Bug 1543825 (CVE-2018-6644)
Summary: | CVE-2018-6644 sblim-sfcb: NULL pointer dereference (DoS) vulnerability via POST request to /cimom | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dkholia, praveenkpaladugu, srinivas_g_gowda, vcrhonek |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A NULL pointer dereference flaw was found in the way sblim-sfcb handled processing of POST requests to the /cimom URI. A remote attacker could use this flaw to cause a sblim-sfcb child process to crash via a specially crafted HTTP POST request.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-02-23 08:06:17 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1543826 | ||
Bug Blocks: | 1543827 |
Description
Pedro Sampaio
2018-02-09 11:50:30 UTC
Created sblim-sfcb tracking bugs for this issue: Affects: fedora-all [bug 1543826] Information for Fedora 27. Attach GDB to the "http daemon" and run the public reproducer, Thread 2.1 "sfcbd" received signal SIGSEGV, Segmentation fault... (gdb) bt #0 scanCimXmlRequest (ctx=ctx@entry=0x7fff15d5d020, xmlData=0x564fe41bb220 "<?xml version=\"1.0\" ?>\n<CIM CIMVERSION=\"2.0\" DTDVERSION=\"2.0\">\n <MESSAGE ID=\"4711\" PROTOCOLVERSION=\"1.0\">\n <SIMPLEREQ>\n <IMETHODCALL NAME=\"EnumerateInstances\">\n", ' ' <repeats 12 times>, "<LOCALNAMESPA"..., rc=rc@entry=0x7fff15d5cbfc) at cimXmlParserProcessed.c:1739 #1 0x00007fb3b85f140e in handleCimRequest (ctx=ctx@entry=0x7fff15d5d020, flags=flags@entry=0, more=more@entry=0x564fe41bd6d0 "") at cimRequest.c:1850 #2 0x00007fb3b88046ed in doHttpRequest (conn_fd=...) at httpAdapter.c:1400 #3 0x00007fb3b8805dd5 in handleHttpRequest (sslMode=<optimized out>, connFd=141) at httpAdapter.c:1742 #4 acceptRequest (sock=<optimized out>, ssin=<optimized out>, sin_len=<optimized out>, sslMode=<optimized out>) at httpAdapter.c:2023 #5 0x00007fb3b8807854 in httpDaemon (argc=<optimized out>, argv=<optimized out>, sslMode=<optimized out>, adapterNum=<optimized out>, ipAddr=<optimized out>, ipAddrFam=<optimized out>, sfcbPid=0) at httpAdapter.c:2464 #6 0x0000564fe3622335 in startHttpd (argc=1, argv=0x7fff15d5ed78, sslMode=1) at sfcBroker.c:538 #7 0x0000564fe36218b6 in main (argc=1, argv=0x7fff15d5ed78) at sfcBroker.c:1060 cimXmlParserProcessed.c:1739 -> if (strncmp(ctx->contentType,"application/xml",15) !=0 ) { *rc=1; return control.reqHdr; } (gdb) print ctx->contentType $3 = 0x0 This looks like a standard NULL pointer dereference flaw. ... Perhaps the following untested patch could fix this crash, diff --git a/cimXmlParserProcessed.c b/cimXmlParserProcessed.c index 7098392..065a38b 100644 --- a/cimXmlParserProcessed.c +++ b/cimXmlParserProcessed.c @@ -1736,6 +1736,11 @@ scanCimXmlRequest(CimRequestContext *ctx, char *xmlData, int *rc) control.MQs = 0; control.MPQs = 0; + if (!ctx->contentType) + *rc=1; + return control.reqHdr; + } + if (strncmp(ctx->contentType,"application/xml",15) !=0 ) { *rc=1; return control.reqHdr; Statement: This issue did not affect the versions of sblim-sfcb as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. |