jhelovuo / RustDDS

Rust implementation of Data Distribution Service



Malformed `readerSNState` in ACKNACK submessage triggers panic (add overflow)

squizz617 opened this issue · comments

Hi, reporting another fuzzer-found vulnerability.

The root cause is pretty obvious. The `num_bits` field of `SequenceNumberSet` is read directly from the received message, so it can be arbitrarily large, e.g., UINT32_MAX.
As a result, at sequence_number.rs:433 the expression `num_bits + 31` overflows `u32` and panics with "attempt to add with overflow". Since the panic happens on the participant's event-loop thread (see the backtrace below), a single malformed ACKNACK from any peer takes the whole participant down. (In a build without overflow checks the addition would wrap silently instead — for UINT32_MAX it yields a `word_count` of 0 — so the value needs an explicit bound check rather than relying on the panic.)

let num_bits: u32 = reader.read_value()?; // <- from an ACKNACK message an attacker sends
let word_count = (num_bits + 31) / 32; // <- OVERFLOW
  • Hexdump of the captured packet. The bytes before offset 0x2c appear to be the loopback link-layer, IPv4 and UDP headers; the RTPS message starts at the `RTPS` magic (offset 0x2c) and the ACKNACK submessage (id 0x06) at offset 0x40, with `numBits` set to `ff ff ff ff`:
0000   00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00
0010   45 00 01 8b 00 01 40 00 40 11 3b 5f 7f 00 00 01
0020   7f 00 00 01 05 39 2e 86 01 77 6a b2 52 54 50 53
0030   02 02 ff ff 01 0f 45 d2 b3 f5 58 b9 01 00 00 00
0040   06 05 00 00 ff ff ff ff ff ff ff ff ff ff ff ff
0050   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0060   ff ff ff ff ff ff ff e1 e1 e1 e1 e1 e1 e1 e1 e1
0070   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
0080   e1 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0090   ff ff ff ff ff e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
00a0   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
00b0   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
00c0   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
00d0   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 cf 13 ff ff ff
00e0   ff ff ff ff ff ff ff ff ff ff 00 00 00 e1 e1 e1
00f0   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
0100   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
0110   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
0120   cf 13 ff ff ff ff ff ff ff ff ff ff ff ff ff 00
0130   00 00 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
0140   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
0150   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
0160   e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1
0170   e1 e1 e1 e1 e1 ff ff ff ff ff ff ff ff ff f7 ff
0180   ff ff ff 00 00 00 1e ff ff ff ff ff ff ff ff ff
0190   ff ff ff ff ff ff ff ff ff ff ff
  • Full backtrace:
thread 'RustDDS Participant 0 event loop' panicked at 'attempt to add with overflow', src/structure/sequence_number.rs:433:22
stack backtrace:
   0:     0x55656d02a9da - std::backtrace_rs::backtrace::libunwind::trace::h9a6b80bbf328ba5d
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
   1:     0x55656d02a9da - std::backtrace_rs::backtrace::trace_unsynchronized::hd162ec543a11886b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x55656d02a9da - std::sys_common::backtrace::_print_fmt::h78a5099be12f51a6
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:65:5
   3:     0x55656d02a9da - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::ha1c5390454d74f71
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:44:22
   4:     0x55656d05052f - core::fmt::write::h9ffde816c577717b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/fmt/mod.rs:1254:17
   5:     0x55656d027a55 - std::io::Write::write_fmt::h88186074961638e4
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/io/mod.rs:1698:15
   6:     0x55656d02a7a5 - std::sys_common::backtrace::_print::h184198273ed08d59
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:47:5
   7:     0x55656d02a7a5 - std::sys_common::backtrace::print::h1b4d8e7add699453
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:34:9
   8:     0x55656d02be4e - std::panicking::default_hook::{{closure}}::h393bcea75423915a
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:269:22
   9:     0x55656d02bbf5 - std::panicking::default_hook::h48c64f31d8b3fd03
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:288:9
  10:     0x55656d02c3ae - std::panicking::rust_panic_with_hook::hafdc493a79370062
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:691:13
  11:     0x55656d02c262 - std::panicking::begin_panic_handler::{{closure}}::h0a64bc82e36bedc7
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:580:13
  12:     0x55656d02ae46 - std::sys_common::backtrace::__rust_end_short_backtrace::hc203444fb7416a16
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:150:18
  13:     0x55656d02c002 - rust_begin_unwind
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:578:5
  14:     0x55656c7e4193 - core::panicking::panic_fmt::h0f6ef0178afce4f2
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:67:14
  15:     0x55656c7e422d - core::panicking::panic::h0ead933cb8f56d66
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:117:5
  16:     0x55656cd20446 - <rustdds::structure::sequence_number::NumberSet<N> as speedy::readable::Readable<C>>::read_from::h2b237242a51b2df4
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/structure/sequence_number.rs:433:22
  17:     0x55656cd6dfca - speedy::reader::Reader::read_value::h87efb664ada2c4ef
                               at /home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/speedy-0.8.6/src/reader.rs:505:9
  18:     0x55656cd6dfca - <rustdds::messages::submessages::ack_nack::AckNack as speedy::readable::Readable<C_>>::read_from::h0b819daebfb3cc87
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/messages/submessages/ack_nack.rs:24:39
  19:     0x55656cd6dd80 - speedy::readable::Readable::read_with_length_from_buffer_with_ctx::h4bc91b82c7ce8164
                               at /home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/speedy-0.8.6/src/readable.rs:492:21
  20:     0x55656cd6dbfa - speedy::readable::Readable::read_from_buffer_with_ctx::h4836f717cf1e85e1
                               at /home/seulbae/.cargo/registry/src/index.crates.io-6f17d22bba15001f/speedy-0.8.6/src/readable.rs:480:9
  21:     0x55656cd99c77 - rustdds::rtps::message::Message::read_from_buffer::ha440e071e86c01c3
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/rtps/message.rs:165:13
  22:     0x55656cdc36bc - rustdds::rtps::message_receiver::MessageReceiver::handle_received_packet::hc7a36f69f3a2e87d
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/rtps/message_receiver.rs:173:30
  23:     0x55656cc65a2e - rustdds::rtps::dp_event_loop::DPEventLoop::event_loop::h05601bd6c3c2ae31
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/rtps/dp_event_loop.rs:250:19
  24:     0x55656c998aa3 - rustdds::dds::participant::DomainParticipantInner::new::{{closure}}::had0cef772e58f041
                               at /home/seulbae/ddssecurity/targets/rustdds-0.8.3/src/dds/participant.rs:768:9
  25:     0x55656ccaa709 - std::sys_common::backtrace::__rust_begin_short_backtrace::h3c1e3fbec170011b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys_common/backtrace.rs:134:18
  26:     0x55656ccca660 - std::thread::Builder::spawn_unchecked_::{{closure}}::{{closure}}::heed9327ed729ac05
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:526:17
  27:     0x55656cda8764 - <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once::hd3ac06514cc9e0f4
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panic/unwind_safe.rs:271:9
  28:     0x55656ccc5e78 - std::panicking::try::do_call::hed72e5162abcf112
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:485:40
  29:     0x55656ccc616b - __rust_try
  30:     0x55656ccc5c78 - std::panicking::try::h5292baa88e55de58
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:449:19
  31:     0x55656cc33e4a - std::panic::catch_unwind::hdcd6626c135e20a9
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panic.rs:140:14
  32:     0x55656ccca40a - std::thread::Builder::spawn_unchecked_::{{closure}}::h97b9c2e3d6394ccc
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/thread/mod.rs:525:30
  33:     0x55656c9acf9f - core::ops::function::FnOnce::call_once{{vtable.shim}}::h8e1e1ae7ba09c97b
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/ops/function.rs:250:5
  34:     0x55656d02f505 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::ha1f2224656a778fb
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9
  35:     0x55656d02f505 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::haa29ed9703f354b7
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/alloc/src/boxed.rs:1973:9
  36:     0x55656d02f505 - std::sys::unix::thread::Thread::new::thread_start::h33b6dae3e3692197
                               at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/sys/unix/thread.rs:108:17
  37:     0x7fd0db9cb609 - start_thread
                               at /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
  38:     0x7fd0db79b133 - clone
                               at /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
  39:                0x0 - <unknown>

Thank you.

This was a good catch!

I do not think anyone had even remotely thought of this.

Fixed in release 0.8.4.