Segfault with insufficient workspace (buffer overflow)

Question

Segfault with insufficient workspace (buffer overflow)

shiver opened this issue 9 years ago · 3 comments

Setup:

Varnish-4.1.0 revision 3041728
VSF (master ea07f16)
Ubuntu 14.04

I seem to have encountered a buffer overflow in vmod_normalize() relating to utf8proc_decompose().

Assert error in child_sigsegv_handler(), mgt/mgt_child.c line 297:
  Condition(Segmentation fault by instruction at 0x7fd277225738) not true.

Not being an expert in either VSF, utf8proc or even C, my assumptions may be incorrect. At minimum I do receive an panic which crashes the varnish child when it is encountered.

To reproduce:

Have a running web server.

echo -e "HTTP/1.1 200 OK\n\n" | nc -l localhost 8080

Start varnish and a child in the foreground for debugging purposes.

$ sudo varnishd -d -f /etc/varnish/default.vcl -T localhost:6092
Platform: Linux,3.13.0-66-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit
200 283
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,3.13.0-66-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit
varnish-4.1.0 revision 3041728

Type 'help' for command list.
Type 'quit' to close CLI session.
Type 'start' to launch worker process.

start
child (26635) Started
200 0

Child (26635) said Child starts

Have some data which exceeds the available workspace_client limit. The default being 64K. The following will produce a random file of 70K.

dd if=/dev/urandom of=file.txt bs=1024 count=70

POST to varnish

curl --data-urlencode @file.txt http://localhost

The varnish child then crashes and produces the error mentioned above.

I think I have narrowed down the cause to the following line in vmod_normalize():

    len = utf8proc_decompose((utf8proc_uint8_t *)s, 0 /* IGNORED */,
        (utf8proc_int32_t *)p, u, options);

I think the problem is that WS_Reserve() returns the available buffer space in bytes, which is then stored in u. However, utf8proc_decompose() is looking for a buffer with a length specified in utf8proc_int32_t, not in bytes. This call will also clobber the magic number stored in ctx->ws->e, which I think marks the end of the available workspace.

I will issue a pull request shortly for my proposed fix, as there is more that needs to change since correcting the buffer size issue does not completely fix it.

Thanks

Answer 1 · 2015-11-12T11:16:18.000Z

Thanks for the report.

You might be into something here. I will take a look.

Answer 2 · 2015-12-03T01:10:09.000Z

Hi. Just to let you know I haven't forgotten about this. I will commit a different fix in the following days.
Thanks.

Answer 3 · 2016-01-25T09:47:22.000Z

Thanks for bringing this to my attention and sorry it took so long.

I've spent some time pondering about this and normalization in general. The current approach has a few drawbacks (e.g. workspace exhaustion, non-ASCII characters handling) and I wanted to address them all but rather than waiting for the perfect fix let's get this out of the way and sort the others separately.