[ntp:security] [Bug 3416] test1

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Sun Oct 8 10:20:35 UTC 2017


https://bugs.ntp.org/show_bug.cgi?id=3416

--- Comment #1 from Magnus Stubman <magnus at stubman.eu> 2017-07-11 10:27:53 UTC ---
Created attachment 1524
  --> https://bugs.ntp.org/attachment.cgi?id=1524
crash

The attached testcase causes ntpd to crash when compiled with ASAN:

ntpd was compiled with configuration flag --with-threads=no and compiler flags -fsanitize=address -ggdb

11 Jul 12:12:00 ntpd[23951]: ntpd 4.2.8p10 at 1.3728-o Tue Jul 11 09:26:17 UTC 2017 (1): Starting
11 Jul 12:12:00 ntpd[23951]: Command line: ntpd/ntpd -n -I lo -c /home/dude/resources/ntp.conf
11 Jul 12:12:00 ntpd[23951]: proto: precision = 0.079 usec (-24)
11 Jul 12:12:00 ntpd[23951]: switching logging to file /dev/null
11 Jul 12:12:00 ntpd[23951]: Listen and drop on 0 v6wildcard [::]:123
11 Jul 12:12:00 ntpd[23951]: Listen and drop on 1 v4wildcard 0.0.0.0:123
11 Jul 12:12:00 ntpd[23951]: Listen normally on 2 lo 127.0.0.1:123
11 Jul 12:12:00 ntpd[23951]: Listen normally on 3 lo [::1]:123
11 Jul 12:12:00 ntpd[23951]: Listening on routing socket on fd #20 for interface updates
=================================================================
==23951==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e736 at pc 0x556c30b60164 bp 0x7fff5c3cd700 sp 0x7fff5c3cd6f8
READ of size 1 at 0x60200000e736 thread T0
    #0 0x556c30b60163 in ctl_getitem /home/dude/projects/ntpd/p10/noinstru/ntpd/ntp_control.c:3098
    #1 0x556c30b6e93d in read_mru_list /home/dude/projects/ntpd/p10/noinstru/ntpd/ntp_control.c:3974
    #2 0x556c30b6a2db in process_control /home/dude/projects/ntpd/p10/noinstru/ntpd/ntp_control.c:1299
    #3 0x556c30b96487 in receive /home/dude/projects/ntpd/p10/noinstru/ntpd/ntp_proto.c:660
    #4 0x556c30b5debf in ntpdmain /home/dude/projects/ntpd/p10/noinstru/ntpd/ntpd.c:1331
    #5 0x556c30b5df57 in main /home/dude/projects/ntpd/p10/noinstru/ntpd/ntpd.c:394
    #6 0x7f5b12b93b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x556c30b35f18 (/home/dude/projects/ntpd/p10/noinstru/ntpd/ntpd+0x5cf18)

0x60200000e736 is located 0 bytes to the right of 6-byte region [0x60200000e730,0x60200000e736)
allocated by thread T0 here:
    #0 0x7f5b13ad39f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x556c30c175c7 in ereallocz /home/dude/projects/ntpd/p10/noinstru/libntp/emalloc.c:43

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dude/projects/ntpd/p10/noinstru/ntpd/ntp_control.c:3098 ctl_getitem
Shadow bytes around the buggy address:
  0x0c047fff9c90: fa fa 00 fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
  0x0c047fff9ca0: fa fa 07 fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
  0x0c047fff9cb0: fa fa 07 fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
  0x0c047fff9cc0: fa fa 07 fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
  0x0c047fff9cd0: fa fa 07 fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
=>0x0c047fff9ce0: fa fa 07 fa fa fa[06]fa fa fa 00 02 fa fa 07 fa
  0x0c047fff9cf0: fa fa 07 fa fa fa 00 01 fa fa 06 fa fa fa 06 fa
  0x0c047fff9d00: fa fa 06 fa fa fa 00 07 fa fa 00 00 fa fa fd fd
  0x0c047fff9d10: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa fd fd
  0x0c047fff9d20: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 02
  0x0c047fff9d30: fa fa fd fd fa fa 00 02 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==23951==ABORTING

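The report above says only what ASAN saw: a 1-byte READ in ctl_getitem, 0 bytes past the end of a 6-byte heap region that ereallocz had sized to fit, while read_mru_list was parsing a mode 6 control request. It does not state ntpd's root cause, and the example below is not ntpd's code. It is an added illustration of the generic pattern that produces exactly that signature: a "name=value,name=value" scanner that stops at ',' or NUL over a buffer sized to the payload with no terminator, shown next to a bounded scanner that only ever dereferences inside [buf, buf+len). The struct and function names, the 6-byte payload "frags=" and the build line are this example's own assumptions.

```c
/*
 * Added illustration, NOT ntpd's ctl_getitem(): the over-read pattern that
 * matches "READ of size 1 ... 0 bytes to the right of 6-byte region".
 * The request payload is copied into a heap buffer of exactly payload-length
 * bytes (no trailing NUL), as a realloc'd 6-byte region would be.
 *
 * Build and run to watch the sanitizer trip on the unsafe scanner
 * (file name, flags and argument are this example's own choices):
 *   cc -fsanitize=address -ggdb -o scan scan.c && ./scan overread
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct item {
    const char *name;   /* points into the request buffer, not NUL-terminated */
    size_t      nlen;
    const char *value;
    size_t      vlen;
};

/* UNSAFE: assumes a ',' or NUL terminator exists; over-reads when it does not. */
static size_t item_len_unsafe(const char *p)
{
    size_t n = 0;
    while (p[n] != ',' && p[n] != '\0')   /* p[len] is one byte past the region */
        n++;
    return n;
}

/* SAFE (hardened form): the end pointer is checked before every dereference. */
static size_t item_len_bounded(const char *p, const char *end)
{
    const char *q = p;
    while (q < end && *q != ',')
        q++;
    return (size_t)(q - p);
}

/*
 * Split "name=value,name=value" into items using only [buf, buf+len).
 * Returns the number of items stored (at most max). An item without '='
 * gets vlen 0; a trailing ',' does not produce an extra empty item.
 */
static size_t parse_items(const char *buf, size_t len, struct item *out, size_t max)
{
    const char *p = buf, *end = buf + len;
    size_t count = 0;

    while (p < end && count < max) {
        size_t ilen = item_len_bounded(p, end);
        const char *eq = memchr(p, '=', ilen);   /* bounded by ilen, never past end */

        out[count].name = p;
        if (eq) {
            out[count].nlen  = (size_t)(eq - p);
            out[count].value = eq + 1;
            out[count].vlen  = ilen - out[count].nlen - 1;
        } else {
            out[count].nlen  = ilen;
            out[count].value = p + ilen;
            out[count].vlen  = 0;
        }
        count++;
        p += ilen;
        if (p < end && *p == ',')
            p++;
    }
    return count;
}

/* Helpers that return checkable values: item count, and "does item idx equal name/value?" */
static size_t count_items(const char *buf, size_t len)
{
    struct item it[8];
    return parse_items(buf, len, it, 8);
}

static int item_is(const char *buf, size_t len, size_t idx, const char *name, const char *value)
{
    struct item it[8];
    size_t n = parse_items(buf, len, it, 8);
    if (idx >= n)
        return 0;
    return it[idx].nlen == strlen(name)  && memcmp(it[idx].name,  name,  it[idx].nlen) == 0
        && it[idx].vlen == strlen(value) && memcmp(it[idx].value, value, it[idx].vlen) == 0;
}

/* Reproduce the heap layout of the report: an exact-size region with no NUL. */
static char *exact_copy(const char *s, size_t len)
{
    char *buf = malloc(len);            /* deliberately no +1 for a terminator */
    if (buf)
        memcpy(buf, s, len);
    return buf;
}

int main(int argc, char **argv)
{
    static const char payload[] = "frags=";   /* constructed: 6 bytes, like the report's region */
    size_t len = sizeof(payload) - 1;
    char *req = exact_copy(payload, len);
    struct item items[4];
    size_t n, i;

    if (!req)
        return 1;
    n = parse_items(req, len, items, 4);      /* bounded: safe on the terminator-less buffer */
    for (i = 0; i < n; i++)
        printf("item %zu: name=%.*s value=%.*s\n", i,
               (int)items[i].nlen, items[i].name, (int)items[i].vlen, items[i].value);

    if (argc > 1)   /* ./scan overread: ASAN reports heap-buffer-overflow, READ of size 1, here */
        printf("unsafe length: %zu\n", item_len_unsafe(req));

    free(req);
    return 0;
}
```

The fix pattern is the same one any request parser over a length-delimited heap buffer needs: carry `end` (or the remaining length) into every scanning helper and test it before each byte read, rather than trusting that a delimiter or NUL exists past the last payload byte. Under a plain build the unsafe scanner usually "works" because the byte after the region happens to be 0 or a redzone value, which is why this class of bug shows up only once the code is run under ASAN with a fuzzer-generated input like the attached one.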