While many parts of batctl are rather simple, tcpdump is one of the most complex parts - which unfortunately is also dealing all the time with potentially harmful input. It is therefore a good idea to perform some tests to figure out how bad the current state of the code is. The findings will be presented here - including some information how other people can reproduce these problems.
With afl++, it is possible to fuzz batctl tcpdump and find parsing errors (easier). But it needs an entry point to actually send data to. So for simplicity, a fuzzme subcommand was added which just gets new data from afl++ and then runs the main ethernet parsing function.
diff --git a/split_pcap.py b/split_pcap.py new file mode 100755 index 0000000000000000000000000000000000000000..11a1f5ce8ec60fac141693b0449d5c3955f9ad28 --- /dev/null +++ b/split_pcap.py @@ -0,0 +1,21 @@ +#!/usr/bin/env python3 + +import sys + +from hashlib import sha256 +from scapy.utils import rdpcap + + +def main(): + for pcap in sys.argv[1:]: + packets = rdpcap(pcap) + for packet in packets: + m = sha256() + m.update(packet.load) + fname = m.hexdigest() + with open(fname, "wb") as f: + f.write(packet.load) + + +if __name__ == "__main__": + main() diff --git a/tcpdump.c b/tcpdump.c index 5e7c76c69bd192d7485958aafabc0e9264b41b90..d340af986f99bdf2e8e6dae0d91a641bc80e82a2 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -1556,3 +1556,41 @@ static int tcpdump(struct state *state __maybe_unused, int argc, char **argv)
COMMAND(SUBCOMMAND, tcpdump, "td", 0, NULL, "<interface> \ttcpdump layer 2 traffic on the given interface"); + +__AFL_FUZZ_INIT(); + +static int fuzzme(struct state *state __maybe_unused, int argc, char **argv) +{ + dump_level = dump_level_all; + +#ifdef __AFL_HAVE_MANUAL_CONTROL + __AFL_INIT(); +#endif + + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + while (__AFL_LOOP(10000)) { + int len = __AFL_FUZZ_TESTCASE_LEN; + + /* safety check from tcpdump */ + if ((size_t)len < sizeof(struct ether_header)) + continue; + + /* move into new buffer to allow ASAN to detect invalid memory access */ + unsigned char *p = malloc(len); + if (!p) + continue; + + memcpy(p, buf, len); + + /* function under test */ + parse_eth_hdr(p, len, 0, 0); + + /* drop buffer from asan */ + free(p); + } + + return 0; +} + +COMMAND(SUBCOMMAND, fuzzme, "fz", 0, NULL,
To build the fuzzing test, it is necessary to build batctl slightly differently:
make clean export AFL_USE_ASAN=1; CC=afl-clang-fast make V=s
And the some input files (containing raw ethernet fames have to be generated from existing pcaps):
mkdir in cd in ../split_pcap.py ~/wireshark-batman-adv/tests/* cd ..
And then multiple afl++ fuzzer instances can be started.
if [ -z "${STY}" ]; then echo "must be started inside a screen session" >&2 exit 1 fi
for i in $(seq 1 $(nproc)); do start_mode=-M [ "${i}" = "1" ] || start_mode=-S screen afl-fuzz "${start_mode}" "fuzzer${i}" -i in -o out ./batctl fuzzme done
The crashes can then be analyzed further by sending them to the fuzzme subcommand:
./batctl fuzzme < out/fuzzer1/crashes/id:000000,sig:06,src:000528,time:12,execs:23992,op:havoc,rep:8
Signed-off-by: Sven Eckelmann sven@narfation.org --- Sven Eckelmann (6): batctl: tcpdump: Fix missing sanity check for batman-adv header batctl: tcpdump: Add missing throughput header length check batctl: tcpdump: Fix IPv4 header length check batctl: tcpdump: Add missing ICMPv6 Neighbor Advert length check batctl: tcpdump: Add missing ICMPv6 Neighbor Solicit length check batctl: tcpdump: Fix ICMPv4 inner IPv4 header length check
tcpdump.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) --- base-commit: a57de3183e67ec27cf96f1761e69d542e6dfac03 change-id: 20240127-tcpdump_fuzzing-736774906f60
Best regards,
parse_eth_hdr() is assuming that every ETH_P_BATMAN ethernet packet has a valid, minimal batman-adv header (packet_type, version, ttl) attached. But it doesn't actually check if the received buffer has enough bytes to access the two bytes packet_type + version. So it is possible that it tries to read outside of the received data.
Fixes: 3bdfc388e74b ("implement simple tcpdump, first only batman packets") Signed-off-by: Sven Eckelmann sven@narfation.org --- tcpdump.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tcpdump.c b/tcpdump.c index d340af9..d15c32e 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -1167,6 +1167,9 @@ static void parse_eth_hdr(unsigned char *packet_buff, ssize_t buff_len, int read dump_vlan(packet_buff, buff_len, read_opt, time_printed); break; case ETH_P_BATMAN: + /* check for batman-adv packet_type + version */ + LEN_CHECK(buff_len, sizeof(*eth_hdr) + 2, "BAT HEADER") + batman_ogm_packet = (struct batadv_ogm_packet *)(packet_buff + ETH_HLEN);
if ((read_opt & COMPAT_FILTER) &&
dump_batman_icmp() is only doing a length check for the original ICMP packet length. But the throughput packet (which is also handled by this function) is accessed without doing an additional length check. So it is possible that it tries to read outside of the received data.
Fixes: f109b3473f86 ("batctl: introduce throughput meter support") Signed-off-by: Sven Eckelmann sven@narfation.org --- tcpdump.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tcpdump.c b/tcpdump.c index d15c32e..9bb4b9e 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -911,7 +911,6 @@ static void dump_batman_icmp(unsigned char *packet_buff, ssize_t buff_len, int r LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(struct batadv_icmp_packet), "BAT ICMP");
icmp_packet = (struct batadv_icmp_packet *)(packet_buff + sizeof(struct ether_header)); - tp = (struct batadv_icmp_tp_packet *)icmp_packet;
if (!time_printed) print_time(); @@ -942,6 +941,10 @@ static void dump_batman_icmp(unsigned char *packet_buff, ssize_t buff_len, int r (size_t)buff_len - sizeof(struct ether_header)); break; case BATADV_TP: + LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(*tp), "BAT TP"); + + tp = (struct batadv_icmp_tp_packet *)icmp_packet; + printf("%s: ICMP TP type %s (%hhu), id %hhu, seq %u, ttl %2d, v %d, length %zu\n", name, tp->subtype == BATADV_TP_MSG ? "MSG" : tp->subtype == BATADV_TP_ACK ? "ACK" : "N/A",
dump_ip() is directly accessing the header in the header length check and assumes that ihl can be trusted. But when when ihl is set to something less than 5 then it would not even be possible to store the basic IPv4 header in it. But dump_ip would have still accepted it because it didn't check if there are at least enough bytes available to read the basic IPv4 header. So it is possible that it tries to read outside of the received data.
Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support") Signed-off-by: Sven Eckelmann sven@narfation.org --- tcpdump.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tcpdump.c b/tcpdump.c index 9bb4b9e..3fdd7c3 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -694,7 +694,9 @@ static void dump_ip(unsigned char *packet_buff, ssize_t buff_len, struct icmphdr *icmphdr;
iphdr = (struct iphdr *)packet_buff; + LEN_CHECK((size_t)buff_len, sizeof(*iphdr), ip_string); LEN_CHECK((size_t)buff_len, (size_t)(iphdr->ihl * 4), ip_string); + LEN_CHECK((size_t)(iphdr->ihl * 4), sizeof(*iphdr), ip_string);
if (!time_printed) print_time();
dump_ipv6() is doing a length check for the original ICMPv6 header length. But the neighbor advertisement (which is also handled by this function) is accessed without doing an additional length check. So it is possible that it tries to read outside of the received data.
Fixes: 35b37756f4a3 ("add IPv6 support to tcpdump parser") Cc: Marco Dalla Torre marco.dallato@gmail.com Signed-off-by: Sven Eckelmann sven@narfation.org --- tcpdump.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tcpdump.c b/tcpdump.c index 3fdd7c3..2ae3909 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -659,6 +659,8 @@ static void dump_ipv6(unsigned char *packet_buff, ssize_t buff_len, nd_nas_target, buff_len); break; case ND_NEIGHBOR_ADVERT: + LEN_CHECK((size_t)buff_len - (size_t)(sizeof(struct ip6_hdr)), + sizeof(*nd_advert), "ICMPv6 Neighbor Advertisement"); nd_advert = (struct nd_neighbor_advert *)icmphdr; inet_ntop(AF_INET6, &(nd_advert->nd_na_target), nd_nas_target, 40);
dump_ipv6() is doing a length check for the original ICMPv6 header length. But the neighbor solicitation (which is also handled by this function) is accessed without doing an additional length check. So it is possible that it tries to read outside of the received data.
Fixes: 35b37756f4a3 ("add IPv6 support to tcpdump parser") Cc: Marco Dalla Torre marco.dallato@gmail.com Signed-off-by: Sven Eckelmann sven@narfation.org --- tcpdump.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tcpdump.c b/tcpdump.c index 2ae3909..c253755 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -652,6 +652,8 @@ static void dump_ipv6(unsigned char *packet_buff, ssize_t buff_len, (size_t)buff_len - sizeof(struct icmp6_hdr)); break; case ND_NEIGHBOR_SOLICIT: + LEN_CHECK((size_t)buff_len - (size_t)(sizeof(struct ip6_hdr)), + sizeof(*nd_neigh_sol), "ICMPv6 Neighbor Solicitation"); nd_neigh_sol = (struct nd_neighbor_solicit *)icmphdr; inet_ntop(AF_INET6, &(nd_neigh_sol->nd_ns_target), nd_nas_target, 40);
dump_ip() is doing a length check for the inner (inside ICMP) IPv4 header length. But it is just assuming that the inner ICMPv4 header has ihl set to 5 - without actually checking for this. The more complex IPv4 header length check for the outer IPv4 header is missing before it tries to access the UDP header using the inner ihl IPv4 header length information. So it is possible that it tries to read outside of the received data.
Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support") Signed-off-by: Sven Eckelmann sven@narfation.org --- tcpdump.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/tcpdump.c b/tcpdump.c index c253755..c6aca27 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -730,12 +730,20 @@ static void dump_ip(unsigned char *packet_buff, ssize_t buff_len, (size_t)buff_len - (iphdr->ihl * 4)); break; case ICMP_DEST_UNREACH: - LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), - sizeof(struct iphdr) + 8, "ICMP DEST_UNREACH"); - switch (icmphdr->code) { case ICMP_PORT_UNREACH: + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), + sizeof(struct iphdr), "ICMP DEST_UNREACH"); + + /* validate inner IP header information */ tmp_iphdr = (struct iphdr *)(((char *)icmphdr) + sizeof(struct icmphdr)); + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), + (size_t)(tmp_iphdr->ihl * 4), "ICMP DEST_UNREACH"); + LEN_CHECK((size_t)(tmp_iphdr->ihl * 4), sizeof(*iphdr), "ICMP DEST_UNREACH"); + + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr) - (tmp_iphdr->ihl * 4), + sizeof(*tmp_udphdr), "ICMP DEST_UNREACH"); + tmp_udphdr = (struct udphdr *)(((char *)tmp_iphdr) + (tmp_iphdr->ihl * 4));
printf("%s: ICMP ", ipdst);
On Saturday, 27 January 2024 13:48:58 CET Sven Eckelmann wrote:
While many parts of batctl are rather simple, tcpdump is one of the most complex parts - which unfortunately is also dealing all the time with potentially harmful input. It is therefore a good idea to perform some tests to figure out how bad the current state of the code is. The findings will be presented here - including some information how other people can reproduce these problems.
Attached are also the actual reproducers.
Kind regards, Sven
b.a.t.m.a.n@lists.open-mesh.org
-
Sven Eckelmann