dhcpcd-discuss

Re: use after free

Roy Marples

Tue Mar 27 23:31:37 2018



On 27/03/2018 20:57, Klemens Nanni wrote:
Running dhcpcd on OpenBSD -CURRENT for IA_PD behind a commodity router with
dynamic IPv6 and daily reconnect, 7.0.1 dumps core on use after free.
Detected with https://man.openbsd.org/malloc.conf:

	# readlink /etc/malloc.conf
	CFGSU

Versions and configuration:

	# sysctl kern.version
	kern.version=OpenBSD 6.3-beta (GENERIC.MP) #35: Tue Mar  6 10:19:27 MST 2018
	    deraadt@xxxxxxxxxxxxxxxxx:/usr/src/sys/arch/amd64/compile/GENERIC.MP
	
	# dhcpcd --version
	dhcpcd 7.0.1
	Copyright (c) 2006-2018 Roy Marples
	Compiled in features: INET ARP ARPing IPv4LL INET6 DHCPv6 AUTH
	# cat /etc/dhcpcd.conf
	ipv6only
	noipv6rs
	duid
	script /usr/bin/true
	allowinterfaces em0 vether0
	interface em0
	ia_pd 2 vether0/1
	# rcctl get dhcpcd flags
	-Mq

I have yet to crash it reproducibly.

Analysis (compiled with `-g3 -ggdb'):

	# egdb -se $(which dhcpcd) -c /dhcpcd.core -batch -ex bt
	[New process 482776]
	Core was generated by `dhcpcd'.
	Program terminated with signal SIGABRT, Aborted.
	#0  thrkill () at -:3
	3       -: No such file or directory.
	#0  thrkill () at -:3
	#1  0x000010855947a0be in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
	#2  0x000010855949d779 in wrterror (d=0x1084e07e85c0, msg=0x1085595fe630 "use after free %p") at /usr/src/lib/libc/stdlib/malloc.c:288
	#3  0x000010855949e3af in ofree (argpool=<optimized out>, p=<optimized out>, clear=0, check=0, argsz=0) at /usr/src/lib/libc/stdlib/malloc.c:1258
	#4  0x000010855949d859 in free (ptr=0x1085b264f420) at /usr/src/lib/libc/stdlib/malloc.c:1416
	#5  0x00001082d0c4737a in dhcp6_checkstatusok (ifp=0x10858244f300, m=0x108565b77000, p=0x0, len=73) at dhcp6.c:1874
	#6  0x00001082d0c4743b in dhcp6_validatelease (ifp=0x10858244f300, m=0x108565b77000, len=73, sfrom=0x7f7ffffdfa80 "fe80::<redacted>", acquired=0x0) at dhcp6.c:2328
	#7  0x00001082d0c46a87 in dhcp6_recvif (ifp=0x10858244f300, r=0x108565b77000, len=73) at dhcp6.c:3213
	#8  0x00001082d0c46496 in dhcp6_recv (ctx=0x7f7ffffdf7c8, ia=0x0) at dhcp6.c:3509
	#9  0x00001082d0c45d81 in dhcp6_recvctx (arg=0x7f7ffffdf7c8) at dhcp6.c:3525
	#10 0x00001082d0c0a22b in eloop_start (eloop=0x108544830a00, signals=0x7f7ffffdf8d8) at eloop.c:963
	#11 0x00001082d0c07511 in main (argc=2, argv=0x7f7ffffdfb48) at dhcpcd.c:1924


I think this is fixed here:
https://roy.marples.name/git/dhcpcd.git/commit/src/dhcp6.c?id=d1088cb4a4037726b58d66188ecc45136e418215

It should be reproducible by triggering the DHCPv6 server to send back a non-OK status code with a message. I don't have the time to set up a test case to prove this, nor am I sure about any security issue other than a DoS.

Roy
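As an added example (not dhcpcd's code) of the data that reaches the code path discussed above: a bounds-checked decoder for the DHCPv6 Status Code option (RFC 3315 option 13, a 2-byte status code followed by a message) that copies the message into caller-owned storage instead of handing out heap pointers whose lifetime the caller must track. The `d6_*` names, the struct, and the sample bytes are constructed for this example.

```c
/* Added example (not dhcpcd code): decode a DHCPv6 Status Code option into a
 * caller-owned struct. Names and sample bytes below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define D6_OPTION_STATUS_CODE   13  /* RFC 3315 */
#define D6_STATUS_SUCCESS        0
#define D6_STATUS_NOPREFIXAVAIL  6  /* RFC 3633 */

struct d6_status {
    uint16_t code;
    char msg[64];   /* NUL-terminated copy; nothing to free later */
};

/* Scan a buffer of options (16-bit code, 16-bit length, payload).
 * Returns 1 if a Status Code option was decoded into *out, 0 if none
 * was present, -1 if an option is malformed or runs past the buffer. */
int d6_find_status(const uint8_t *opts, size_t len, struct d6_status *out)
{
    size_t off = 0;
    while (len - off >= 4) {
        uint16_t code = (uint16_t)(opts[off] << 8 | opts[off + 1]);
        uint16_t olen = (uint16_t)(opts[off + 2] << 8 | opts[off + 3]);
        off += 4;
        if (olen > len - off)
            return -1;                       /* option length lies */
        if (code == D6_OPTION_STATUS_CODE) {
            if (olen < 2)
                return -1;                   /* no room for the status code */
            size_t mlen = olen - 2;
            if (mlen >= sizeof(out->msg))
                mlen = sizeof(out->msg) - 1; /* truncate, never overflow */
            out->code = (uint16_t)(opts[off] << 8 | opts[off + 1]);
            memcpy(out->msg, opts + off + 2, mlen);
            out->msg[mlen] = '\0';
            return 1;
        }
        off += olen;                         /* skip unrelated option */
    }
    return off == len ? 0 : -1;              /* trailing garbage is an error */
}

/* Constructed sample: Status Code option carrying NoPrefixAvail plus a message,
 * i.e. the "non-OK status code with a message" case from the thread. */
static const uint8_t sample_opts[] = {
    0x00, 0x0d, 0x00, 0x15,                  /* option 13, length 21 */
    0x00, 0x06,                              /* NoPrefixAvail */
    'n','o',' ','p','r','e','f','i','x',' ','a','v','a','i','l','a','b','l','e'
};
```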
