Opened 10 years ago
Closed 10 years ago
#734 closed defect (fixed)
FYI off-by-one while processing request header (low/no impact?).
Reported by: | Marek Kroemeke | Owned by: | |
---|---|---|---|
Priority: | trivial | Milestone: | |
Component: | nginx-core | Version: | 1.7.x |
Keywords: | Cc: | ||
uname -a: | Linux aaa 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:36:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.6.2
|
Description
Hi there,
Not a biggie (we think?) - but probably still worth reporting.
1.2.9 - TRIGGERED
1.4.0 - TRIGGERED
1.4.7 - TRIGGERED
1.6.2 - TRIGGERED
1.7.2 - TRIGGERED
1.7.5 - TRIGGERED
1.7.6 - TRIGGERED
1.7.7 - NOPE
1.7.9 - NOPE
1.7.10 - NOPE
Off by one in ngx_http_request.c:ngx_http_process_request_headers() :
1214 p = r->header_name_start; ... ... 1226 len = r->header_in->end - p; // len = 1750 1227 1228 if (len > NGX_MAX_ERROR_STR - 300) { // 2048-300 = 1748 1229 len = NGX_MAX_ERROR_STR - 300; // len = 1748 1230 p[len++] = '.'; p[len++] = '.'; p[len++] = '.'; // len = 1749, 1750, 1751, 1231 }
==9250==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007100 at pc 0x4b4678 bp 0x7fffffffdd50 sp 0x7fffffffdd48 WRITE of size 1 at 0x625000007100 thread T0 #0 0x4b4677 in ngx_http_process_request_headers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b4677) #1 0x4b34ce in ngx_http_process_request_line (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b34ce) #2 0x4b1ccc in ngx_http_wait_request_handler (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b1ccc) #3 0x46493a in ngx_event_process_posted (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46493a) #4 0x45fb69 in ngx_process_events_and_timers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x45fb69) #5 0x47f288 in ngx_worker_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47f288) #6 0x476d67 in ngx_spawn_process (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x476d67) #7 0x47e301 in ngx_reap_children (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47e301) #8 0x47ba0e in ngx_master_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47ba0e) #9 0x404ca9 in main (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x404ca9) #10 0x7ffff5ed5ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #11 0x403c48 (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x403c48) 0x625000007100 is located 0 bytes to the right of 8192-byte region [0x625000005100,0x625000007100) allocated by thread T0 here: #0 0x7ffff6f567df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df) #1 0x46f94b in ngx_alloc (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46f94b) #2 0x40cf09 in ngx_palloc_large (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x40cf09) #3 0x40ca67 in ngx_palloc (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x40ca67) #4 0x4138ad in ngx_create_temp_buf (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4138ad) #5 0x4b5e6a in ngx_http_alloc_large_header_buffer (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b5e6a) #6 0x4b43e5 in ngx_http_process_request_headers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b43e5) #7 0x4b34ce in ngx_http_process_request_line (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b34ce) #8 0x4b1ccc in ngx_http_wait_request_handler (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b1ccc) #9 0x46493a in ngx_event_process_posted (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46493a) #10 0x45fb69 in ngx_process_events_and_timers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x45fb69) #11 0x47f288 in ngx_worker_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47f288) #12 0x476d67 in ngx_spawn_process (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x476d67) #13 0x47e301 in ngx_reap_children (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47e301) #14 0x47ba0e in ngx_master_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47ba0e) #15 0x404ca9 in main (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x404ca9) #16 0x7ffff5ed5ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ngx_http_process_request_headers Shadow bytes around the buggy address: 0x0c4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c4a7fff8e20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==9250==ABORTING ==9250==Sleeping for 1 second(s)
regards,
Akat1
Filip Palian
Marek Kroemeke
Note:
See TracTickets
for help on using tickets.
Thanks, this bug is fixed in 1.7.7 (21043ce2a005).