When the following DATA submessage is sent to a discovery locator, it triggers ASan's bad-free error:
0000 15 17 18 00 00 00 10 92 00 00 00 00 00 01 00 c2
0010 00 00 00 00 02 00 00 00 01 00 00 00
In file: /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp
882 {
883 payload_pool->release_payload(ch);
884 }
885
886 //TODO(Ricardo) If an exception is thrown (ex, by fastcdr), these lines are not executed -> segmentation fault
► 887 ch.serializedPayload.data = nullptr;
888 ch.inline_qos.data = nullptr;
889
890 EPROSIMA_LOG_INFO(RTPS_MSG_IN, IDSTRING "Sub Message DATA processed");
891 return true;
892 }
#0 0x4db152 in free (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x4db152)
#1 0x54c125 in eprosima::fastrtps::rtps::SerializedPayload_t::empty() (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x54c125)
#2 0x54b46c in eprosima::fastrtps::rtps::SerializedPayload_t::~SerializedPayload_t() (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x54b46c)
#3 0x7ffff5f5daca in eprosima::fastrtps::rtps::CacheChange_t::~CacheChange_t() /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/include/fastdds/rtps/common/CacheChange.h:184:5
#4 0x7ffff6111e01 in eprosima::fastrtps::rtps::MessageReceiver::proc_Submsg_Data(eprosima::fastrtps::rtps::CDRMessage_t*, eprosima::fastrtps::rtps::SubmessageHeader_t*, eprosima::fastrtps::rtps::EntityId_t&) const /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:892:1
#5 0x7ffff61003b8 in eprosima::fastrtps::rtps::MessageReceiver::processCDRMsg(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::CDRMessage_t*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/messages/MessageReceiver.cpp:439:33
#6 0x7ffff61769b6 in eprosima::fastrtps::rtps::ReceiverResource::OnDataReceived(unsigned char const*, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastrtps::rtps::Locator_t const&) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:134:14
#7 0x7ffff65c1773 in eprosima::fastdds::rtps::UDPChannelResource::perform_listen_operation(eprosima::fastrtps::rtps::Locator_t) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:70:33
#8 0x7ffff65cc2dd in void std::__invoke_impl<void, void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(std::__invoke_memfun_deref, void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73:14
#9 0x7ffff65cbeca in std::__invoke_result<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>::type std::__invoke<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t>(void (eprosima::fastdds::rtps::UDPChannelResource::*&&)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*&&, eprosima::fastrtps::rtps::Locator_t&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
#10 0x7ffff65cbe3a in void std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:244:13
#11 0x7ffff65cbda4 in std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> >::operator()() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:251:11
#12 0x7ffff65cb6b8 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (eprosima::fastdds::rtps::UDPChannelResource::*)(eprosima::fastrtps::rtps::Locator_t), eprosima::fastdds::rtps::UDPChannelResource*, eprosima::fastrtps::rtps::Locator_t> > >::_M_run() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:195:13
#13 0x7ffff473edf3 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6df3)
#14 0x7ffff4be4608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#15 0x7ffff4429132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x63100002882c is located 44 bytes inside of 65500-byte region [0x631000028800,0x6310000387dc)
allocated by thread T0 here:
#0 0x4db3bd in malloc (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x4db3bd)
#1 0x7ffff60e7b43 in eprosima::fastrtps::rtps::CDRMessage_t::CDRMessage_t(unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/include/fastdds/rtps/common/CDRMessage_t.h:79:30
#2 0x7ffff65bff63 in eprosima::fastdds::rtps::ChannelResource::ChannelResource(unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/ChannelResource.cpp:45:7
#3 0x7ffff65c0dd7 in eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp>&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:35:7
#4 0x7ffff6700393 in eprosima::fastdds::rtps::UDPTransportInterface::CreateInputChannelResource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastrtps::rtps::Locator_t const&, bool, unsigned int, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:233:50
#5 0x7ffff6705a83 in eprosima::fastdds::rtps::UDPTransportInterface::OpenAndBindInputSockets(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, bool, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:207:34
#6 0x7ffff66500a9 in eprosima::fastdds::rtps::UDPv4Transport::OpenInputChannel(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPv4Transport.cpp:328:19
#7 0x7ffff61748eb in eprosima::fastrtps::rtps::ReceiverResource::ReceiverResource(eprosima::fastdds::rtps::TransportInterface&, eprosima::fastrtps::rtps::Locator_t const&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:45:24
#8 0x7ffff6162155 in eprosima::fastrtps::rtps::NetworkFactory::BuildReceiverResources(eprosima::fastrtps::rtps::Locator_t&, std::vector<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource>, std::allocator<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource> > >&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/network/NetworkFactory.cpp:74:25
#9 0x7ffff618910a in eprosima::fastrtps::rtps::RTPSParticipantImpl::createReceiverResources(eprosima::fastdds::rtps::LocatorList&, bool, bool) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:1701:38
#10 0x7ffff6181598 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:357:5
#11 0x7ffff618aba9 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:450:7
#12 0x7ffff6219ace in eprosima::fastrtps::rtps::RTPSDomainImpl::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:199:21
#13 0x7ffff621bd07 in eprosima::fastrtps::rtps::RTPSDomain::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:88:12
#14 0x7ffff64e91eb in eprosima::fastdds::dds::DomainParticipantImpl::enable() /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantImpl.cpp:277:16
#15 0x7ffff6569195 in eprosima::fastdds::dds::DomainParticipant::enable() /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/fastdds/domain/DomainParticipant.cpp:110:36
#16 0x7ffff64bad1a in eprosima::fastdds::dds::DomainParticipantFactory::create_participant(unsigned int, eprosima::fastdds::dds::DomainParticipantQos const&, eprosima::fastdds::dds::DomainParticipantListener*, eprosima::fastdds::dds::StatusMask const&) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantFactory.cpp:189:55
#17 0x56c9cc in HelloWorldSubscriber::init(bool) (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x56c9cc)
#18 0x574de1 in main (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x574de1)
#19 0x7ffff432e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Thread T4 created by T0 here:
#0 0x4c571c in pthread_create (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x4c571c)
#1 0x7ffff473f0c9 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd70c9)
#2 0x7ffff65c0f99 in eprosima::fastdds::rtps::UDPChannelResource::UDPChannelResource(eprosima::fastdds::rtps::UDPTransportInterface*, asio::basic_datagram_socket<asio::ip::udp>&, unsigned int, eprosima::fastrtps::rtps::Locator_t const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPChannelResource.cpp:42:12
#3 0x7ffff6700393 in eprosima::fastdds::rtps::UDPTransportInterface::CreateInputChannelResource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, eprosima::fastrtps::rtps::Locator_t const&, bool, unsigned int, eprosima::fastdds::rtps::TransportReceiverInterface*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:233:50
#4 0x7ffff6705a83 in eprosima::fastdds::rtps::UDPTransportInterface::OpenAndBindInputSockets(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, bool, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPTransportInterface.cpp:207:34
#5 0x7ffff66500a9 in eprosima::fastdds::rtps::UDPv4Transport::OpenInputChannel(eprosima::fastrtps::rtps::Locator_t const&, eprosima::fastdds::rtps::TransportReceiverInterface*, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/transport/UDPv4Transport.cpp:328:19
#6 0x7ffff61748eb in eprosima::fastrtps::rtps::ReceiverResource::ReceiverResource(eprosima::fastdds::rtps::TransportInterface&, eprosima::fastrtps::rtps::Locator_t const&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/network/ReceiverResource.cpp:45:24
#7 0x7ffff6162155 in eprosima::fastrtps::rtps::NetworkFactory::BuildReceiverResources(eprosima::fastrtps::rtps::Locator_t&, std::vector<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource>, std::allocator<std::shared_ptr<eprosima::fastrtps::rtps::ReceiverResource> > >&, unsigned int) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/network/NetworkFactory.cpp:74:25
#8 0x7ffff618910a in eprosima::fastrtps::rtps::RTPSParticipantImpl::createReceiverResources(eprosima::fastdds::rtps::LocatorList&, bool, bool) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:1701:38
#9 0x7ffff6181598 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:357:5
#10 0x7ffff618aba9 in eprosima::fastrtps::rtps::RTPSParticipantImpl::RTPSParticipantImpl(unsigned int, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::GuidPrefix_t const&, eprosima::fastrtps::rtps::RTPSParticipant*, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/participant/RTPSParticipantImpl.cpp:450:7
#11 0x7ffff6219ace in eprosima::fastrtps::rtps::RTPSDomainImpl::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:199:21
#12 0x7ffff621bd07 in eprosima::fastrtps::rtps::RTPSDomain::createParticipant(unsigned int, bool, eprosima::fastrtps::rtps::RTPSParticipantAttributes const&, eprosima::fastrtps::rtps::RTPSParticipantListener*) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/rtps/RTPSDomain.cpp:88:12
#13 0x7ffff64e91eb in eprosima::fastdds::dds::DomainParticipantImpl::enable() /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantImpl.cpp:277:16
#14 0x7ffff6569195 in eprosima::fastdds::dds::DomainParticipant::enable() /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/fastdds/domain/DomainParticipant.cpp:110:36
#15 0x7ffff64bad1a in eprosima::fastdds::dds::DomainParticipantFactory::create_participant(unsigned int, eprosima::fastdds::dds::DomainParticipantQos const&, eprosima::fastdds::dds::DomainParticipantListener*, eprosima::fastdds::dds::StatusMask const&) /home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/src/cpp/fastdds/domain/DomainParticipantFactory.cpp:189:55
#16 0x56c9cc in HelloWorldSubscriber::init(bool) (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x56c9cc)
#17 0x574de1 in main (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x574de1)
#18 0x7ffff432e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: bad-free (/home/seulbae/ddssecurity/targets/fastdds-master/src/fastrtps/examples/cpp/dds/HelloWorldExample/DDSHelloWorldExample+0x4db152) in free
==2597607==ABORTING
Run any fastdds process on domain 0.
Send the DATA submessage above to 127.0.0.1:7400.
This can remotely crash any Fast-DDS process (denial of service). Because the pointer passed to `free()` is controlled by the sender, this vulnerability could potentially be turned into a double free or use-after-free.
Summary
This was initially found in v2.9.0 and reported as issue #3207. The issue is still present in v2.11.1.
Details
When the following DATA submessage is sent to a discovery locator, it triggers ASan's bad-free error:
The `octetsToInlineQoS` field is malformed (0x9210); it is normally 16. In `proc_Submsg_Data()`, the line `ch.serializedPayload.data = nullptr;` triggers ASan. The report below shows the freed address lying 44 bytes inside the 65500-byte buffer allocated in `CDRMessage_t::CDRMessage_t`, i.e. a pointer into the receive buffer reaches `free()`. ASan report:
PoC
Run any fastdds process on domain 0.
Send the DATA submessage above to 127.0.0.1:7400.
Impact
This can remotely crash any Fast-DDS process (denial of service). Because the pointer passed to `free()` is controlled by the sender, this vulnerability could potentially be turned into a double free or use-after-free.