Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-7105: Abort if malloc() was unsuccessful #752

Closed
wants to merge 1 commit into from
Closed

CVE-2020-7105: Abort if malloc() was unsuccessful #752

wants to merge 1 commit into from

Conversation

lamby
Copy link
Contributor

@lamby lamby commented Jan 19, 2020

No description provided.

@lamby
Copy link
Contributor Author

lamby commented Jan 19, 2020

This is to address #747

@mnunberg
Copy link
Contributor

mnunberg commented Jan 19, 2020
edited
Loading

Is there any advantage of crashing via abort vs crashing via segfault?

@lamby
Copy link
Contributor Author

lamby commented Jan 19, 2020

The segfault might be exploitable, and the abort is more debuggable outside of a security context.

@shouc shouc mentioned this pull request Jan 19, 2020
Closed
@shouc
Copy link

shouc commented Jan 19, 2020
edited
Loading

I think a better way to fix this is to abstract out the handling function to header files. For example:
#define OOM_HANDLER abort() and use OOM_HANDLER to substitute abort(), which makes upstream developers easier to define their own try catch logic.

@lamby
Copy link
Contributor Author

lamby commented Jan 19, 2020

Ah, good idea. I was not aware of that particular idiom, thanks.

@lamby lamby force-pushed the null-pointer-deferencing-747 branch from 78cec25 to dcc7cea Compare January 19, 2020 23:03
@lamby
Copy link
Contributor Author

lamby commented Jan 19, 2020

Something like this? :)

@shouc
Copy link

shouc commented Jan 19, 2020

lgtm but I am not the owner

@mnunberg
Copy link
Contributor

Perhaps just wrap the entire allocation in a macro/function?

@lamby
Copy link
Contributor Author

lamby commented Jan 20, 2020

Perhaps just wrap the entire allocation in a macro/function?

This could work. But:

  • Is there a Don't Repeat Yourself version of doing this that can support malloc and calloc (used at least 9 times)
  • It would be a fairly invasive code change (fine for master) but perhaps rather unwieldy to backport.

@mnunberg
Copy link
Contributor

  1. just wrap calloc, malloc, realloc, strdup, etc etc. I mean, this is what redis server does itself.
  2. I personally don't think that a segfault on NULL is all that big a deal, but I think we should simply start first at those areas which have been identified. As far as the invasiveness, a one-line change in a bunch of places is going to be far less invasive than a multi-line change in those same areas.

michael-grunder added a commit to michael-grunder/hiredis that referenced this pull request Jan 20, 2020
@michael-grunder
Safe allocation wrappers where we don't handle OOM
dfdc85a 
See hiredis issues redis#747, redis#752
@michael-grunder
Copy link
Collaborator

michael-grunder commented Jan 20, 2020
edited
Loading

just wrap calloc, malloc, realloc, strdup, etc etc. I mean, this is what redis server does itself

That's what I would suggest as well. Given that we often do handle a NULL reply (e.g. returning REDIS_ERROR_OOM) we should probably name them something else.

What about hr_safe_malloc, hr_safe_realloc, hr_safe_calloc, and hr_safe_strdup?

If we're all good with that direction I'm happy to formalize (and actually test) the changes.

edit for correct links:

link to my POC branch
link to the diff

@lamby
Copy link
Contributor Author

lamby commented Jan 20, 2020

I quickly sketched out a POC over on my fork.

FYI this links to the "New PR" page and not the PR itself. Did you forget to push it? I don't see the branch in your fork... :)

@michael-grunder
Copy link
Collaborator

Apparently I can't link things properly 😄

link to my POC branch
link to the diff

@lamby
Copy link
Contributor Author

lamby commented Jan 20, 2020

Thanks; nice work. I suppose the other approach might be to emulate what Redis' src/zmalloc.c does by #define realloc(ptr,size) foo_realloc(ptr,size) etc.?

@michael-grunder
Copy link
Collaborator

I like that strategy as well, but we probably need two versions because there are a bunch of places where OOM is handled in a non-fatal way.

@mnunberg let us know if this strategy seems reasonable.

@michael-grunder
Copy link
Collaborator

As an alternative what do people think about getting #638 merged first?

That has some good stuff in it in addition to the malloc NULL checks. In particular the the redisAsync*Append functions.

@shouc
Copy link

shouc commented Jan 21, 2020

lgtm, the only conflict is in async.c, where #638 uses following approach:

if (NULL != (dup = malloc(sizeof(*dup))))
        memcpy(dup, src, sizeof(*dup));

@lamby
Copy link
Contributor Author

lamby commented Jan 22, 2020

what do people think about getting #638 merged first?

I'd quite very like this one (or something similar) merged first as I am trying to ensure I can cherry-pick a minimal patch for older and already-shipped versions of hiredis, hence trying to reduce the number of changes. It would be difficult for me to ship out #638's wide-reaching changes in a safe and confident manner (and might even be difficult to backport in a pure code sesne as it changes quite a lot).

@lamby lamby force-pushed the null-pointer-deferencing-747 branch from dcc7cea to 3e2ddf9 Compare January 22, 2020 21:58
@mnunberg
Copy link
Contributor

Re #638 I'm not a fan of mindlessly checking for NULL so much and so explicitly that it makes the actual code hard to read. I think that PR has too much boilerplate, though I do appreciate what he's trying to do over there.

@michael-grunder I'm in favor of a prefixed malloc, maybe hiredis_malloc or whatever... or just hi_malloc

@michael-grunder
Copy link
Collaborator

michael-grunder commented Jan 22, 2020
edited
Loading

@mnunberg Seems reasonable to me. I'll package it up and open a PR for review.

Edit: @lamby I totally understand not wanting such a huge change just for a patch.

michael-grunder added a commit that referenced this pull request Jan 23, 2020
@michael-grunder
Rename allocation wrappers and add license info
70e73a3 
See #752, #747
@michael-grunder
Copy link
Collaborator

Closing in favor of #754, please redirect all bikeshedding over there.

@lamby lamby mentioned this pull request Jan 23, 2020
Merged
michael-grunder added a commit that referenced this pull request Jan 28, 2020
@michael-grunder
Safe allocation wrappers (#754)
669ac9d 
Create allocation wrappers with a configurable OOM handler (defaults to abort()).

See #752, #747
@stevelipinski
Copy link

Will a new release/tag be issued (0.15.0?) since this addresses a CVE?

michael-grunder added a commit that referenced this pull request Mar 13, 2020
@michael-grunder
Safe allocation wrappers (#754)
a153788 
Create allocation wrappers with a configurable OOM handler (defaults to abort()).

See #752, #747
valentinogeron pushed a commit to valentinogeron/hiredis that referenced this pull request Mar 17, 2020
@michael-grunder @valentinogeron
Safe allocation wrappers (redis#754)
5a3a817 
Create allocation wrappers with a configurable OOM handler (defaults to abort()).

See redis#752, redis#747

Conflicts:
	Makefile
	adapters/libevent.h
@RoeyPrat RoeyPrat mentioned this pull request Mar 31, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@lamby @mnunberg @shouc @michael-grunder @stevelipinski