Opened 9 years ago

Closed 9 years ago

#734 closed defect (fixed)

FYI off-by-one while processing request header (low/no impact?).

Reported by: Marek Kroemeke
Owned by:
Priority: trivial
Milestone:
Component: nginx-core
Version: 1.7.x
Keywords:
Cc:
uname -a: Linux aaa 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:36:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.2

Description

Hi there,

Not a biggie (we think?) - but probably still worth reporting.

1.2.9 - TRIGGERED
1.4.0 - TRIGGERED
1.4.7 - TRIGGERED
1.6.2 - TRIGGERED
1.7.2 - TRIGGERED
1.7.5 - TRIGGERED
1.7.6 - TRIGGERED
1.7.7 - NOPE
1.7.9 - NOPE
1.7.10 - NOPE

Off by one in ngx_http_request.c:ngx_http_process_request_headers() :

    p = r->header_name_start;
    ...
    len = r->header_in->end - p;                           // len = 1750

    if (len > NGX_MAX_ERROR_STR - 300) {                   // 2048-300 = 1748
        len = NGX_MAX_ERROR_STR - 300;                     // len = 1748
        p[len++] = '.'; p[len++] = '.'; p[len++] = '.';    // len = 1749, 1750, 1751
    }

==9250==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007100 at pc 0x4b4678 bp 0x7fffffffdd50 sp 0x7fffffffdd48
WRITE of size 1 at 0x625000007100 thread T0
    #0 0x4b4677 in ngx_http_process_request_headers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b4677)
    #1 0x4b34ce in ngx_http_process_request_line (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b34ce)
    #2 0x4b1ccc in ngx_http_wait_request_handler (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b1ccc)
    #3 0x46493a in ngx_event_process_posted (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46493a)
    #4 0x45fb69 in ngx_process_events_and_timers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x45fb69)
    #5 0x47f288 in ngx_worker_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47f288)
    #6 0x476d67 in ngx_spawn_process (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x476d67)
    #7 0x47e301 in ngx_reap_children (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47e301)
    #8 0x47ba0e in ngx_master_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47ba0e)
    #9 0x404ca9 in main (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x404ca9)
    #10 0x7ffff5ed5ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #11 0x403c48 (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x403c48)

0x625000007100 is located 0 bytes to the right of 8192-byte region [0x625000005100,0x625000007100)
allocated by thread T0 here:
    #0 0x7ffff6f567df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
    #1 0x46f94b in ngx_alloc (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46f94b)
    #2 0x40cf09 in ngx_palloc_large (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x40cf09)
    #3 0x40ca67 in ngx_palloc (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x40ca67)
    #4 0x4138ad in ngx_create_temp_buf (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4138ad)
    #5 0x4b5e6a in ngx_http_alloc_large_header_buffer (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b5e6a)
    #6 0x4b43e5 in ngx_http_process_request_headers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b43e5)
    #7 0x4b34ce in ngx_http_process_request_line (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b34ce)
    #8 0x4b1ccc in ngx_http_wait_request_handler (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b1ccc)
    #9 0x46493a in ngx_event_process_posted (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46493a)
    #10 0x45fb69 in ngx_process_events_and_timers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x45fb69)
    #11 0x47f288 in ngx_worker_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47f288)
    #12 0x476d67 in ngx_spawn_process (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x476d67)
    #13 0x47e301 in ngx_reap_children (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47e301)
    #14 0x47ba0e in ngx_master_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47ba0e)
    #15 0x404ca9 in main (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x404ca9)
    #16 0x7ffff5ed5ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ngx_http_process_request_headers
==9250==ABORTING
==9250==Sleeping for 1 second(s)


regards,

Akat1
Filip Palian
Marek Kroemeke
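
Added example, not part of the original ticket or of nginx: a C model of the truncation arithmetic in the excerpt above. It goes slightly beyond the reported case by computing, for any remaining buffer size, how many of the three '.' writes land past the end, and sets that beside one way to truncate without writing into the input buffer. The function names and the hardened variant are assumptions for illustration; the value 2048 for NGX_MAX_ERROR_STR is taken from the report's annotation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ERROR_STR 2048               /* NGX_MAX_ERROR_STR, per the report */
#define LOG_LIMIT (MAX_ERROR_STR - 300)  /* 1748 */

/* Model of the excerpt (hypothetical helper): returns how many of the three
 * '.' writes fall outside [0, avail), where avail = r->header_in->end - p.
 * Nothing is actually written, so the model itself is memory-safe. */
size_t dots_past_end(size_t avail)
{
    size_t len = avail, past = 0, i;

    if (len > LOG_LIMIT) {
        len = LOG_LIMIT;
        for (i = 0; i < 3; i++) {
            if (len++ >= avail) {        /* this index is beyond the buffer */
                past++;
            }
        }
    }
    return past;
}

/* Hardened variant (an assumption, not nginx's patch): leave the request
 * buffer untouched and build the truncated text in a separate log buffer.
 * "%.*s" reads at most len bytes, so p need not be NUL-terminated. */
int format_header_for_log(char *out, size_t out_size,
                          const char *p, size_t avail)
{
    int truncated = avail > LOG_LIMIT;
    size_t len = truncated ? LOG_LIMIT : avail;

    return snprintf(out, out_size, "%.*s%s", (int) len, p,
                    truncated ? "..." : "");
}

int main(void)
{
    static char hdr[1750], line[MAX_ERROR_STR];  /* constructed sample input */
    size_t n;

    memset(hdr, 'A', sizeof(hdr));
    for (n = 1747; n <= 1752; n++) {
        printf("avail=%zu -> %zu byte(s) past end\n", n, dots_past_end(n));
    }
    printf("safe length: %d\n",
           format_header_for_log(line, sizeof(line), hdr, sizeof(hdr)));
    return 0;
}
```

The reported case (1750 bytes remaining) is the one-byte overrun; the check only becomes safe once at least 1751 bytes remain after p.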

Change History (1)

comment:1 by Maxim Dounin, 9 years ago

Resolution: fixed
Status: new → closed

Thanks, this bug is fixed in 1.7.7 (21043ce2a005).
