CVE-2017-8807: bugfix : coredump causes by memcpy in vbf_stp_error by shamger · Pull Request #2429 · varnishcache/varnish-cache
vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to obtain sensitive information from process memory because a VFP_GetStorage buffer is larger than intended in certain circumstances involving -sfile Stevedore transient objects.
Test output (panic only):
*** v1 0.9 debug|Info: Child (14386) said =================================================================
*** v1 0.9 debug|Info: Child (14386) said ==14386==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009b00 at pc 0x000108f3d2f8 bp 0x700002632c30 sp 0x7000026323e0
*** v1 0.9 debug|Info: Child (14386) said READ of size 4096 at 0x602000009b00 thread T12
*** v1 1.0 debug|Info: Child (14386) said #0 0x108f3d2f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
*** v1 1.2 debug|Info: Child (14386) said #1 0x1082542ab in vbf_stp_error cache_fetch.c:902
*** v1 1.2 debug|Info: Child (14386) said #2 0x10822f81f in vbf_fetch_thread steps.h:58
*** v1 1.2 debug|Info: Child (14386) said #3 0x1083fef58 in Pool_Work_Thread cache_wrk.c:375
*** v1 1.2 debug|Info: Child (14386) said #4 0x1083fa276 in WRK_Thread cache_wrk.c:128
*** v1 1.2 debug|Info: Child (14386) said #5 0x1083f94f0 in pool_thread cache_wrk.c:406
*** v1 1.2 debug|Info: Child (14386) said #6 0x7fff9da9693a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
*** v1 1.2 debug|Info: Child (14386) said #7 0x7fff9da96886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
*** v1 1.2 debug|Info: Child (14386) said #8 0x7fff9da9608c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)
*** v1 1.2 debug|Info: Child (14386) said
*** v1 1.2 debug|Info: Child (14386) said 0x602000009b00 is located 0 bytes to the right of 16-byte region [0x602000009af0,0x602000009b00)
*** v1 1.2 debug|Info: Child (14386) said allocated by thread T12 here:
*** v1 1.2 debug|Info: Child (14386) said #0 0x108f4618c in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5618c)
*** v1 1.2 debug|Info: Child (14386) said #1 0x10865a461 in VSB_newbuf vsb.c:201
*** v1 1.2 debug|Info: Child (14386) said #2 0x108659920 in VSB_new vsb.c:229
*** v1 1.2 debug|Info: Child (14386) said #3 0x108252a55 in vbf_stp_error cache_fetch.c:862
*** v1 1.2 debug|Info: Child (14386) said #4 0x10822f81f in vbf_fetch_thread steps.h:58
*** v1 1.2 debug|Info: Child (14386) said #5 0x1083fef58 in Pool_Work_Thread cache_wrk.c:375
*** v1 1.2 debug|Info: Child (14386) said #6 0x1083fa276 in WRK_Thread cache_wrk.c:128
*** v1 1.2 debug|Info: Child (14386) said #7 0x1083f94f0 in pool_thread cache_wrk.c:406
*** v1 1.2 debug|Info: Child (14386) said #8 0x7fff9da9693a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
*** v1 1.2 debug|Info: Child (14386) said #9 0x7fff9da96886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
*** v1 1.2 debug|Info: Child (14386) said #10 0x7fff9da9608c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)
*** v1 1.2 debug|Info: Child (14386) said
*** v1 1.2 debug|Info: Child (14386) said Thread T12 created by T4 here:
*** v1 1.2 debug|Info: Child (14386) said #0 0x108f3cca6 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4cca6)
*** v1 1.2 debug|Info: Child (14386) said #1 0x1083f7bc4 in pool_breed cache_wrk.c:431
*** v1 1.2 debug|Info: Child (14386) said #2 0x1083f3052 in pool_herder cache_wrk.c:490
*** v1 1.2 debug|Info: Child (14386) said #3 0x7fff9da9693a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
*** v1 1.2 debug|Info: Child (14386) said #4 0x7fff9da96886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
*** v1 1.2 debug|Info: Child (14386) said #5 0x7fff9da9608c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)
*** v1 1.2 debug|Info: Child (14386) said
*** v1 1.2 debug|Info: Child (14386) said Thread T4 created by T3 here:
*** v1 1.2 debug|Info: Child (14386) said #0 0x108f3cca6 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4cca6)
*** v1 1.2 debug|Info: Child (14386) said #1 0x10830c143 in pool_mkpool cache_pool.c:162
*** v1 1.2 debug|Info: Child (14386) said #2 0x108306f84 in pool_poolherder cache_pool.c:196
*** v1 1.2 debug|Info: Child (14386) said #3 0x7fff9da9693a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
*** v1 1.2 debug|Info: Child (14386) said #4 0x7fff9da96886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
*** v1 1.2 debug|Info: Child (14386) said #5 0x7fff9da9608c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)
*** v1 1.2 debug|Info: Child (14386) said
*** v1 1.2 debug|Info: Child (14386) said Thread T3 created by T0 here:
*** v1 1.2 debug|Info: Child (14386) said #0 0x108f3cca6 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4cca6)
*** v1 1.2 debug|Info: Child (14386) said #1 0x108306b6a in Pool_Init cache_pool.c:255
*** v1 1.2 debug|Info: Child (14386) said #2 0x1082d10f2 in child_main cache_main.c:260
*** v1 1.2 debug|Info: Child (14386) said #3 0x1084e0347 in mgt_launch_child mgt_child.c:399
*** v1 1.2 debug|Info: Child (14386) said #4 0x1084e3e87 in mch_cli_server_start mgt_child.c:665
*** v1 1.2 debug|Info: Child (14386) said #5 0x10863490f in cls_dispatch vcli_serve.c:229
*** v1 1.2 debug|Info: Child (14386) said #6 0x1086324f7 in cls_vlu2 vcli_serve.c:289
*** v1 1.2 debug|Info: Child (14386) said #7 0x108620290 in cls_vlu vcli_serve.c:364
*** v1 1.2 debug|Info: Child (14386) said #8 0x10864b742 in LineUpProcess vlu.c:98
*** v1 1.2 debug|Info: Child (14386) said #9 0x10864ad92 in VLU_Fd vlu.c:123
*** v1 1.2 debug|Info: Child (14386) said #10 0x10862a5d9 in VCLS_PollFd vcli_serve.c:554
*** v1 1.2 debug|Info: Child (14386) said #11 0x1084e7e31 in mgt_cli_callback2 mgt_cli.c:397
*** v1 1.2 debug|Info: Child (14386) said #12 0x10863f33e in vev_schedule_one vev.c:450
*** v1 1.2 debug|Info: Child (14386) said #13 0x10863d01b in vev_schedule vev.c:344
*** v1 1.2 debug|Info: Child (14386) said #14 0x1084fdd4b in main mgt_main.c:929
*** v1 1.2 debug|Info: Child (14386) said #15 0x7fff9d87d234 in start (libdyld.dylib:x86_64+0x5234)
*** v1 1.2 debug|Info: Child (14386) said
*** v1 1.2 debug|Info: Child (14386) said SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
*** v1 1.2 debug|Info: Child (14386) said Shadow bytes around the buggy address:
*** v1 1.2 debug|Info: Child (14386) said 0x1c0400001310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c0400001320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c0400001330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c0400001340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c0400001350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
*** v1 1.2 debug|Info: Child (14386) said =>0x1c0400001360:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c0400001370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c0400001380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c0400001390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c04000013a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said 0x1c04000013b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
*** v1 1.2 debug|Info: Child (14386) said Shadow byte legend (one shadow byte represents 8 application bytes):
*** v1 1.2 debug|Info: Child (14386) said Addressable: 00
*** v1 1.2 debug|Info: Child (14386) said Partially addressable: 01 02 03 04 05 06 07
*** v1 1.2 debug|Info: Child (14386) said Heap left redzone: fa
*** v1 1.2 debug|Info: Child (14386) said Freed heap region: fd
*** v1 1.2 debug|Info: Child (14386) said Stack left redzone: f1
*** v1 1.2 debug|Info: Child (14386) said Stack mid redzone: f2
*** v1 1.2 debug|Info: Child (14386) said Stack right redzone: f3
*** v1 1.2 debug|Info: Child (14386) said Stack after return: f5
*** v1 1.2 debug|Info: Child (14386) said Stack use after scope: f8
*** v1 1.2 debug|Info: Child (14386) said Global redzone: f9
*** v1 1.2 debug|Info: Child (14386) said Global init order: f6
*** v1 1.2 debug|Info: Child (14386) said Poisoned by user: f7
*** v1 1.2 debug|Info: Child (14386) said Container overflow: fc
*** v1 1.2 debug|Info: Child (14386) said Array cookie: ac
*** v1 1.2 debug|Info: Child (14386) said Intra object redzone: bb
*** v1 1.2 debug|Info: Child (14386) said ASan internal: fe
*** v1 1.2 debug|Info: Child (14386) said Left alloca redzone: ca
*** v1 1.2 debug|Info: Child (14386) said Right alloca redzone: cb
*** v1 1.2 debug|Info: Child (14386) said ==14386==ABORTING
---- c1 1.2 HTTP rx EOF (fd:15 read: Undefined error: 0) 1
* top 1.2 RESETTING after a.vtc
** v1 1.2 Wait
**** v1 1.2 CLI TX|panic.clear
*** v1 1.2 debug|Error: Child (14386) died signal=6
*** v1 1.2 debug|Error: Child (14386) Panic at: Mon, 18 Sep 2017 11:24:07 GMT
*** v1 1.2 debug|Wrong turn at mgt/mgt_child.c:287:
*** v1 1.2 debug|Signal 6 (Abort trap: 6) received at 0x7fff9d9abd42 si_code 0
*** v1 1.2 debug|version = varnish-trunk revision 8e0b7b204, vrt api = 6.1
*** v1 1.2 debug|ident = Darwin,16.7.0,x86_64,-jnone,-sfile,-smalloc,-hcritbit,kqueue
*** v1 1.2 debug|now = 426422.783616 (mono), 1505733847.909924 (real)
*** v1 1.2 debug|Backtrace:
*** v1 1.2 debug| 0x1082f5c59: 0 varnishd 0x00000001082f5c59 pan_backtrace + 361
*** v1 1.2 debug| 0x1082f5875: 0 varnishd 0x00000001082f5875 pan_ic + 1525
*** v1 1.2 debug| 0x10861189b: 0 varnishd 0x000000010861189b VAS_Fail + 379
*** v1 1.2 debug| 0x1084e3928: 0 varnishd 0x00000001084e3928 child_signal_handler + 1272
*** v1 1.2 debug| 0x7fff9da8cb3a: 0 libsystem_platform.dylib 0x00007fff9da8cb3a _sigtramp + 26
*** v1 1.2 debug| 0x7000026323e0: 0 ??? 0x00007000026323e0 0x0 + 123145342362592
*** v1 1.2 debug| 0x7fff9d911420: 0 libsystem_c.dylib 0x00007fff9d911420 abort + 129
*** v1 1.2 debug| 0x108f68996: 0 libclang_rt.asan_osx_dynamic.dylib 0x0000000108f68996 _ZN11__sanitizer5AbortEv + 70
*** v1 1.2 debug| 0x108f64268: 0 libclang_rt.asan_osx_dynamic.dylib 0x0000000108f64268 _ZN11__sanitizer3DieEv + 120
*** v1 1.2 debug| 0x108f4b207: 0 libclang_rt.asan_osx_dynamic.dylib 0x0000000108f4b207 _ZN6__asan19ScopedInErrorReportD2Ev + 311
*** v1 1.2 debug|errno = 25 (Inappropriate ioctl for device)
*** v1 1.2 debug|thread = (cache-worker)
*** v1 1.2 debug|thr.req = 0x0 {
*** v1 1.2 debug|},
*** v1 1.2 debug|thr.busyobj = 0x631000050820 {
*** v1 1.2 debug| ws = 0x6310000508a0 {
*** v1 1.2 debug| id = "bo",
*** v1 1.2 debug| {s, f, r, e} = {0x631000052760, +264, 0x0, +57496},
*** v1 1.2 debug| },
*** v1 1.2 debug| retries = 0, failed = 0, flags = {do_stream},
*** v1 1.2 debug| director_req = 0x61200000b378 {
*** v1 1.2 debug| vcl_name = default,
*** v1 1.2 debug| type = backend {
*** v1 1.2 debug| display_name = vcl1.default,
*** v1 1.2 debug| ipv4 = 192.0.2.255,
*** v1 1.2 debug| port = 80,
*** v1 1.2 debug| hosthdr = 192.0.2.255,
*** v1 1.2 debug| health = healthy,
*** v1 1.2 debug| admin_health = probe, changed = 1505733847.432227,
*** v1 1.2 debug| n_conn = 0,
*** v1 1.2 debug| },
*** v1 1.2 debug| },
*** v1 1.2 debug| director_resp = director_req,
*** v1 1.2 debug| http[bereq] = 0x631000050e70 {
*** v1 1.2 debug| ws = 0x6310000508a0 {
*** v1 1.2 debug| [Already dumped, see above]
*** v1 1.2 debug| },
*** v1 1.2 debug| hdrs {
*** v1 1.2 debug| "GET",
*** v1 1.2 debug| "/",
*** v1 1.2 debug| "HTTP/1.1",
*** v1 1.2 debug| "X-Forwarded-For: 127.0.0.1",
*** v1 1.2 debug| "Accept-Encoding: gzip",
*** v1 1.2 debug| "X-Varnish: 1002",
*** v1 1.2 debug| "Host: 192.0.2.255",
*** v1 1.2 debug| },
*** v1 1.2 debug| },
*** v1 1.2 debug| http[beresp] = 0x6310000512e8 {
*** v1 1.2 debug| ws = 0x6310000508a0 {
*** v1 1.2 debug| [Already dumped, see above]
*** v1 1.2 debug| },
*** v1 1.2 debug| hdrs {
*** v1 1.2 debug| "HTTP/1.1",
*** v1 1.2 debug| "503",
*** v1 1.2 debug| "Backend fetch failed",
*** v1 1.2 debug| "Date: Mon, 18 Sep 2017 11:24:07 GMT",
*** v1 1.2 debug| "Server: Varnish",
*** v1 1.2 debug| },
*** v1 1.2 debug| },
*** v1 1.2 debug| objcore[fetch] = 0x60e000006be0 {
*** v1 1.2 debug| refcnt = 2,
*** v1 1.2 debug| flags = {busy},
*** v1 1.2 debug| exp_flags = {},
*** v1 1.2 debug| boc = 0x608000007b20 {
*** v1 1.2 debug| refcnt = 2,
*** v1 1.2 debug| state = req_done,
*** v1 1.2 debug| vary = 0x0,
*** v1 1.2 debug| stevedore_priv = 0x0,
*** v1 1.2 debug| },
*** v1 1.2 debug| exp = {1505733847.643175, 120.000000, 0.000000, 0.000000},
*** v1 1.2 debug| objhead = 0x60b0000054d0,
*** v1 1.2 debug| stevedore = 0x60f00000e230 (file foo) {
*** v1 1.2 debug| Simple = 0x10dad6000,
*** v1 1.2 debug| Obj = 0x60d000006438 {priv=0x60d000006430, ptr=0x10dad6000, len=216, space=4096},
*** v1 1.2 debug| LEN = 0x0...0,
*** v1 1.2 debug| VXID = 0x000003ea,
*** v1 1.2 debug| FLAGS = 0x00,
*** v1 1.2 debug| GZIPBITS = 0x0...0,
*** v1 1.2 debug| LASTMODIFIED = 0x41d66feb35c00000,
*** v1 1.2 debug| VARY = {len=0, ptr=0x0},
*** v1 1.2 debug| HEADERS = {len=96, ptr=0x10dad6078},
*** v1 1.2 debug| Body = 0x60d000006368 {priv=0x60d000006360, ptr=0x10dad7000, len=0, space=4096},
*** v1 1.2 debug| },
*** v1 1.2 debug| },
*** v1 1.2 debug| vcl = {
*** v1 1.2 debug| name = "vcl1",
*** v1 1.2 debug| busy = 2,
*** v1 1.2 debug| discard = 0,
*** v1 1.2 debug| state = auto,
*** v1 1.2 debug| temp = warm,
*** v1 1.2 debug| conf = {
*** v1 1.2 debug| srcname = {
*** v1 1.2 debug| "<vcl.inline>",
*** v1 1.2 debug| "Builtin",
*** v1 1.2 debug| },
*** v1 1.2 debug| },
*** v1 1.2 debug| },
*** v1 1.2 debug| vmods = {
*** v1 1.2 debug| },
*** v1 1.2 debug|},