View Issue Details

ID: 0005667
Project: unrealircd
Category:
View Status: public
Last Update: 2020-05-08 15:02
Reporter: moody
Assigned To: syzop
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Fixed in Version: 5.0.5
Summary: 0005667: Buffer overflow in crule parser
Description: Statically sized buffers are used in the parsing of crules; this can lead to crashes if the user-supplied rule is too long.

[New Thread 0x7ffff73ad700 (LWP 27543)]
[Thread 0x7ffff73ad700 (LWP 27543) exited]
*** stack smashing detected ***: terminated

Thread 1 "unrealircd" received signal SIGABRT, Aborted.
0x00007ffff7908ea1 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff7908ea1 in raise () from /lib64/libc.so.6
#1 0x00007ffff78f253d in abort () from /lib64/libc.so.6
#2 0x00007ffff794c48f in __libc_message () from /lib64/libc.so.6
#3 0x00007ffff79dbe32 in __fortify_fail () from /lib64/libc.so.6
#4 0x00007ffff79dbe02 in __stack_chk_fail () from /lib64/libc.so.6
#5 0x0000555555575389 in crule_parsearglist (argrootp=0x555555a1db60, next_tokp=next_tokp@entry=0x7fffffffdc04,
    ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:625
#6 0x00005555555754a2 in crule_parsefunction (funcrootp=0x7fffffffdb80, next_tokp=next_tokp@entry=0x7fffffffdc04,
    ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:576
#7 0x000055555557567a in crule_parseprimary (primrootp=primrootp@entry=0x7fffffffdb80,
    next_tokp=next_tokp@entry=0x7fffffffdc04, ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:532
#8 0x0000555555575701 in crule_parseandexpr (androotp=androotp@entry=0x7fffffffdbc0,
    next_tokp=next_tokp@entry=0x7fffffffdc04, ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:438
#9 0x0000555555575811 in crule_parseorexpr (orrootp=orrootp@entry=0x7fffffffdc10,
    next_tokp=next_tokp@entry=0x7fffffffdc04, ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:384
#10 0x0000555555575b13 in crule_test (rule=<optimized out>) at crule.c:696
#11 0x0000555555589cb5 in _test_deny (conf=<optimized out>, ce=0x5555559955a0) at conf.c:9863
#12 0x0000555555596048 in config_test () at conf.c:2831
#13 0x000055555559ddc9 in config_test_all () at conf.c:1965
#14 0x000055555559df02 in init_conf (rootconf=0x555555972d00 "/home/moody/unrealircd/conf/unrealircd.conf",
    rehash=0) at conf.c:2057
#15 0x000055555556fb3f in main (argc=<optimized out>, argv=<optimized out>) at ircd.c:1257
(gdb)
Steps To Reproduce: Add a deny link block similar to the following.

deny link {
        mask "irc.example.com";
        rule connected(zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz);
        type all;
}
Tags: No tags attached.
3rd party modules:
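The report above describes an argument copied into a fixed-size buffer without a length check. The following C program is an added illustration and is not UnrealIRCd's crule.c: it is a hypothetical mini parser for a `name(argument)` rule with an arbitrarily chosen 32-byte argument buffer (`ARG_BUF_SIZE`), showing the unbounded copy that overruns the stack beside a bounded version that rejects the rule instead. `make_rule`, `check_rule` and `check_rule_len` are helpers invented for the example; the 120-character argument is constructed here to mirror the shape of the rule in the Steps To Reproduce.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Arbitrary buffer size for this illustration (not the size used in crule.c). */
#define ARG_BUF_SIZE 32

/* Vulnerable pattern: copy the text between '(' and ')' into a fixed stack
 * buffer without checking that it fits. An argument of ARG_BUF_SIZE bytes or
 * more overruns 'arg', which is what the stack protector reports as
 * "stack smashing detected". Only ever call this on short input. */
int parse_arg_unsafe(const char *rule)
{
    char arg[ARG_BUF_SIZE];
    const char *open = strchr(rule, '(');
    const char *close = open ? strchr(open, ')') : NULL;
    if (!open || !close)
        return -1;
    size_t len = (size_t)(close - open - 1);
    memcpy(arg, open + 1, len);   /* BUG: no check that len < ARG_BUF_SIZE */
    arg[len] = '\0';
    return (int)strlen(arg);
}

/* Hardened pattern: same parse, but the argument length is checked against
 * the destination (including room for the NUL) before the copy. Returns the
 * argument length on success, -1 for a malformed rule and -2 when the
 * argument is too long, so a config checker can reject the rule cleanly. */
int parse_arg_safe(const char *rule, char *out, size_t outsz)
{
    const char *open = strchr(rule, '(');
    const char *close = open ? strchr(open, ')') : NULL;
    if (!open || !close)
        return -1;
    size_t len = (size_t)(close - open - 1);
    if (len >= outsz)
        return -2;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed input: "connected(zzz...z)" with n 'z' characters, the shape
 * of the oversized rule in the report. Caller frees the result. */
char *make_rule(size_t n)
{
    const char *prefix = "connected(";
    size_t plen = strlen(prefix);
    char *rule = malloc(plen + n + 2);
    if (!rule)
        return NULL;
    memcpy(rule, prefix, plen);
    memset(rule + plen, 'z', n);
    rule[plen + n] = ')';
    rule[plen + n + 1] = '\0';
    return rule;
}

/* What a config checker would do per rule: parse into a local buffer and
 * return the status instead of crashing. */
int check_rule(const char *rule)
{
    char buf[ARG_BUF_SIZE];
    return parse_arg_safe(rule, buf, sizeof buf);
}

/* Same check for a constructed rule whose argument is n 'z' characters. */
int check_rule_len(size_t n)
{
    char *rule = make_rule(n);
    if (!rule)
        return -3;
    int r = check_rule(rule);
    free(rule);
    return r;
}

int main(void)
{
    /* The unsafe variant is only exercised with a short argument here; feeding
     * it check_rule_len-style 120-byte input reproduces the abort in the report. */
    printf("unsafe, short arg: %d\n", parse_arg_unsafe("connected(irc.example.com)"));
    printf("safe, short arg:   %d\n", check_rule("connected(irc.example.com)"));
    printf("safe, 31 bytes:    %d\n", check_rule_len(31));
    printf("safe, 120 bytes:   %d\n", check_rule_len(120));
    return 0;
}
```

The boundary to get right is `len >= outsz`, not `len > outsz`: the terminating NUL needs its own byte, so a 32-byte argument must already be rejected for a 32-byte buffer.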

Activities

syzop (administrator), 2020-05-06 09:11, note ~0021551

Right, that is silly indeed. I will have a look at it in the weekend or next week, after I have finished other coding.

I am treating it as a crash bug due to a configuration fault, not as a security issue, by the way, because you need to have access to the configuration to trigger it, in which case you can do just about anything anyway.

syzop (administrator), 2020-05-08 15:02, note ~0021558

Fixed, thanks for the report.

commit 606a35bed00eb4e0f8d105e6eaaeaad7f25042b9 (HEAD -> unreal50)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Fri May 8 14:58:49 2020 +0200

    Fix crash when using deny link::rule with oversized argument.
    Reported by moody in https://bugs.unrealircd.org/view.php?id=5667

https://github.com/unrealircd/unrealircd/commit/606a35bed00eb4e0f8d105e6eaaeaad7f25042b9

Issue History

Date Modified Username Field Change
2020-05-06 08:42 moody New Issue
2020-05-06 09:11 syzop Assigned To => syzop
2020-05-06 09:11 syzop Status new => acknowledged
2020-05-06 09:11 syzop Note Added: 0021551
2020-05-08 15:02 syzop Status acknowledged => resolved
2020-05-08 15:02 syzop Resolution open => fixed
2020-05-08 15:02 syzop Fixed in Version => 5.0.5
2020-05-08 15:02 syzop Note Added: 0021558