Heap-based Buffer Overflow in modbus_reply #614
Comments
Another PoC:

❯ ./tests/unit-test-server
The client connection from 127.0.0.1 is accepted
Waiting for an indication...
<03><DD><00><00><00><0D><FF><17><01><62><00><01><00><84><00><01><02><D7><11>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==174549==ERROR: AddressSanitizer: SEGV on unknown address 0x605ffffffec8 (pc 0x7fd8514abc62 bp 0x7ffebf02e730 sp 0x7ffebf02dcc0 T0)
==174549==The signal is caused by a WRITE memory access.
    #0 0x7fd8514abc62 in modbus_reply /XXX/src/libmodbus/build/src/../../src/modbus.c:980:46
    #1 0x4cbcaf in main /XXX/src/libmodbus/build/tests/../../tests/unit-test-server.c:183:14
    #2 0x7fd85112a564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #3 0x41c40d in _start (/XXX/src/libmodbus/build/tests/.libs/unit-test-server+0x41c40d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /XXX/src/libmodbus/build/src/../../src/modbus.c:980:46 in modbus_reply
==174549==ABORTING
|
I can reproduce the issue and AddressSanitizer spots the issue, too. Built with:

$ cd <libmodbus-src>
$ mkdir -p build
$ cd build
$ CC=clang-13 CFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ../configure
$ make -j8
$ ./tests/unit-test-server
$ <run POC>
|
Note: This is very likely a security issue; maybe this can be made private for now, @stephane? |
I think it's too late to make it private now. I'm struggling to fund this project and I'm very busy these days. |
@AiDaiP and @JonasToth: can you apply the fix of my PR and check whether this fixes the issue on your side? Thanks. |
With the nice fix of @mhei:

The client connection from 127.0.0.1 is accepted
Waiting for an indication...
<FF><E0><00><1F><00><5A><FF><17><01><60><00><20><01><5E><00><01><02><10><34>
Illegal data read address 0x180 or write address 0x15E write_and_read_registers
[FF][E0][00][00][00][03][FF][97][02]
|
@mhei , @stephane thank you for the fix! A general question: Are the sanitizers already integrated into CI? I would contribute such changes if you like. Another thing: @AiDaiP what fuzzer did you use? Maybe a general target and/or OSS-Fuzz integration would be helpful to spot such issues earlier? Again, I would fight for a bit of time from my employer to contribute. Should there be a CVE for this issue? |
I used my ugly fuzzer. |
I was thinking about creating a few But even AFL would not be an issue if it's possible to integrate it into OSS-Fuzz, I guess. |
I think libfuzzer will work. The TCP/RTU stuff takes a long time and it is very boring. |
My understanding is that you are working for a company on this right now? Are you investing time anyway, or was this a one-off effort? I just want to avoid duplicated work :) |
I'm a senior student. I'm doing this for my paper. |
Ok. I think it's best if, at the end of the day, the fuzzing gets integrated into this project. If the result of your work is just the paper without the project integration, I would try to pick it up from there. |
Actually, this bug has been reported a long time ago... #499 |
While handling MODBUS_FC_WRITE_AND_READ_REGISTERS, both address offsets must be checked, i.e. the read and the write address must be within the mapping range. At the moment, only the read address was considered, it looks like a simple copy and paste error, so let's fix it. Signed-off-by: Michael Heimpold <[email protected]>
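As an added illustration of the check that commit message describes (example code written for this page, not libmodbus's own code or API): a small FC 0x17 (write-and-read registers) request handler with the flawed check that validates only the read range next to the corrected one that validates both. The register block 0x160..0x17F is assumed to mirror the unit-test server's mapping, the `reg_mapping_t`/`fc17_*` names are invented for this example, and the two PoC PDUs are the frames posted in this issue with the 7-byte MBAP header stripped; the third PDU is constructed. With the first PoC the write address 0x0084 lies below the block start, so the unchecked write offset is negative (-220 registers), which is the out-of-bounds heap write the sanitizer reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FC_WRITE_AND_READ_REGISTERS 0x17
#define EXC_ILLEGAL_DATA_ADDRESS    0x02
#define EXC_ILLEGAL_DATA_VALUE      0x03
#define FC17_RESP_MAX               252   /* 2 + 2 * 125 registers */

/* Assumed register block (example values mirroring the unit-test server). */
#define MAP_START 0x160
#define MAP_NB    0x20

typedef struct {
    uint16_t start_address;          /* address of tab_registers[0] */
    int      nb_registers;           /* number of registers in the block */
    uint16_t tab_registers[MAP_NB];
} reg_mapping_t;

typedef struct {
    uint16_t read_addr, read_nb, write_addr, write_nb;
    uint8_t  byte_count;
    const uint8_t *write_data;       /* points into the request PDU */
} fc17_request_t;

/* PDUs from the issue (MBAP header removed) and one constructed valid request
 * that writes 0xBEEF to 0x164 and reads one register at 0x162. */
static const uint8_t POC1_PDU[] = {0x17,0x01,0x62,0x00,0x01,0x00,0x84,0x00,0x01,0x02,0xD7,0x11};
static const uint8_t POC2_PDU[] = {0x17,0x01,0x60,0x00,0x20,0x01,0x5E,0x00,0x01,0x02,0x10,0x34};
static const uint8_t GOOD_PDU[] = {0x17,0x01,0x62,0x00,0x01,0x01,0x64,0x00,0x01,0x02,0xBE,0xEF};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse an FC 0x17 PDU. Returns 0 on success, -1 if it is malformed. */
int fc17_parse(const uint8_t *pdu, size_t len, fc17_request_t *r)
{
    if (len < 10 || pdu[0] != FC_WRITE_AND_READ_REGISTERS)
        return -1;
    r->read_addr  = be16(pdu + 1);
    r->read_nb    = be16(pdu + 3);
    r->write_addr = be16(pdu + 5);
    r->write_nb   = be16(pdu + 7);
    r->byte_count = pdu[9];
    r->write_data = pdu + 10;
    /* Payload length must match the declared register count. */
    if (r->byte_count != 2 * r->write_nb || len != 10u + r->byte_count)
        return -1;
    return 0;
}

/* Offset of an address into the block; negative when the address lies
 * before start_address, which is what the first PoC triggers. */
int fc17_map_offset(const reg_mapping_t *m, uint16_t address)
{
    return (int)address - (int)m->start_address;
}

/* The flawed check the issue describes: only the read range is validated. */
int fc17_check_read_only(const reg_mapping_t *m, const fc17_request_t *r)
{
    int ro = fc17_map_offset(m, r->read_addr);
    return (ro < 0 || ro + r->read_nb > m->nb_registers) ? EXC_ILLEGAL_DATA_ADDRESS : 0;
}

/* Corrected check: quantities within protocol limits, and both the read and
 * the write range inside the block, before any register is touched. */
int fc17_check_both(const reg_mapping_t *m, const fc17_request_t *r)
{
    if (r->read_nb < 1 || r->read_nb > 0x7D || r->write_nb < 1 || r->write_nb > 0x79)
        return EXC_ILLEGAL_DATA_VALUE;
    int ro = fc17_map_offset(m, r->read_addr);
    int wo = fc17_map_offset(m, r->write_addr);
    if (ro < 0 || ro + r->read_nb > m->nb_registers ||
        wo < 0 || wo + r->write_nb > m->nb_registers)
        return EXC_ILLEGAL_DATA_ADDRESS;
    return 0;
}

/* Serve a request with the corrected check: write first, then read. out must
 * hold FC17_RESP_MAX bytes. Returns the response length or -exception_code. */
int fc17_handle(reg_mapping_t *m, const uint8_t *pdu, size_t len, uint8_t *out)
{
    fc17_request_t r;
    if (fc17_parse(pdu, len, &r) != 0)
        return -EXC_ILLEGAL_DATA_VALUE;
    int exc = fc17_check_both(m, &r);
    if (exc != 0)
        return -exc;
    int wo = fc17_map_offset(m, r.write_addr);
    for (int i = 0; i < r.write_nb; i++)
        m->tab_registers[wo + i] = be16(r.write_data + 2 * i);
    int ro = fc17_map_offset(m, r.read_addr);
    out[0] = FC_WRITE_AND_READ_REGISTERS;
    out[1] = (uint8_t)(2 * r.read_nb);
    for (int i = 0; i < r.read_nb; i++) {
        out[2 + 2 * i] = (uint8_t)(m->tab_registers[ro + i] >> 8);
        out[3 + 2 * i] = (uint8_t)(m->tab_registers[ro + i] & 0xFF);
    }
    return 2 + 2 * r.read_nb;
}

int main(void)
{
    reg_mapping_t m = { MAP_START, MAP_NB, {0} };
    fc17_request_t r;
    uint8_t out[FC17_RESP_MAX];
    fc17_parse(POC1_PDU, sizeof POC1_PDU, &r);
    printf("PoC1: read-only check %d, write offset %d, both-ranges check %d\n",
           fc17_check_read_only(&m, &r), fc17_map_offset(&m, r.write_addr), fc17_check_both(&m, &r));
    printf("PoC2: %d, valid: %d bytes\n", fc17_handle(&m, POC2_PDU, sizeof POC2_PDU, out),
           fc17_handle(&m, GOOD_PDU, sizeof GOOD_PDU, out));
    return 0;
}
```

The second PoC passes the read-range test (0x160 + 0x20 ends exactly at the block end) and is rejected only because of the write address 0x15E, which matches the "Illegal data read address 0x180 or write address 0x15E" line the fixed server prints above; the parse step also rejects a byte count that disagrees with the write quantity, which a handler should do before any range arithmetic.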
libmodbus version
ebc4f47
OS and/or distribution
Ubuntu 20.04 focal
Environment
AMD EPYC 7742 64-Core @ 16x 2.25GHz
Description
Heap-based Buffer Overflow in _modbus_receive_msg
Expected behaviour
no crash.
Actual behaviour
double free or corruption (!prev)
Steps to reproduce the behavior (commands or source code)
libmodbus/tests/unit-test-server.c
then Ctrl+C to close the nc.
libmodbus output with debug mode enabled