Headline
CVE-2021-45773: NULL Pointer Dereference in CS104_IPAddress_setFromString · Issue #100 · mz-automation/lib60870
A NULL pointer dereference in CS104_IPAddress_setFromString at src/iec60870/cs104/cs104_slave.c of lib60870 commit 0d5e76e can lead to a segmentation fault or application crash.
NULL Pointer Dereference in CS104_IPAddress_setFromString****Description
A NULL Pointer Dereference was discovered in CS104_IPAddress_setFromString at src/iec60870/cs104/cs104_slave.c:785. The vulnerability causes a segmentation fault and application crash.
If the ipAddrStr is NULL, strchr() will crash. Should there be a check?
version
0d5e76e
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
gdb
LD_PRELOAD="/root/tools/preeny-master/build/lib/libdesock.so" ./cs104_redundancy_server
New connection request from (null)
[1] 128322 segmentation fault LD_PRELOAD="/root/tools/preeny-master/build/lib/libdesock.so"
pwndbg>
0x0000555555568557 785 if (strchr(ipAddrStr, '.') != NULL) {
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x7ffff7e9739b (getpeername+11) ◂— cmp rax, -0xfff
RDX 0x0
*RDI 0x0
RSI 0x2e
R8 0x0
R9 0x23
R10 0x55555557110e ◂— 0x63656e6e6f43000a /* '\n' */
R11 0x246
R12 0x7fffffffde9e ◂— 0x5555555a60600000
R13 0x7fffffffde9f ◂— 0x5555555a606000
R14 0x7fffffffdea0 —▸ 0x5555555a6060 ◂— 0x0
R15 0x7ffff7d6afc0 ◂— 0x0
RBP 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
RSP 0x7ffff7d6adc0 ◂— 0x0
*RIP 0x555555568557 (CS104_IPAddress_setFromString+32) ◂— call 0x5555555574e0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
0x555555568543 <CS104_IPAddress_setFromString+12> mov qword ptr [rbp - 0x18], rdi
0x555555568547 <CS104_IPAddress_setFromString+16> mov qword ptr [rbp - 0x20], rsi
0x55555556854b <CS104_IPAddress_setFromString+20> mov rax, qword ptr [rbp - 0x20]
0x55555556854f <CS104_IPAddress_setFromString+24> mov esi, 0x2e
0x555555568554 <CS104_IPAddress_setFromString+29> mov rdi, rax
► 0x555555568557 <CS104_IPAddress_setFromString+32> call strchr@plt <strchr@plt>
s: 0x0
c: 0x2e
0x55555556855c <CS104_IPAddress_setFromString+37> test rax, rax
0x55555556855f <CS104_IPAddress_setFromString+40> je CS104_IPAddress_setFromString+165 <CS104_IPAddress_setFromString+165>
0x555555568561 <CS104_IPAddress_setFromString+42> mov rax, qword ptr [rbp - 0x18]
0x555555568565 <CS104_IPAddress_setFromString+46> mov dword ptr [rax + 0x10], 0
0x55555556856c <CS104_IPAddress_setFromString+53> mov dword ptr [rbp - 0xc], 0
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/lib60870/test/lib60870/lib60870-C/src/iec60870/cs104/cs104_slave.c
780 };
781
782 static void
783 CS104_IPAddress_setFromString(CS104_IPAddress self, const char* ipAddrStr)
784 {
► 785 if (strchr(ipAddrStr, '.') != NULL) {
786 /* parse IPv4 string */
787 self->type = IP_ADDRESS_TYPE_IPV4;
788
789 int i;
790
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7ffff7d6adc0 ◂— 0x0
01:0008│ 0x7ffff7d6adc8 —▸ 0x7ffff7d6ae20 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
02:0010│ 0x7ffff7d6add0 —▸ 0x7ffff0000ef0 ◂— 0x4
03:0018│ 0x7ffff7d6add8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
04:0020│ rbp 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
05:0028│ 0x7ffff7d6ade8 —▸ 0x55555556c0c1 (getMatchingRedundancyGroup+54) ◂— mov qword ptr [rbp - 0x40], 0
06:0030│ 0x7ffff7d6adf0 ◂— 0x0
07:0038│ 0x7ffff7d6adf8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x555555568557 CS104_IPAddress_setFromString+32
f 1 0x55555556c0c1 getMatchingRedundancyGroup+54
f 2 0x55555556c64f serverThread+523
f 3 0x7ffff7f6f609 start_thread+217
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.
Thread 2 "cs104_redundanc" received signal SIGSEGV, Segmentation fault.
__strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57
57 ../sysdeps/x86_64/multiarch/strchr-avx2.S: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x0
*RCX 0x0
RDX 0x0
RDI 0x0
RSI 0x2e
R8 0x0
R9 0x23
R10 0x55555557110e ◂— 0x63656e6e6f43000a /* '\n' */
R11 0x246
R12 0x7fffffffde9e ◂— 0x5555555a60600000
R13 0x7fffffffde9f ◂— 0x5555555a606000
R14 0x7fffffffdea0 —▸ 0x5555555a6060 ◂— 0x0
R15 0x7ffff7d6afc0 ◂— 0x0
RBP 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
*RSP 0x7ffff7d6adb8 —▸ 0x55555556855c (CS104_IPAddress_setFromString+37) ◂— test rax, rax
*RIP 0x7ffff7eff08c (__strchr_avx2+28) ◂— vmovdqu ymm8, ymmword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff7eff08c <__strchr_avx2+28> vmovdqu ymm8, ymmword ptr [rdi]
0x7ffff7eff090 <__strchr_avx2+32> vpcmpeqb ymm1, ymm0, ymm8
0x7ffff7eff095 <__strchr_avx2+37> vpcmpeqb ymm2, ymm9, ymm8
0x7ffff7eff09a <__strchr_avx2+42> vpor ymm1, ymm2, ymm1
0x7ffff7eff09e <__strchr_avx2+46> vpmovmskb eax, ymm1
0x7ffff7eff0a2 <__strchr_avx2+50> test eax, eax
0x7ffff7eff0a4 <__strchr_avx2+52> jne __strchr_avx2+400 <__strchr_avx2+400>
↓
0x7ffff7eff200 <__strchr_avx2+400> tzcnt eax, eax
0x7ffff7eff204 <__strchr_avx2+404> xor edx, edx
0x7ffff7eff206 <__strchr_avx2+406> lea rax, [rdi + rax]
0x7ffff7eff20a <__strchr_avx2+410> cmp sil, byte ptr [rax]
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7ffff7d6adb8 —▸ 0x55555556855c (CS104_IPAddress_setFromString+37) ◂— test rax, rax
01:0008│ 0x7ffff7d6adc0 ◂— 0x0
02:0010│ 0x7ffff7d6adc8 —▸ 0x7ffff7d6ae20 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
03:0018│ 0x7ffff7d6add0 —▸ 0x7ffff0000ef0 ◂— 0x4
04:0020│ 0x7ffff7d6add8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
05:0028│ rbp 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
06:0030│ 0x7ffff7d6ade8 —▸ 0x55555556c0c1 (getMatchingRedundancyGroup+54) ◂— mov qword ptr [rbp - 0x40], 0
07:0038│ 0x7ffff7d6adf0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff7eff08c __strchr_avx2+28
f 1 0x55555556855c CS104_IPAddress_setFromString+37
f 2 0x55555556c0c1 getMatchingRedundancyGroup+54
f 3 0x55555556c64f serverThread+523
f 4 0x7ffff7f6f609 start_thread+217
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>