oss-sec mailing list archives
siege: off-by-one in load_conf()
From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 14 Jul 2015 21:17:04 +0200
Description:
Siege is an http load testing and benchmarking utility.

During the test of a webserver, I hit a segmentation fault. I recompiled siege with ASan and it clearly shows an off-by-one in load_conf(). The issue is reproducible without passing any arguments to the binary.

The complete output:

ago@willoughby ~ # siege
=================================================================
==488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d7f1 at pc 0x00000051ab64 bp 0x7ffcc3d19a70 sp 0x7ffcc3d19a68
READ of size 1 at 0x60200000d7f1 thread T0
    #0 0x51ab63 in load_conf /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263:12
    #1 0x515486 in init_config /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:96:7
    #2 0x5217b9 in main /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/main.c:324:7
    #3 0x7fb2b1b93aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #4 0x439426 in _start (/usr/bin/siege+0x439426)

0x60200000d7f1 is located 0 bytes to the right of 1-byte region [0x60200000d7f0,0x60200000d7f1)
allocated by thread T0 here:
    #0 0x4c03e2 in __interceptor_malloc /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x7fb2b1bf31e9 in __strdup /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/string/strdup.c:42

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263 load_conf
Shadow bytes around the buggy address:
==488==ABORTING

Affected version:
3.1.0 (and maybe past versions).

Fixed version:
Not available.

Commit fix:
Not available.

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
Not assigned.

Timeline:
2015-06-09: bug discovered
2015-06-10: bug reported privately to upstream
2015-07-13: no upstream response
2015-07-14: advisory release

Permalink:
https://blogs.gentoo.org/ago/2015/07/14/siege-off-by-one-in-load_conf

@MITRE: If you think this deserves a CVE, please assign one. Thanks.

--
Agostino Sarubbo
Gentoo Linux Developer
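The report pins the bug down to a one-byte read just past a one-byte strdup() allocation, i.e. one past the terminator of an empty string. As an added illustration (constructed here, not siege's load_conf() code), the following hypothetical "key = value" line splitter contains that kind of off-by-one next to a bounded version:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical config-line splitter carrying the off-by-one the
 * report describes: "key = value" is split in place, but on a line
 * without '=' (an empty line is a 1-byte strdup() region) it reads
 * one byte past the NUL terminator. Returns 1 if a value was found. */
int split_kv_buggy(char *line, char **key, char **value)
{
    char *p = line;
    while (*p != '=' && *p != '\0')
        p++;
    *p = '\0';              /* terminate the key */
    *key = line;
    *value = p + 1;         /* BUG: past the terminator when no '=' */
    while (**value == ' ')  /* ASan: heap-buffer-overflow READ of size 1 */
        (*value)++;
    return **value != '\0';
}

/* Bounded version: never step past the terminator. */
int split_kv_fixed(char *line, char **key, char **value)
{
    char *p = strchr(line, '=');
    if (p == NULL)          /* empty, comment or malformed line */
        return 0;
    *p = '\0';
    *key = line;
    for (p++; *p == ' '; p++)
        ;
    *value = p;
    return **value != '\0';
}

/* Like a config loader reading one (already chomped) line into a
 * heap copy; returns 1 if the line yielded a non-empty value. */
int conf_line_has_value(const char *src)
{
    char *line = strdup(src);   /* "" gives the 1-byte region from the report */
    char *k, *v;
    int ok = line != NULL && split_kv_fixed(line, &k, &v);
    free(line);
    return ok;
}
```

Compiled with -fsanitize=address, calling split_kv_buggy() on strdup("") produces the same "READ of size 1 ... 0 bytes to the right of 1-byte region" report shown above, while split_kv_fixed() rejects the line.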