oss-sec mailing list archives
siege: off-by-one in load_conf()
From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 14 Jul 2015 21:17:04 +0200
Description:
Siege is an http load testing and benchmarking utility.
During the test of a webserver, I hit a segmentation fault. I recompiled
siege with ASan and it clearly shows an off-by-one in load_conf(). The issue
is reproducible without passing any arguments to the binary.
The complete output:
ago@willoughby ~ # siege
=================================================================
==488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d7f1 at pc 0x00000051ab64 bp 0x7ffcc3d19a70 sp 0x7ffcc3d19a68
READ of size 1 at 0x60200000d7f1 thread T0
    #0 0x51ab63 in load_conf /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263:12
    #1 0x515486 in init_config /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:96:7
    #2 0x5217b9 in main /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/main.c:324:7
    #3 0x7fb2b1b93aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #4 0x439426 in _start (/usr/bin/siege+0x439426)
0x60200000d7f1 is located 0 bytes to the right of 1-byte region [0x60200000d7f0,0x60200000d7f1)
allocated by thread T0 here:
    #0 0x4c03e2 in __interceptor_malloc /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x7fb2b1bf31e9 in __strdup /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/string/strdup.c:42
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263 load_conf
Shadow bytes around the buggy address:
==488==ABORTING
Affected version:
3.1.0 (and maybe past versions).
Fixed version:
Not available.
Commit fix:
Not available.
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
Not assigned.
Timeline:
2015-06-09: bug discovered
2015-06-10: bug reported privately to upstream
2015-07-13: no upstream response
2015-07-14: advisory release
Permalink:
https://blogs.gentoo.org/ago/2015/07/14/siege-off-by-one-in-load_conf
@MITRE:
If you think this deserves a CVE, please assign one.
Thanks.
--
Agostino Sarubbo
Gentoo Linux Developer
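The trace reports a 1-byte read at offset 1 of a 1-byte region returned by strdup(), which is what strdup("") produces (the terminator alone). As an added illustration that is not siege's code (load_conf() itself is not quoted in the post), the hypothetical config-line splitter below shows one parser shape that yields exactly that report, beside its bounds-checked form.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical "key = value" splitter, not siege's load_conf() (not on the
 * page). Shape of the reported bug: strdup("") is a 1-byte region holding
 * only the terminator; stepping past a '=' that was never found reads
 * offset 1, i.e. 0 bytes to the right of that region, as in the trace. */

/* Defective form, not run by the test: p++ happens even if the scan hit NUL. */
const char *value_of_unchecked(const char *line) {
    const char *p = line;
    while (*p != '=' && *p != '\0') p++;
    p++;                        /* off by one when the line has no '=' */
    while (*p == ' ') p++;      /* on "" this reads line[1]: heap overread */
    return p;
}

/* Fixed form: never step past a missing separator. Returns a malloc'd copy
 * of the value with surrounding blanks removed, NULL if the line has no '='. */
char *value_of_checked(const char *line) {
    const char *p = line;
    while (*p != '=' && *p != '\0') p++;
    if (*p != '=') return NULL; /* "" and "key" stop here, no overread */
    p++;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strlen(p);
    while (n > 0 && isspace((unsigned char)p[n - 1])) n--;
    char *v = malloc(n + 1);
    if (v == NULL) return NULL;
    memcpy(v, p, n);
    v[n] = '\0';
    return v;
}

/* Parses a heap copy sized exactly as strdup() would make it (strlen+1), so
 * "" becomes the 1-byte region from the report. Returns 1 if the parsed value
 * equals `expected` (NULL meaning "no value"), 0 otherwise. */
int value_equals(const char *line, const char *expected) {
    size_t len = strlen(line);
    char *copy = malloc(len + 1);
    if (copy == NULL) return 0;
    memcpy(copy, line, len + 1);
    char *v = value_of_checked(copy);
    int ok = (v == NULL) ? (expected == NULL)
                         : (expected != NULL && strcmp(v, expected) == 0);
    free(v);
    free(copy);
    return ok;
}
```

Building the same file with -fsanitize=address and calling value_of_unchecked() on the empty copy reproduces the "READ of size 1 ... 0 bytes to the right of 1-byte region" report shape; the checked form returns NULL without touching offset 1.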
