Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ACE has a out-of-bounds array vulnerability, causing core dump. #1840

Open
liuxiaolongNew opened this issue May 20, 2022 · 4 comments
Open

ACE has a out-of-bounds array vulnerability, causing core dump. #1840

liuxiaolongNew opened this issue May 20, 2022 · 4 comments
Assignees
@liuxiaolongNew

Comments

@liuxiaolongNew
Copy link

liuxiaolongNew commented May 20, 2022
edited by jwillemsen

Version

ACE+TAO 6.5.14

Host machine and operating system

Linux 4.4.0-131-generic x86_64

Compiler name and version (including patch level)

gcc version 5.4.0 20160609

The problem effects:

Program coredump

Description

Coredump occurs occasionally in the CORBA service. There are two stacks.
the first one:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  ACE_Active_Map_Manager<std::pair<CORBA::OctetSeq, TAO_Active_Object_Map_Entry*> >::find (this=0xaaaacaff0f10, this=0xaaaacaff0f10, internal_value=@0xffff4e77b0f0: 0x0, key=...) at /acetao/src/acetao_modify/ace/Active_Map_Manager_T.inl:64

the second one:

#0  TAO::unbounded_value_sequence<unsigned char>::operator== (rhs=..., this=0x7f93dedb7898) at ../../tao/Unbounded_Octet_Sequence_T.h:216
#1  TAO_Persistent_Strategy::find_servant_using_system_id_and_user_id (this=0x55ea0557f0b0, system_id=..., user_id=..., servant=@0x7f93dedb7880: 0x0, entry=@0x7f93dedb7888: 0x1000003f7)
    at /acetao/src/acetao_modify/TAO/tao/PortableServer/Active_Object_Map.cpp:906
#2  0x00007f94540c3ec7 in TAO_Active_Object_Map::find_servant_using_system_id_and_user_id (entry=@0x7f93dedb7888: 0x1000003f7, servant=@0x7f93dedb7880: 0x0, user_id=..., system_id=..., this=<optimized out>) at ../../tao/PortableServer/Active_Object_Map.inl:195
#3  TAO::Portable_Server::ServantRetentionStrategyRetain::find_servant (this=0x55ea056c5140, system_id=..., servant_upcall=..., poa_current_impl=...) at /acetao/src/acetao_modify/TAO/tao/PortableServer/ServantRetentionStrategyRetain.cpp:296
#4  0x00007f94540b446f in TAO::Portable_Server::RequestProcessingStrategyServantActivator::locate_servant (this=0x55ea056c50e0, system_id=..., servant_upcall=..., poa_current_impl=..., wait_occurred_restart_call=@0x7f93dedb79cf: false)
    at /acetao/src/acetao_modify/TAO/tao/PortableServer/RequestProcessingStrategyServantActivator.cpp:94
#5  0x00007f94540c73fb in TAO::Portable_Server::Servant_Upcall::prepare_for_upcall_i (this=this@entry=0x7f93dedb7a30, key=..., operation=operation@entry=0x55ea21af3470 "report", forward_to=..., wait_occurred_restart_call=@0x7f93dedb79cf: false)
    at /acetao/src/acetao_modify/TAO/tao/PortableServer/Servant_Upcall.cpp:123

Sample fix/ workaround

Vulnerable Function:

template <class T> ACE_INLINE int
ACE_Active_Map_Manager<T>::find (const ACE_Active_Map_Manager_Key &key,
                                 T *&internal_value) const
{
  ACE_UINT32 slot_index = key.slot_index ();
  ACE_UINT32 slot_generation = key.slot_generation ();

  if (slot_index > this->total_size_ ||
#if defined (ACE_HAS_LAZY_MAP_MANAGER)
      this->search_structure_[slot_index].free_ ||
#endif /* ACE_HAS_LAZY_MAP_MANAGER */
      this->search_structure_[slot_index].ext_id_.slot_generation () != slot_generation ||
      this->search_structure_[slot_index].ext_id_.slot_index () ==
                 (ACE_UINT32)this->free_list_id ())
    {
      return -1;
    }
  else
    {
      // This is where the user value is.
      internal_value = &this->search_structure_[slot_index].int_id_;
    }

  return 0;
}

Modifying the Index Judgment Condition Statement like these

-bash-4.2# diff old/ACE/ace/Active_Map_Manager_T.inl new/ACE/ace/Active_Map_Manager_T.inl
64c64
<   if (slot_index > this->total_size_ ||
\---
>   if (slot_index >= this->total_size_ ||
@jwillemsen
Copy link
Member

Please extend one of the unit tests in the ACE/tests directory as reproducer, when you have that, please open a pull request with the test extension and another one for the proposed fix

@liuxiaolongNew
Copy link
Author

liuxiaolongNew commented May 20, 2022
edited

Please extend one of the unit tests in the ACE/tests directory as reproducer, when you have that, please open a pull request with the test extension and another one for the proposed fix

I cannot reproduce this bug stably. It only occurs when fuzzing is used. I think it's an obvious out-of-bounds array

@jwillemsen jwillemsen changed the title The TAO has a out-of-bounds array vulnerability, causing core dump. ACE has a out-of-bounds array vulnerability, causing core dump. May 20, 2022
@mitza-oci
Copy link
Member

It seems like this could be tested without fuzzing. The ACE_Active_Map_Manager_Key input parameter can have any value for slot_index, including an invalid one. Using a tool like Address Sanitizer would show invalid memory access.

@liuxiaolongNew
Copy link
Author

It seems like this could be tested without fuzzing. The ACE_Active_Map_Manager_Key input parameter can have any value for slot_index, including an invalid one. Using a tool like Address Sanitizer would show invalid memory access.

OK,I'll try to write a UT test the ACE_Active_Map_Manager_Key

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@liuxiaolongNew liuxiaolongNew

Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jwillemsen @mitza-oci @liuxiaolongNew