Project: Hyrax Data Server
HYRAX-598

NULL pointer dereference in D4ParserSax2

    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: libdap
    • Labels:
      None
    • Epic Link:
    • Sprint:
      NASA-18.1.2

      Description

      Reported on Github by GwanYeong Kim

      Summary

      Memory error (invalid write of size 4) in vsnprintf caused by percent characters (%) in the attached XML file, which was crafted specifically to look for memory corruption (fuzzing), whereby security researchers look for the inputs that cause a particular crash and determine whether they are exploitable.

      Specifically,

      valgrind --trace-children=yes ./dmr-test -p Null_D4ParserSax2
      

      returns (just including useful portion):

      ==19281== Command: /home/centos/hyrax/libdap4/tests/.libs/lt-dmr-test -p Null_D4ParserSax2
      ==19281== 
      ==19281== Invalid write of size 4
      ==19281==    at 0x63D2611: vfprintf (in /usr/lib64/libc-2.17.so)
      ==19281==    by 0x63FC1B8: vsnprintf (in /usr/lib64/libc-2.17.so)
      ==19281==    by 0x5124CAF: libdap::D4ParserSax2::dmr_error(void*, char const*, ...) (D4ParserSax2.cc:1223)
      ==19281==    by 0x51288EA: libdap::D4ParserSax2::process_dimension_def(char const*, unsigned char const**, int) (D4ParserSax2.cc:209)
      ==19281==    by 0x512BC40: libdap::D4ParserSax2::dmr_start_element(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) (D4ParserSax2.cc:704)
      ==19281==    by 0x58478CF: ??? (in /usr/lib64/libxml2.so.2.9.1)
      ==19281==    by 0x584DE61: ??? (in /usr/lib64/libxml2.so.2.9.1)
      ==19281==    by 0x584F61D: xmlParseChunk (in /usr/lib64/libxml2.so.2.9.1)
      ==19281==    by 0x512595C: libdap::D4ParserSax2::intern(std::istream&, libdap::DMR*, bool) (D4ParserSax2.cc:1342)
      ==19281==    by 0x4160C2: test_dap4_parser(std::string const&, bool, bool) (dmr-test.cc:94)
      ==19281==    by 0x4134F9: main (dmr-test.cc:380)
      ==19281==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
      ==19281== 
      ==19281== 
      ==19281== Process terminating with default action of signal 11 (SIGSEGV)
      ==19281==  Access not within mapped region at address 0x0
      ==19281==    at 0x63D2611: vfprintf (in /usr/lib64/libc-2.17.so)
      ==19281==    by 0x63FC1B8: vsnprintf (in /usr/lib64/libc-2.17.so)
      ==19281==    by 0x5124CAF: libdap::D4ParserSax2::dmr_error(void*, char const*, ...) (D4ParserSax2.cc:1223)
      ==19281==    by 0x51288EA: libdap::D4ParserSax2::process_dimension_def(char const*, unsigned char const**, int) (D4ParserSax2.cc:209)
      ==19281==    by 0x512BC40: libdap::D4ParserSax2::dmr_start_element(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) (D4ParserSax2.cc:704)
      ==19281==    by 0x58478CF: ??? (in /usr/lib64/libxml2.so.2.9.1)
      ==19281==    by 0x584DE61: ??? (in /usr/lib64/libxml2.so.2.9.1)
      ==19281==    by 0x584F61D: xmlParseChunk (in /usr/lib64/libxml2.so.2.9.1)
      ==19281==    by 0x512595C: libdap::D4ParserSax2::intern(std::istream&, libdap::DMR*, bool) (D4ParserSax2.cc:1342)
      ==19281==    by 0x4160C2: test_dap4_parser(std::string const&, bool, bool) (dmr-test.cc:94)
      ==19281==    by 0x4134F9: main (dmr-test.cc:380)
      ==19281==  If you believe this happened as a result of a stack
      ==19281==  overflow in your program's main thread (unlikely but
      ==19281==  possible), you can try to increase the size of the
      ==19281==  main thread stack using the --main-stacksize= flag.
      ==19281==  The main thread stack size used in this run was 8388608.
      ==19281== 
      ==19281== HEAP SUMMARY:
      ==19281==     in use at exit: 41,430 bytes in 185 blocks
      ==19281==   total heap usage: 247 allocs, 62 frees, 46,682 bytes allocated
      ==19281== 
      

      Minimal crash file from GwanYeong Kim <gy741.kim@gmail.com>

      <?l?><t xmlns="http://xml.opendap.org/ns/DAP/4.0#"><Dimension name="" size="%n">
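The trace above is the classic consequence of handing an attacker-controlled attribute value to a printf-style function as its format string: the `%n` in `size="%n"` makes vsnprintf write an int through a pointer argument that was never supplied, hence the 4-byte write to address 0x0. The C below is an added example and not libdap's own code; `dmr_error_safe`, `parse_dimension_size`, `checked_size` and `last_dimension_error` are hypothetical names. It shows the hardened pattern: the format string is always a literal chosen by the caller, the untrusted attribute value reaches vsnprintf only as a `%s` argument, and the size is validated as a non-negative integer before it is used.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_BUF 256

/* Last error message recorded by the parser (hypothetical, for illustration). */
static char last_error[ERR_BUF];

/* Hardened error reporter. Callers must pass a string literal as fmt;
 * anything derived from the document goes in the variadic arguments.
 * The unsafe pattern behind the crash is equivalent to calling this
 * with the raw attribute value as fmt, so "%n" gets interpreted. */
static void dmr_error_safe(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/* Parse the Dimension size attribute. Returns 1 and stores the value in *out
 * on success; returns 0 and records an error message otherwise. The raw value
 * is untrusted and is therefore only ever passed as a "%s" argument. */
int parse_dimension_size(const char *value, long long *out) {
    if (value == NULL || *value == '\0') {
        dmr_error_safe("Dimension size attribute missing");
        return 0;
    }
    errno = 0;
    char *end = NULL;
    long long n = strtoll(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0' || n < 0) {
        dmr_error_safe("Invalid Dimension size '%s'", value);
        return 0;
    }
    *out = n;
    return 1;
}

/* Convenience wrapper: the parsed size, or -1 if the attribute was rejected. */
long long checked_size(const char *value) {
    long long n = 0;
    return parse_dimension_size(value, &n) ? n : -1;
}

const char *last_dimension_error(void) { return last_error; }

int main(void) {
    /* Constructed sample attribute values, including the fuzzer's "%n". */
    const char *samples[] = { "42", "%n", "12abc", "-1", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long n = checked_size(samples[i]);
        if (n < 0)
            printf("rejected %-6s -> %s\n", samples[i], last_dimension_error());
        else
            printf("accepted %-6s -> %lld\n", samples[i], n);
    }
    return 0;
}
```

With a literal format string, the `%n` in the rejected value is reproduced verbatim inside the error text instead of being interpreted, and the integer check means a non-numeric size never reaches later allocation code.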
      

People

• Assignee: James Gallagher (jimg)
• Reporter: Uday Kari (ukari, inactive)
• Votes: 0
• Watchers: 1

Time Tracking

• Logged: 3 hours, 30 minutes