A message system like D-Bus for Liminix, taken from OpenWRT's ubus
Julian Squires a8cf678230 ubusd: protect against too-short messages
A bad client can send a message whose blob_attr len is less than 4,
and ubus_msg_new happily points ->data off the end of the allocated
buffer, leading to invalid reads, writes, and eventually a crash if
ubus monitor is running:

==17683== Invalid write of size 4
==17683==    at 0x10A915: client_cb (ubusd_main.c:143)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a63200 is 0 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683== Invalid read of size 4
==17683==    at 0x10A645: blob_len (blob.h:102)
==17683==    by 0x10A93D: blob_raw_len (blob.h:111)
==17683==    by 0x10A93D: client_cb (ubusd_main.c:149)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a63200 is 0 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683== Invalid read of size 4
==17683==    at 0x10ACE8: blob_len (blob.h:102)
==17683==    by 0x10B7E1: blob_raw_len (blob.h:111)
==17683==    by 0x10B7E1: ubusd_proto_receive_message (ubusd_proto.c:457)
==17683==    by 0x10A9A7: client_cb (ubusd_main.c:169)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a63200 is 0 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683== Invalid read of size 4
==17683==    at 0x10D39B: blob_len (blob.h:102)
==17683==    by 0x10D53E: ubusd_monitor_message (ubusd_monitor.c:91)
==17683==    by 0x10A99C: client_cb (ubusd_main.c:168)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a6b3e0 is 0 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683== Invalid read of size 1
==17683==    at 0x4848286: blob_put (blob.c:167)
==17683==    by 0x10D555: ubusd_monitor_message (ubusd_monitor.c:91)
==17683==    by 0x10A99C: client_cb (ubusd_main.c:168)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a6b3e4 is 4 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683==
==17683== Process terminating with default action of signal 11 (SIGSEGV)
==17683==  Bad permissions for mapped region at address 0x4E43000
==17683==    at 0x4848286: blob_put (blob.c:167)
==17683==    by 0x10D555: ubusd_monitor_message (ubusd_monitor.c:91)
==17683==    by 0x10A99C: client_cb (ubusd_main.c:168)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)

The following Python program minimally reproduces the issue:

import socket

# Connect to the UNIX socket ubusd is listening on (the path used here is the
# one from the reproduction; adjust it to wherever your ubusd was started)
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect('/tmp/usock')
sock.recv(12)  # drain the hello message ubusd sends on connect

# 8-byte ubus_msghdr (version 0, type 4, seq, peer) followed by a 4-byte
# blob_attr header whose length field is 0, i.e. shorter than the header itself
sock.sendall(b'\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00')
sock.close()

Signed-off-by: Julian Squires <julian@cipht.net>
2021-06-02 18:04:07 +02:00
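The commit above describes a length field that is smaller than the header it belongs to, so a "payload" allocation of blob_raw_len bytes leaves no room for the 4-byte blob_attr header that ubusd copies into it. The C program below is an added example, not code from ubus or from this commit: it reimplements the prefix decoding and the rejection check in isolation, feeds it the 12-byte reproducer from the commit message plus a few constructed messages, and shows why the unsigned arithmetic in blob_len() does not catch the case on its own. The wire layout (8-byte ubus_msghdr, then a big-endian id_len word whose low 24 bits are the total blob length including the 4-byte header) and the UBUS_MAX_MSGLEN cap are assumptions taken from the libubox and ubus headers; verify them against your own tree.

```c
/* Added example (not ubus project code): validate the 12-byte message prefix
 * before allocating, so a blob length below 4 is rejected instead of
 * producing an allocation that cannot hold its own blob_attr header.
 *
 * Assumed wire layout (from libubox blob.h / ubus ubusmsg.h, verify locally):
 *   struct ubus_msghdr { u8 version; u8 type; u16 seq; u32 peer; }   8 bytes
 *   struct blob_attr  { u32 id_len; }  4 bytes, big-endian: bit 31 extended,
 *       bits 24..30 id, bits 0..23 total length INCLUDING this header
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UBUS_MSGHDR_SIZE   8
#define BLOB_ATTR_HDR_SIZE 4
#define UBUS_PREFIX_SIZE   (UBUS_MSGHDR_SIZE + BLOB_ATTR_HDR_SIZE)
#define BLOB_ATTR_LEN_MASK 0x00ffffffU
#define UBUS_MAX_MSGLEN    (1024 * 1024)  /* assumed cap, mirrors ubusmsg.h */

struct msg_buf {
    uint8_t  hdr[UBUS_MSGHDR_SIZE];
    uint32_t len;     /* total blob length: attr header + payload */
    uint8_t  data[];  /* blob_attr header followed by payload */
};

/* Total blob length as encoded on the wire (what blob_raw_len() yields). */
static uint32_t wire_blob_raw_len(const uint8_t attr[BLOB_ATTR_HDR_SIZE])
{
    uint32_t id_len = ((uint32_t)attr[0] << 24) | ((uint32_t)attr[1] << 16) |
                      ((uint32_t)attr[2] << 8)  |  (uint32_t)attr[3];
    return id_len & BLOB_ATTR_LEN_MASK;
}

/* blob_len() is raw_len - 4 in unsigned arithmetic: an encoded length below 4
 * wraps to a huge value, and adding 4 back (blob_raw_len) wraps to the small
 * value again, so nothing in that pair of helpers fails loudly. */
uint32_t wire_blob_len(const uint8_t attr[BLOB_ATTR_HDR_SIZE])
{
    return wire_blob_raw_len(attr) - BLOB_ATTR_HDR_SIZE;
}

/* 1 if the prefix describes a blob large enough to hold its own 4-byte header
 * and not larger than the cap, 0 otherwise. This is the check the reproducer
 * fails. */
int ubus_prefix_ok(const uint8_t *prefix, size_t n)
{
    if (n < UBUS_PREFIX_SIZE)
        return 0;
    uint32_t raw = wire_blob_raw_len(prefix + UBUS_MSGHDR_SIZE);
    return raw >= BLOB_ATTR_HDR_SIZE && raw <= UBUS_MAX_MSGLEN;
}

/* Copy a complete wire message into a new msg_buf. NULL on a short prefix,
 * blob length < 4, blob length over the cap, or fewer payload bytes present
 * than the blob header announces. */
struct msg_buf *ubus_msg_from_wire(const uint8_t *wire, size_t n)
{
    if (!ubus_prefix_ok(wire, n))
        return NULL;
    uint32_t raw = wire_blob_raw_len(wire + UBUS_MSGHDR_SIZE);
    if (n - UBUS_MSGHDR_SIZE < raw)  /* n >= 12 here, so no underflow */
        return NULL;
    struct msg_buf *ub = calloc(1, sizeof(*ub) + raw);
    if (!ub)
        return NULL;
    memcpy(ub->hdr, wire, UBUS_MSGHDR_SIZE);
    ub->len = raw;
    /* raw >= 4 is guaranteed, so the blob_attr header always fits in data;
     * with raw == 0 this copy would be the 4-byte write past the end of the
     * allocation that valgrind reported. */
    memcpy(ub->data, wire + UBUS_MSGHDR_SIZE, raw);
    return ub;
}

/* Convenience for checks: total blob length of an accepted message, else -1. */
long ubus_accepted_len(const uint8_t *wire, size_t n)
{
    struct msg_buf *ub = ubus_msg_from_wire(wire, n);
    if (!ub)
        return -1;
    long len = ub->len;
    free(ub);
    return len;
}

/* Constructed inputs. too_short is the reproducer from the commit message
 * (blob length 0); the others share its header with different blob lengths. */
static const uint8_t too_short[12]  = {0,4,0,1, 0,0,0,0, 0,0,0,0};
static const uint8_t minimal_ok[12] = {0,4,0,1, 0,0,0,0, 0,0,0,4};
static const uint8_t truncated[12]  = {0,4,0,1, 0,0,0,0, 0,0,0,8};
static const uint8_t full_msg[16]   = {0,4,0,1, 0,0,0,0, 0,0,0,8, 1,2,3,4};

int main(void)
{
    printf("reproducer: blob_len wraps to %u, prefix_ok=%d, accepted_len=%ld\n",
           wire_blob_len(too_short + UBUS_MSGHDR_SIZE),
           ubus_prefix_ok(too_short, sizeof too_short),
           ubus_accepted_len(too_short, sizeof too_short));
    printf("minimal empty blob: accepted_len=%ld\n",
           ubus_accepted_len(minimal_ok, sizeof minimal_ok));
    printf("truncated: %ld, complete 4-byte payload: %ld\n",
           ubus_accepted_len(truncated, sizeof truncated),
           ubus_accepted_len(full_msg, sizeof full_msg));
    return 0;
}
```

The check belongs at the point where the 12-byte prefix has been read and before any allocation is sized from it; bounding the length from above at the same spot keeps a client from forcing a multi-megabyte calloc with a single header.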
examples examples: remove dead increments 2019-12-16 23:39:16 +01:00
lua lua: avoid truncation of large numeric values 2020-03-15 20:49:27 +01:00
tests tests: cram: fix usage test 2020-08-05 10:27:24 +02:00
.gitignore examples: split client/server code 2012-10-24 14:37:57 +02:00
.gitlab-ci.yml ci: enable unit testing 2019-12-26 09:46:05 +01:00
cli.c cli: document usage of "subscribe" command 2020-08-05 08:20:32 +02:00
CMakeLists.txt cmake: add a possibility to set library version 2021-02-15 19:12:12 +01:00
libubus-acl.c iron out all extra compiler warnings 2019-12-16 23:39:16 +01:00
libubus-internal.h fix blob parsing vulnerability by using blob_parse_untrusted 2019-12-19 19:53:25 +01:00
libubus-io.c ubusd/libubus-io: fix socket descriptor passing 2019-12-27 15:11:41 +01:00
libubus-obj.c fix blob parsing vulnerability by using blob_parse_untrusted 2019-12-19 19:53:25 +01:00
libubus-req.c fix blob parsing vulnerability by using blob_parse_untrusted 2019-12-19 19:53:25 +01:00
libubus-sub.c libubus: fix passing the return code of the subscriber callback to the notifier 2013-03-17 18:29:38 +01:00
libubus.c fix blob parsing vulnerability by using blob_parse_untrusted 2019-12-19 19:53:25 +01:00
libubus.h ubus: make libubus ready for linking into C++ 2020-01-05 17:34:03 +01:00
ubus_common.h ubus_common: remove duplicate ARRAY_SIZE and add missing include 2019-12-19 11:18:07 +01:00
ubusd.c ubusd: add per-client tx queue limit 2021-05-31 18:39:31 +02:00
ubusd.h ubusd: add per-client tx queue limit 2021-05-31 18:39:31 +02:00
ubusd_acl.c ubusd_acl: add support for wildcard in methods 2020-10-25 18:01:19 +00:00
ubusd_acl.h ubusd_acl: event send access list support 2018-10-06 20:40:24 +02:00
ubusd_event.c workaround possibly false positive uses of memory after it is freed 2019-12-19 11:18:07 +01:00
ubusd_id.c ubusd: use avl_strcmp 2012-12-11 23:38:00 +01:00
ubusd_id.h add copyright/license information 2011-06-17 16:35:11 +02:00
ubusd_main.c ubusd: protect against too-short messages 2021-06-02 18:04:07 +02:00
ubusd_monitor.c ubus_monitor: workaround possibly false positive uses of memory after it is freed 2019-12-19 19:53:25 +01:00
ubusd_obj.c workaround possibly false positive uses of memory after it is freed 2019-12-19 11:18:07 +01:00
ubusd_obj.h pass ubus_msg_buf to callback of internal object 2015-06-18 19:01:17 +02:00
ubusd_proto.c ubusd: convert tx_queue to linked list 2021-05-31 14:16:19 +02:00
ubusmsg.h ubusd: add monitor support 2015-11-19 22:32:11 +01:00