Fix heap buffer overread in ConfigParser::UnQuote() #1763

Closed
xiaoxiaoafeifei wants to merge 1 commit into squid-cache:master from xiaoxiaoafeifei:master

Conversation

xiaoxiaoafeifei (Contributor) commented Mar 29, 2024

Detected by using AddressSanitizer.

squid-prbot (Collaborator) commented

Can one of the admins verify this patch?

@squid-anubis squid-anubis added the M-failed-description https://github.com/measurement-factory/anubis#pull-request-labels label Mar 29, 2024
rousskov (Contributor) left a comment

Thank you for working on this bug!

@rousskov rousskov added the S-waiting-for-author author action is expected (and usually required) label Mar 29, 2024
@rousskov rousskov self-requested a review April 1, 2024 15:02
@rousskov rousskov added S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box and removed S-waiting-for-author author action is expected (and usually required) labels Apr 1, 2024
@rousskov rousskov changed the title from "Fix heap buffer overflow in function ConfigParser::UnQuote" to "Fix heap buffer overread in ConfigParser::UnQuote()" Apr 1, 2024
@squid-anubis squid-anubis removed the M-failed-description https://github.com/measurement-factory/anubis#pull-request-labels label Apr 1, 2024
rousskov (Contributor) previously approved these changes Apr 1, 2024 and left a comment

Thank you for adjusting this fix! I trust your refactoring still addresses the problem you could reproduce.

I have adjusted PR title and description (i.e. future official commit message) to meet Squid Project formatting requirements. In the future, please post all those (very useful!) testing details as a PR comment while keeping PR description as the commit message body (which we can then edit to add any details as needed, of course). Thank you.

Our CI formatting tests fail because your name is not in CONTRIBUTORS file. Please add your contact info to that file in this PR. The tools detect two variations of your credentials based on info provided by git/GitHub. Use the variation you prefer.

@rousskov rousskov added S-waiting-for-author author action is expected (and usually required) and removed S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box labels Apr 1, 2024
xiaoxiaoafeifei (Contributor, Author) commented Apr 2, 2024

Reproduce:
export CFLAGS="-g -O0 -fsanitize=address,undefined" CXXFLAGS="-g -O0 -fsanitize=address,undefined"
export CC=afl-clang-fast CXX=afl-clang-fast++
./configure
make && make install
/usr/local/squid/sbin/squid -f poc_file
poc_file:
poc_file.zip

Evidence:
==81496==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000000baf at pc 0x55d9017b242f bp 0x7ffc8a164e30 sp 0x7ffc8a164e28
READ of size 1 at 0x60b000000baf thread T0
#0 0x55d9017b242e in ConfigParser::UnQuote(char const*, char const**) /root/fuzz/fuzz_squid/squid/src/ConfigParser.cc:184:9
#1 0x55d9017b4acb in ConfigParser::TokenParse(char const*&, ConfigParser::TokenType&) /root/fuzz/fuzz_squid/squid/src/ConfigParser.cc:234:31
#2 0x55d9017b0aab in ConfigParser::NextElement(ConfigParser::TokenType&) /root/fuzz/fuzz_squid/squid/src/ConfigParser.cc:321:19
#3 0x55d9017aed45 in ConfigParser::NextToken() /root/fuzz/fuzz_squid/squid/src/ConfigParser.cc:350:21
#4 0x55d9017bd856 in ConfigParser::NextQuotedToken() /root/fuzz/fuzz_squid/squid/src/ConfigParser.cc:528:19
#5 0x55d901d752b8 in parse_wordlist(wordlist**) /root/fuzz/fuzz_squid/squid/src/cache_cf.cc:3156:21
#6 0x55d9023d4d53 in parse_externalAclHelper(external_acl**) /root/fuzz/fuzz_squid/squid/src/external_acl.cc:364:5
#7 0x55d901dfb36b in parse_line(char*) /root/fuzz/fuzz_squid/squid/src/../src/cf_parser.cci:1098:9
#8 0x55d901d936c4 in parseOneConfigFile(char const*, unsigned int) /root/fuzz/fuzz_squid/squid/src/cache_cf.cc:564:26
#9 0x55d901d6cb6d in parseConfigFileOrThrow(char const*) /root/fuzz/fuzz_squid/squid/src/cache_cf.cc:612:17
#10 0x55d901d6b863 in parseConfigFile(char const*) /root/fuzz/fuzz_squid/squid/src/cache_cf.cc:640:16
#11 0x55d902741c1b in SquidMain(int, char**) /root/fuzz/fuzz_squid/squid/src/main.cc:1597:25
#12 0x55d90273fba2 in SquidMainSafe(int, char**) /root/fuzz/fuzz_squid/squid/src/main.cc:1353:16
#13 0x55d90273fb49 in main /root/fuzz/fuzz_squid/squid/src/main.cc:1341:12
#14 0x7f0d0a305d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#15 0x7f0d0a305e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#16 0x55d901398154 in _start (/usr/local/squid/sbin/squid+0x1352154) (BuildId: 18d358e29b9a385368bb9f266d0f672923deef52)

0x60b000000baf is located 0 bytes after 111-byte region [0x60b000000b40,0x60b000000baf)
allocated by thread T0 here:
#0 0x55d9014323a5 in __interceptor_realloc (/usr/local/squid/sbin/squid+0x13ec3a5) (BuildId: 18d358e29b9a385368bb9f266d0f672923deef52)
#1 0x55d9049812fc in xrealloc /root/fuzz/fuzz_squid/squid/compat/xalloc.cc:131:14
#2 0x55d901d901a7 in parseOneConfigFile(char const*, unsigned int) /root/fuzz/fuzz_squid/squid/src/cache_cf.cc:530:27
#3 0x55d901d6cb6d in parseConfigFileOrThrow(char const*) /root/fuzz/fuzz_squid/squid/src/cache_cf.cc:612:17
#4 0x55d901d6b863 in parseConfigFile(char const*) /root/fuzz/fuzz_squid/squid/src/cache_cf.cc:640:16
#5 0x55d902741c1b in SquidMain(int, char**) /root/fuzz/fuzz_squid/squid/src/main.cc:1597:25
#6 0x55d90273fba2 in SquidMainSafe(int, char**) /root/fuzz/fuzz_squid/squid/src/main.cc:1353:16
#7 0x55d90273fb49 in main /root/fuzz/fuzz_squid/squid/src/main.cc:1341:12
#8 0x7f0d0a305d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/fuzz_squid/squid/src/ConfigParser.cc:184:9 in ConfigParser::UnQuote(char const*, char const**)
Shadow bytes around the buggy address:
==81496==ABORTING
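
A small triage helper, added here as an example (it is not part of this PR or of Squid), that pulls out the fields a fuzzing pipeline uses to classify and deduplicate a report like the one above: the error class, the access kind and size, the top symbolised frame of the faulting access, and the offset of the faulting address from the end of the allocated region. The embedded input is a trimmed excerpt of the ASan output posted in this comment.

```python
import os
import re

# Trimmed excerpt of the ASan report posted above (test input for this example).
SAMPLE_REPORT = """\
==81496==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000000baf at pc 0x55d9017b242f bp 0x7ffc8a164e30 sp 0x7ffc8a164e28
READ of size 1 at 0x60b000000baf thread T0
    #0 0x55d9017b242e in ConfigParser::UnQuote(char const*, char const**) /root/fuzz/fuzz_squid/squid/src/ConfigParser.cc:184:9
    #1 0x55d9017b4acb in ConfigParser::TokenParse(char const*&, ConfigParser::TokenType&) /root/fuzz/fuzz_squid/squid/src/ConfigParser.cc:234:31
0x60b000000baf is located 0 bytes after 111-byte region [0x60b000000b40,0x60b000000baf)
allocated by thread T0 here:
    #0 0x55d9014323a5 in __interceptor_realloc (/usr/local/squid/sbin/squid+0x13ec3a5)
    #1 0x55d9049812fc in xrealloc /root/fuzz/fuzz_squid/squid/compat/xalloc.cc:131:14
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
# Only frames with a source location match; unsymbolised "(binary+0x..)" frames are skipped.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (/\S+?):(\d+)(?::\d+)?$", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes (.+?) (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_asan_report(text):
    """Return the triage fields of one ASan report, or raise ValueError."""
    err, acc = ERROR_RE.search(text), ACCESS_RE.search(text)
    if not err or not acc:
        raise ValueError("not an AddressSanitizer error report")
    region = REGION_RE.search(text)
    # Frames before the "is located" line belong to the faulting access; the
    # allocation (or free) stack printed after it is not part of the crash key.
    access_part = text[: region.start()] if region else text
    frames = FRAME_RE.findall(access_part)
    if not frames:
        raise ValueError("no symbolised frame in the access stack")
    _, func, path, line = frames[0]
    info = {
        "kind": err.group(1),
        "access": acc.group(1),
        "size": int(acc.group(2)),
        "address": int(acc.group(3), 16),
        "top_frame": f"{func} {path}:{line}",
        # Dedup key: same bug class at the same source line counts as the same crash.
        "crash_id": f"{err.group(1)}|{acc.group(1)}|{func}|{os.path.basename(path)}:{line}",
    }
    if region:
        start, end = int(region.group(4), 16), int(region.group(5), 16)
        info["region_size"] = end - start
        # 0 means the first byte past the allocation: a missing-terminator/off-by-one read, not a wild pointer.
        info["offset_from_end"] = info["address"] - end
    return info
```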

xiaoxiaoafeifei (Contributor, Author) commented Apr 2, 2024

> Thank you for adjusting this fix! I trust your refactoring still addresses the problem you could reproduce.
>
> I have adjusted PR title and description (i.e. future official commit message) to meet Squid Project formatting requirements. In the future, please post all those (very useful!) testing details as a PR comment while keeping PR description as the commit message body (which we can then edit to add any details as needed, of course). Thank you.
>
> Our CI formatting tests fail because your name is not in CONTRIBUTORS file. Please add your contact info to that file in this PR. The tools detect two variations of your credentials based on info provided by git/GitHub. Use the variation you prefer.

Thanks for your reply! @rousskov
I have posted all those testing details as a PR comment and added my contact info to the CONTRIBUTORS file.

@rousskov rousskov removed the S-waiting-for-author author action is expected (and usually required) label Apr 2, 2024
@kinkie kinkie added backport-to-v6 M-cleared-for-merge https://github.com/measurement-factory/anubis#pull-request-labels S-could-use-an-approval An approval may speed this PR merger (but is not required) and removed backport-to-v6 labels Apr 2, 2024
rousskov (Contributor) commented Apr 2, 2024

OK to test

@rousskov rousskov removed the S-could-use-an-approval An approval may speed this PR merger (but is not required) label Apr 2, 2024
squid-anubis pushed a commit that referenced this pull request Apr 2, 2024
@squid-anubis squid-anubis added the M-waiting-staging-checks https://github.com/measurement-factory/anubis#pull-request-labels label Apr 2, 2024
@squid-anubis squid-anubis added M-merged https://github.com/measurement-factory/anubis#pull-request-labels and removed M-waiting-staging-checks https://github.com/measurement-factory/anubis#pull-request-labels M-cleared-for-merge https://github.com/measurement-factory/anubis#pull-request-labels labels Apr 2, 2024
kinkie pushed a commit to kinkie/squid that referenced this pull request Apr 9, 2024
kinkie pushed a commit to kinkie/squid that referenced this pull request Apr 9, 2024
kinkie pushed a commit to kinkie/squid that referenced this pull request Apr 14, 2024