Fix UAF in process_recv #6

meme · 2021-06-25T15:57:25Z

In process_recv, there is no handling for an error on
client_command, which may interally free the client (by calling
client_close). This results in a UAF:

client_command(client, hdr);
client->ib_size = 0;

Log:

[11:26:04.715][3] NOTE: remote 10.11.1.1:5000 is no longer available.
[11:37:12.068][4] New client on fd 5 (pid 9809)
[11:37:12.069][1] Client 5 command received in the wrong state
[11:37:12.069][4] Disconnecting client 0x6080000007a0 fd 5

ASan:

==5624==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000007c0 at pc 0x5643f34e1b79 bp 0x7ffe58b9f170 sp 0x7ffe58b9f160
WRITE of size 4 at 0x6080000007c0 thread T0
    #0 0x5643f34e1b78 in process_recv /usbfluxd/usbfluxd/client.c:981
    #1 0x5643f34e26a0 in client_process /usbfluxd/usbfluxd/client.c:1043
    #2 0x5643f34f03cb in main_loop /usbfluxd/usbfluxd/main.c:156
    #3 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477
    #4 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #5 0x5643f34d995d in _start (/usr/local/sbin/usbfluxd+0xa95d)

0x6080000007c0 is located 32 bytes inside of 96-byte region [0x6080000007a0,0x608000000800)
freed by thread T0 here:
    #0 0x7f31530f6f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x5643f34dac29 in client_close /usbfluxd/usbfluxd/client.c:254
    #2 0x5643f34ddeac in client_command /usbfluxd/usbfluxd/client.c:642
    #3 0x5643f34e1b45 in process_recv /usbfluxd/usbfluxd/client.c:980
    #4 0x5643f34e26a0 in client_process /usbfluxd/usbfluxd/client.c:1043
    #5 0x5643f34f03cb in main_loop /usbfluxd/usbfluxd/main.c:156
    #6 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477
    #7 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

previously allocated by thread T0 here:
    #0 0x7f31530f7279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5643f34da34c in client_accept /usbfluxd/usbfluxd/client.c:199
    #2 0x5643f34f023e in main_loop /usbfluxd/usbfluxd/main.c:149
    #3 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477
    #4 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-use-after-free /usbfluxd/usbfluxd/client.c:981 in process_recv
Shadow bytes around the buggy address:
  0x0c107fff80a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff80f0: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c107fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5624==ABORTING

In `process_recv`, there is no handling for an error on `client_command`, which may interally free the `client` (by calling `client_close`). This results in a UAF: client_command(client, hdr); client->ib_size = 0; Log: [11:26:04.715][3] NOTE: remote 10.11.1.1:5000 is no longer available. [11:37:12.068][4] New client on fd 5 (pid 9809) [11:37:12.069][1] Client 5 command received in the wrong state [11:37:12.069][4] Disconnecting client 0x6080000007a0 fd 5 ASan: ==5624==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000007c0 at pc 0x5643f34e1b79 bp 0x7ffe58b9f170 sp 0x7ffe58b9f160 WRITE of size 4 at 0x6080000007c0 thread T0 #0 0x5643f34e1b78 in process_recv /usbfluxd/usbfluxd/client.c:981 corellium#1 0x5643f34e26a0 in client_process /usbfluxd/usbfluxd/client.c:1043 corellium#2 0x5643f34f03cb in main_loop /usbfluxd/usbfluxd/main.c:156 corellium#3 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477 corellium#4 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) corellium#5 0x5643f34d995d in _start (/usr/local/sbin/usbfluxd+0xa95d) 0x6080000007c0 is located 32 bytes inside of 96-byte region [0x6080000007a0,0x608000000800) freed by thread T0 here: #0 0x7f31530f6f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127 corellium#1 0x5643f34dac29 in client_close /usbfluxd/usbfluxd/client.c:254 corellium#2 0x5643f34ddeac in client_command /usbfluxd/usbfluxd/client.c:642 corellium#3 0x5643f34e1b45 in process_recv /usbfluxd/usbfluxd/client.c:980 corellium#4 0x5643f34e26a0 in client_process /usbfluxd/usbfluxd/client.c:1043 corellium#5 0x5643f34f03cb in main_loop /usbfluxd/usbfluxd/main.c:156 corellium#6 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477 corellium#7 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) previously allocated by thread T0 here: #0 0x7f31530f7279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 corellium#1 0x5643f34da34c in client_accept /usbfluxd/usbfluxd/client.c:199 corellium#2 0x5643f34f023e in main_loop /usbfluxd/usbfluxd/main.c:149 corellium#3 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477 corellium#4 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) SUMMARY: AddressSanitizer: heap-use-after-free /usbfluxd/usbfluxd/client.c:981 in process_recv Shadow bytes around the buggy address: 0x0c107fff80a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff80b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff80c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff80d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff80e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c107fff80f0: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fd 0x0c107fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==5624==ABORTING

strazzere

LGTM thank you for the change

strazzere · 2021-06-25T20:33:42Z

Thanks for submitting this.

In `process_recv`, there is no handling for an error on `client_command`, which may interally free the `client` (by calling `client_close`). This results in a UAF: client_command(client, hdr); client->ib_size = 0; Log: [11:26:04.715][3] NOTE: remote 10.11.1.1:5000 is no longer available. [11:37:12.068][4] New client on fd 5 (pid 9809) [11:37:12.069][1] Client 5 command received in the wrong state [11:37:12.069][4] Disconnecting client 0x6080000007a0 fd 5 ASan: ==5624==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000007c0 at pc 0x5643f34e1b79 bp 0x7ffe58b9f170 sp 0x7ffe58b9f160 WRITE of size 4 at 0x6080000007c0 thread T0 #0 0x5643f34e1b78 in process_recv /usbfluxd/usbfluxd/client.c:981 #1 0x5643f34e26a0 in client_process /usbfluxd/usbfluxd/client.c:1043 #2 0x5643f34f03cb in main_loop /usbfluxd/usbfluxd/main.c:156 #3 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477 #4 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) #5 0x5643f34d995d in _start (/usr/local/sbin/usbfluxd+0xa95d) 0x6080000007c0 is located 32 bytes inside of 96-byte region [0x6080000007a0,0x608000000800) freed by thread T0 here: #0 0x7f31530f6f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0x5643f34dac29 in client_close /usbfluxd/usbfluxd/client.c:254 #2 0x5643f34ddeac in client_command /usbfluxd/usbfluxd/client.c:642 #3 0x5643f34e1b45 in process_recv /usbfluxd/usbfluxd/client.c:980 #4 0x5643f34e26a0 in client_process /usbfluxd/usbfluxd/client.c:1043 #5 0x5643f34f03cb in main_loop /usbfluxd/usbfluxd/main.c:156 corellium#6 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477 corellium#7 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) previously allocated by thread T0 here: #0 0x7f31530f7279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x5643f34da34c in client_accept /usbfluxd/usbfluxd/client.c:199 #2 0x5643f34f023e in main_loop /usbfluxd/usbfluxd/main.c:149 #3 0x5643f34f186c in main /usbfluxd/usbfluxd/main.c:477 #4 0x7f3152cffb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) SUMMARY: AddressSanitizer: heap-use-after-free /usbfluxd/usbfluxd/client.c:981 in process_recv Shadow bytes around the buggy address: 0x0c107fff80a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff80b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff80c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff80d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff80e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c107fff80f0: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fd 0x0c107fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==5624==ABORTING

Fix UAF in process_recv

strazzere approved these changes Jun 25, 2021

View reviewed changes

strazzere merged commit 6b0e4c3 into corellium:master Jun 25, 2021

cooljeanius pushed a commit to cooljeanius/usbfluxd that referenced this pull request Oct 13, 2023

Merge pull request corellium#6 from meme/uaf

7d47ec3

Fix UAF in process_recv

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix UAF in process_recv #6

Fix UAF in process_recv #6

meme commented Jun 25, 2021

strazzere left a comment

strazzere commented Jun 25, 2021

Fix UAF in process_recv #6

Fix UAF in process_recv #6

Conversation

meme commented Jun 25, 2021

strazzere left a comment

Choose a reason for hiding this comment

strazzere commented Jun 25, 2021