a heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c #1039
Description
Describe the bug
Hi, I found a heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c
To reproduce
Steps to reproduce the behavior:
- export CFLAGS="-g -O0 -fsanitize=address,undefined"
export CC=afl-clang-fast
./configure
make && make install - /usr/local/sbin/unbound -c poc_file
poc_file:
poc_file.zip
Evidence
==82377==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1d55b9b7fc at pc 0x563778036868 bp 0x7fff8f67cc50 sp 0x7fff8f67cc48
WRITE of size 4 at 0x7f1d55b9b7fc thread T0
#0 0x563778036867 in cfg_mark_ports /root/fuzz/fuzz_unbound/unbound/util/config_file.c:1769:16
#1 0x5637780f6444 in ub_c_parse /root/fuzz/fuzz_unbound/unbound/./util/configparser.y:807:7
#2 0x56377808ae44 in config_read /root/fuzz/fuzz_unbound/unbound/util/config_file.c:1437:2
#3 0x563777b0441a in run_daemon /root/fuzz/fuzz_unbound/unbound/daemon/unbound.c:712:7
#4 0x563777b033e0 in main /root/fuzz/fuzz_unbound/unbound/daemon/unbound.c:838:2
#5 0x7f1d560d7d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#6 0x7f1d560d7e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#7 0x563777909e34 in _start (/usr/local/sbin/unbound+0x3cbe34) (BuildId: 0d770d8f7835f96a6db0ad985a4c0f7c946e452d)
0x7f1d55b9b7fc is located 4 bytes before 262144-byte region [0x7f1d55b9b800,0x7f1d55bdb800)
allocated by thread T0 here:
#0 0x5637779a3e48 in __interceptor_calloc (/usr/local/sbin/unbound+0x465e48) (BuildId: 0d770d8f7835f96a6db0ad985a4c0f7c946e452d)
#1 0x563777fcef03 in config_create /root/fuzz/fuzz_unbound/unbound/util/config_file.c:187:41
#2 0x563777b041da in run_daemon /root/fuzz/fuzz_unbound/unbound/daemon/unbound.c:710:14
#3 0x563777b033e0 in main /root/fuzz/fuzz_unbound/unbound/daemon/unbound.c:838:2
#4 0x7f1d560d7d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/fuzz_unbound/unbound/util/config_file.c:1769:16 in cfg_mark_ports
Shadow bytes around the buggy address:
0x7f1d55b9b500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1d55b9b580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1d55b9b600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1d55b9b680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1d55b9b700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x7f1d55b9b780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x7f1d55b9b800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f1d55b9b880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f1d55b9b900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f1d55b9b980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f1d55b9ba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==82377==ABORTING
System:
Unbound version: 1.19.3
OS: Ubuntu 22.04.3 LTS