Possible illegal read access on zero page in APIv1 in StatusCode.cpp #3609

0xricksanchez opened this issue Jan 28, 2020 · 2 comments

@0xricksanchez

Check my reasoning in #3603

Sending malformed JSON entities to the context.Orion_LD (compiled with an Address Sanitizer) V1 API can ultimately result in an illegal READ access on a zero page in /opt/fiware-orion/src/lib/ngsi/StatusCode.cpp:

From the marked line over here

/opt/fiware-orion/src/lib/serviceRoutines/postUpdateContext.cpp:447
/* ****************************************************************************
*
* foundAndNotFoundAttributeSeparation -
*
* Examine the response from mongo to find out what has really happened ...
*
*/
static void foundAndNotFoundAttributeSeparation(UpdateContextResponse* upcrsP, UpdateContextRequest* upcrP, ConnectionInfo* ciP)
{
  ContextElementResponseVector  notFoundV;
[...]
  //
  // If nothing at all in response vector, mark as not found (but not if DELETE request)
  //
  if (ciP->method != "DELETE")
  {
    if (upcrsP->contextElementResponseVector.size() == 0)
    {
      if (upcrsP->errorCode.code == SccOk)
      {
        upcrsP->errorCode.fill(SccContextElementNotFound, upcrP->entityVector[0]->id);  <-----------------
      }
    }
  }

The crash finally occurs here:

/opt/fiware-orion/src/lib/ngsi/StatusCode.cpp:149
/* ****************************************************************************
*
* StatusCode::fill -
*/
void StatusCode::fill(HttpStatusCode _code, const std::string& _details)
{
  code          = _code;
  reasonPhrase  = httpStatusCodeString(code);
  details       = _details;     <----------------
}

Crash

ASAN:DEADLYSIGNAL
=================================================================
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fed74efcb4e bp 0x0ffdacd65d60 sp 0x7fed66b2ea40 T1207)
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
    #0 0x7fed74efcb4d in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x124b4d)
    #1 0x564f2d482955 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/7/bits/basic_string.h:1356
    #2 0x564f2d482955 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/7/bits/basic_string.h:685
    #3 0x564f2d482955 in StatusCode::fill(HttpStatusCode, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /opt/fiware-orion/src/lib/ngsi/StatusCode.cpp:149
    #4 0x564f2cff38e5 in foundAndNotFoundAttributeSeparation /opt/fiware-orion/src/lib/serviceRoutines/postUpdateContext.cpp:447
    #5 0x564f2cff38e5 in postUpdateContext(ConnectionInfo*, int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, ParseData*, Ngsiv2Flavour) /opt/fiware-orion/src/lib/serviceRoutines/postUpdateContext.cpp:577
    #6 0x564f2d1e2a14 in restService /opt/fiware-orion/src/lib/rest/RestService.cpp:708
    #7 0x564f2d1e7a9f in orion::requestServe[abi:cxx11](ConnectionInfo*) /opt/fiware-orion/src/lib/rest/RestService.cpp:787
    #8 0x564f2d1c6d88 in connectionTreat /opt/fiware-orion/src/lib/rest/rest.cpp:1580
    #9 0x564f2d8043e7 in call_connection_handler /opt/libmicrohttpd-0.9.48/src/microhttpd/connection.c:1585
    #10 0x564f2d805929 in MHD_connection_handle_idle /opt/libmicrohttpd-0.9.48/src/microhttpd/connection.c:2624
    #11 0x564f2d8082bd in MHD_handle_connection /opt/libmicrohttpd-0.9.48/src/microhttpd/daemon.c:998
    #12 0x7fed75f506da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #13 0x7fed7455288e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x124b4d) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
Thread T1207 created by T14 here:
    #0 0x7fed76eb3d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x564f2d80887f in create_thread /opt/libmicrohttpd-0.9.48/src/microhttpd/daemon.c:1230
Thread T14 created by T0 here:
    #0 0x7fed76eb3d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x564f2d80887f in create_thread /opt/libmicrohttpd-0.9.48/src/microhttpd/daemon.c:1230
==1==ABORTING

Recorded responsible test case

{"contextElements": [{󠁩"type": "Room", "isPattern": "false",�"id": "Room1", "attributes": [{"name": "temperature", "type": "float", "value": "26.5", metadata󠁉"s": [{"name": "accuracy", "type": "float", "value": "0".8}]}]}], "updateAction": ": APPEND"}
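The failure mode described in the report, as an added C++ example that is not Orion's code: foundAndNotFoundAttributeSeparation() reads upcrP->entityVector[0]->id without first checking that the parsed request carried any entity at all. The stand-in EntityVector below assumes, as an illustrative model rather than a fact about Orion's EntityVector, that indexing past the end returns a null pointer instead of throwing; with the id string as the first member of EntityId, dereferencing that null pointer makes the std::string copy read the source string's length field at offset 8, which is consistent with the 0x000000000008 address in the sanitizer log. The names EntityId, EntityVector, StatusCode, markNotFoundUnchecked, markNotFoundChecked and notFoundDetailsFor are the example's own, and the fallback text "no entity in request" is a constructed placeholder.

```cpp
// Added example, not Orion's code: models the crashing access pattern in
// postUpdateContext.cpp and a bounds-checked alternative.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

enum HttpStatusCode { SccOk = 200, SccContextElementNotFound = 404 };

struct EntityId {
  std::string id;    // first member: through a null EntityId*, ->id sits at address 0 and
  std::string type;  // the string's length field 8 bytes further in (the 0x8 in the ASAN log)
};

// Assumption for this example: out-of-range indexing yields nullptr rather than
// throwing, so bounds checking is the caller's job.
class EntityVector {
 public:
  ~EntityVector() { for (EntityId* e : vec_) delete e; }
  void push_back(EntityId* e) { vec_.push_back(e); }
  std::size_t size() const { return vec_.size(); }
  EntityId* operator[](std::size_t ix) const { return ix < vec_.size() ? vec_[ix] : nullptr; }
 private:
  std::vector<EntityId*> vec_;
};

struct StatusCode {
  HttpStatusCode code = SccOk;
  std::string details;
  // The copy into 'details' is where a reference derived from a null pointer is finally read.
  void fill(HttpStatusCode c, const std::string& d) { code = c; details = d; }
};

// Vulnerable pattern from the report: indexes [0] without checking that the request
// carried an entity. With an empty vector this hands fill() a reference formed from a
// null pointer, and the string copy reads from the zero page. Never called below.
void markNotFoundUnchecked(StatusCode& sc, const EntityVector& entities) {
  sc.fill(SccContextElementNotFound, entities[0]->id);
}

// Hardened form: only derive the details string from an entity that actually exists.
void markNotFoundChecked(StatusCode& sc, const EntityVector& entities) {
  const EntityId* first = entities.size() > 0 ? entities[0] : nullptr;
  sc.fill(SccContextElementNotFound,
          first != nullptr ? first->id : std::string("no entity in request"));
}

// Builds a request with the given entity ids (constructed sample input) and returns the
// details string the checked path produces for it.
std::string notFoundDetailsFor(const std::vector<std::string>& ids) {
  EntityVector ev;
  for (const std::string& id : ids) ev.push_back(new EntityId{id, "Room"});
  StatusCode sc;
  markNotFoundChecked(sc, ev);
  return sc.details;
}

int main() {
  std::cout << notFoundDetailsFor({"Room1"}) << "\n";  // Room1
  std::cout << notFoundDetailsFor({}) << "\n";          // no entity in request
  return 0;
}
```

The malformed body in the recorded test case matters here because the v1 parser can leave the request's entity vector empty while the update still reaches the response-separation step; the guard is on the request side (size() before [0]), not in StatusCode::fill, which cannot tell a valid reference from one formed through a null pointer.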
@fgalan (Member)

fgalan commented Jan 29, 2020

Thanks for the feedback!

Looking to the "Recorded responsible test case" I'm not sure in which sense this JSON is malformed... Could you elaborate so I can try to reproduce, please?

@fgalan (Member)

fgalan commented Mar 17, 2020

Looking to the "Recorded responsible test case" I'm not sure in which sense this JSON is malformed... Could you elaborate so I can try to reproduce, please?

In other words, how I can generate the request (e.g. with a curl command) that is causing the crash.

@0xricksanchez what do you think?
