Opened 10 years ago
Closed 10 years ago
#734 closed defect (fixed)
FYI off-by-one while processing request header (low/no impact?).
| Reported by: | Marek Kroemeke | Owned by: | |
|---|---|---|---|
| Priority: | trivial | Milestone: | |
| Component: | nginx-core | Version: | 1.7.x |
| Keywords: | Cc: | ||
| uname -a: | Linux aaa 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:36:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.6.2
|
||
Description
Hi there,
Not a biggie (we think?) - but probably still worth reporting.
1.2.9 - TRIGGERED
1.4.0 - TRIGGERED
1.4.7 - TRIGGERED
1.6.2 - TRIGGERED
1.7.2 - TRIGGERED
1.7.5 - TRIGGERED
1.7.6 - TRIGGERED
1.7.7 - NOPE
1.7.9 - NOPE
1.7.10 - NOPE
Off by one in ngx_http_request.c:ngx_http_process_request_headers() :
1214 p = r->header_name_start;
... ...
1226 len = r->header_in->end - p; // len = 1750
1227
1228 if (len > NGX_MAX_ERROR_STR - 300) { // 2048-300 = 1748
1229 len = NGX_MAX_ERROR_STR - 300; // len = 1748
1230 p[len++] = '.'; p[len++] = '.'; p[len++] = '.'; // len = 1749, 1750, 1751,
1231 }
==9250==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007100 at pc 0x4b4678 bp 0x7fffffffdd50 sp 0x7fffffffdd48
WRITE of size 1 at 0x625000007100 thread T0
#0 0x4b4677 in ngx_http_process_request_headers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b4677)
#1 0x4b34ce in ngx_http_process_request_line (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b34ce)
#2 0x4b1ccc in ngx_http_wait_request_handler (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b1ccc)
#3 0x46493a in ngx_event_process_posted (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46493a)
#4 0x45fb69 in ngx_process_events_and_timers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x45fb69)
#5 0x47f288 in ngx_worker_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47f288)
#6 0x476d67 in ngx_spawn_process (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x476d67)
#7 0x47e301 in ngx_reap_children (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47e301)
#8 0x47ba0e in ngx_master_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47ba0e)
#9 0x404ca9 in main (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x404ca9)
#10 0x7ffff5ed5ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#11 0x403c48 (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x403c48)
0x625000007100 is located 0 bytes to the right of 8192-byte region [0x625000005100,0x625000007100)
allocated by thread T0 here:
#0 0x7ffff6f567df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x46f94b in ngx_alloc (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46f94b)
#2 0x40cf09 in ngx_palloc_large (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x40cf09)
#3 0x40ca67 in ngx_palloc (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x40ca67)
#4 0x4138ad in ngx_create_temp_buf (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4138ad)
#5 0x4b5e6a in ngx_http_alloc_large_header_buffer (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b5e6a)
#6 0x4b43e5 in ngx_http_process_request_headers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b43e5)
#7 0x4b34ce in ngx_http_process_request_line (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b34ce)
#8 0x4b1ccc in ngx_http_wait_request_handler (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x4b1ccc)
#9 0x46493a in ngx_event_process_posted (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x46493a)
#10 0x45fb69 in ngx_process_events_and_timers (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x45fb69)
#11 0x47f288 in ngx_worker_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47f288)
#12 0x476d67 in ngx_spawn_process (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x476d67)
#13 0x47e301 in ngx_reap_children (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47e301)
#14 0x47ba0e in ngx_master_process_cycle (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x47ba0e)
#15 0x404ca9 in main (/home/fuzz/nginx-1.4.7-asan/sbin/nginx+0x404ca9)
#16 0x7ffff5ed5ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ngx_http_process_request_headers
Shadow bytes around the buggy address:
0x0c4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8e20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==9250==ABORTING
==9250==Sleeping for 1 second(s)
regards,
Akat1
Filip Palian
Marek Kroemeke
Note:
See TracTickets
for help on using tickets.
Thanks, this bug is fixed in 1.7.7 (21043ce2a005).