Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEGV bug in pkg/server/fsm.go #2725

Open
grandnew opened this issue Oct 21, 2023 · 7 comments
Open

SEGV bug in pkg/server/fsm.go #2725

grandnew opened this issue Oct 21, 2023 · 7 comments

Comments

@grandnew
Copy link

grandnew commented Oct 21, 2023
edited
Loading

I triggered a SEGV bug when fuzzing gobgp.

The config of the under-test node is as follows, and its IP is 10.0.255.6

[global.config]
  as = 65001
  router-id = "192.168.10.6"


[[neighbors]]
  [neighbors.config]
    neighbor-address = "10.0.255.5"
    peer-as = 64512

The fuzzing node is deployed on 10.0.255.5.

The log snippet around the crash point:

{"Key":"10.0.255.5","State":"BGP_FSM_ESTABLISHED","Topic":"Peer","data":{"Header":{"Marker":null,"Len":19,"Type":4},"Body":{}},"level":"debug","msg":"sent","time":"2023-10-21T09:40:07Z"}
{"Key":"10.0.255.5","Topic":"Peer","attributes":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"},{"type":4,"metric":150}],"level":"debug","msg":"received update","nlri":[{"prefix":"192.168.101.0/24"}],"time":"2023-10-21T09:40:07Z","withdrawals":[]}
{"Nlri":{"prefix":"192.168.101.0/24"},"Topic":"Table","level":"debug","msg":"create Destination","time":"2023-10-21T09:40:07Z"}
{"Nlri":{"prefix":"192.168.101.0/24"},"Topic":"Table","level":"debug","msg":"create Destination","time":"2023-10-21T09:40:07Z"}
{"Data":{"nlri":{"prefix":"192.168.101.0/24"},"attrs":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"},{"type":4,"metric":150}],"age":1697881207,"source-id":"192.168.10.5","neighbor-ip":"10.0.255.5"},"Key":"10.0.255.5","Topic":"Peer","level":"debug","msg":"From me, ignore","time":"2023-10-21T09:40:07Z"}
{"Key":"10.0.255.5","Topic":"Peer","attributes":[],"level":"debug","msg":"received update","nlri":[],"time":"2023-10-21T09:40:10Z","withdrawals":[{"prefix":"192.168.101.0/24"}]}
{"Key":"192.168.101.0/24","Topic":"Table","level":"debug","msg":"Removing withdrawals","time":"2023-10-21T09:40:10Z"}
{"Data":{"nlri":{"prefix":"192.168.101.0/24"},"attrs":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"},{"type":4,"metric":150}],"age":1697881207,"withdrawal":true,"source-id":"192.168.10.5","neighbor-ip":"10.0.255.5"},"Key":"10.0.255.5","Topic":"Peer","level":"debug","msg":"From me, ignore","time":"2023-10-21T09:40:10Z"}
{"Key":"10.0.255.5","Topic":"Peer","attributes":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"},{"type":4,"metric":200}],"level":"debug","msg":"received update","nlri":[{"prefix":"192.168.101.0/24"}],"time":"2023-10-21T09:40:13Z","withdrawals":[]}
{"Nlri":{"prefix":"192.168.101.0/24"},"Topic":"Table","level":"debug","msg":"create Destination","time":"2023-10-21T09:40:13Z"}
{"Nlri":{"prefix":"192.168.101.0/24"},"Topic":"Table","level":"debug","msg":"create Destination","time":"2023-10-21T09:40:13Z"}
{"Data":{"nlri":{"prefix":"192.168.101.0/24"},"attrs":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"},{"type":4,"metric":200}],"age":1697881213,"source-id":"192.168.10.5","neighbor-ip":"10.0.255.5"},"Key":"10.0.255.5","Topic":"Peer","level":"debug","msg":"From me, ignore","time":"2023-10-21T09:40:13Z"}
{"Key":"10.0.255.5","Topic":"Peer","attributes":[],"level":"debug","msg":"received update","nlri":[],"time":"2023-10-21T09:40:16Z","withdrawals":[{"prefix":"192.168.101.0/24"}]}
{"Key":"192.168.101.0/24","Topic":"Table","level":"debug","msg":"Removing withdrawals","time":"2023-10-21T09:40:16Z"}
{"Data":{"nlri":{"prefix":"192.168.101.0/24"},"attrs":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"},{"type":4,"metric":200}],"age":1697881213,"withdrawal":true,"source-id":"192.168.10.5","neighbor-ip":"10.0.255.5"},"Key":"10.0.255.5","Topic":"Peer","level":"debug","msg":"From me, ignore","time":"2023-10-21T09:40:16Z"}
{"Key":"10.0.255.5","Topic":"Peer","attributes":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"}],"level":"debug","msg":"received update","nlri":[{"prefix":"192.168.102.0/24"}],"time":"2023-10-21T09:40:19Z","withdrawals":[]}
{"Nlri":{"prefix":"192.168.102.0/24"},"Topic":"Table","level":"debug","msg":"create Destination","time":"2023-10-21T09:40:19Z"}
{"Nlri":{"prefix":"192.168.102.0/24"},"Topic":"Table","level":"debug","msg":"create Destination","time":"2023-10-21T09:40:19Z"}
{"Data":{"nlri":{"prefix":"192.168.102.0/24"},"attrs":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"}],"age":1697881219,"source-id":"192.168.10.5","neighbor-ip":"10.0.255.5"},"Key":"10.0.255.5","Topic":"Peer","level":"debug","msg":"From me, ignore","time":"2023-10-21T09:40:19Z"}
{"Key":"10.0.255.5","Topic":"Peer","attributes":[],"level":"debug","msg":"received update","nlri":[],"time":"2023-10-21T09:40:22Z","withdrawals":[{"prefix":"192.168.102.0/24"}]}
{"Key":"192.168.102.0/24","Topic":"Table","level":"debug","msg":"Removing withdrawals","time":"2023-10-21T09:40:22Z"}
{"Data":{"nlri":{"prefix":"192.168.102.0/24"},"attrs":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"}],"age":1697881219,"withdrawal":true,"source-id":"192.168.10.5","neighbor-ip":"10.0.255.5"},"Key":"10.0.255.5","Topic":"Peer","level":"debug","msg":"From me, ignore","time":"2023-10-21T09:40:22Z"}
{"Key":"10.0.255.5","Topic":"Peer","attributes":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"}],"level":"debug","msg":"received update","nlri":[{"prefix":"192.168.102.0/24"}],"time":"2023-10-21T09:40:25Z","withdrawals":[]}
{"Nlri":{"prefix":"192.168.102.0/24"},"Topic":"Table","level":"debug","msg":"create Destination","time":"2023-10-21T09:40:25Z"}
{"Nlri":{"prefix":"192.168.102.0/24"},"Topic":"Table","level":"debug","msg":"create Destination","time":"2023-10-21T09:40:25Z"}
{"Data":{"nlri":{"prefix":"192.168.102.0/24"},"attrs":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"}],"age":1697881225,"source-id":"192.168.10.5","neighbor-ip":"10.0.255.5"},"Key":"10.0.255.5","Topic":"Peer","level":"debug","msg":"From me, ignore","time":"2023-10-21T09:40:25Z"}
{"Key":"10.0.255.5","Topic":"Peer","attributes":[],"level":"debug","msg":"received update","nlri":[],"time":"2023-10-21T09:40:28Z","withdrawals":[{"prefix":"192.168.102.0/24"}]}
{"Key":"192.168.102.0/24","Topic":"Table","level":"debug","msg":"Removing withdrawals","time":"2023-10-21T09:40:28Z"}
{"Data":{"nlri":{"prefix":"192.168.102.0/24"},"attrs":[{"type":1,"value":2},{"type":2,"as_paths":[{"segment_type":2,"num":1,"asns":[64512]}]},{"type":3,"nexthop":"10.0.255.5"}],"age":1697881225,"withdrawal":true,"source-id":"192.168.10.5","neighbor-ip":"10.0.255.5"},"Key":"10.0.255.5","Topic":"Peer","level":"debug","msg":"From me, ignore","time":"2023-10-21T09:40:28Z"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x1a pc=0xb1f5e7]

goroutine 413 [running]:
github.com/osrg/gobgp/v3/pkg/server.(*fsmHandler).handlingError(0xc00009fec0?, 0xc00034d0c0?, {0xea7160?, 0xc0003f9140?}, 0x88?)
	github.com/osrg/gobgp/v3/pkg/server/fsm.go:913 +0x27
github.com/osrg/gobgp/v3/pkg/server.(*fsmHandler).recvMessageWithError(0xc00011bce0)
	github.com/osrg/gobgp/v3/pkg/server/fsm.go:1017 +0x685
github.com/osrg/gobgp/v3/pkg/server.(*fsmHandler).recvMessageloop(0xc00011bce0, {0x0?, 0x0?}, 0x0?)
	github.com/osrg/gobgp/v3/pkg/server/fsm.go:1783 +0x5b
created by github.com/osrg/gobgp/v3/pkg/server.(*fsmHandler).established in goroutine 411
	github.com/osrg/gobgp/v3/pkg/server/fsm.go:1805 +0x270

The full logs and network capture are as attached.

SEGV_debugMode.log
SEGV_network_capture.pcap.zip
@grandnew
Copy link
Author

Dear maintainers, what's the possible reason for this bug? @fragmede @rubenk

@fujita
Copy link
Member

fujita commented Oct 31, 2023

You use two GoBGP daemons?

@grandnew
Copy link
Author

You use two GoBGP daemons?

No, only the under-test node uses the GoBGP daemon.

@fujita
Copy link
Member

fujita commented Oct 31, 2023

What BGP daemon other side?

@grandnew
Copy link
Author

grandnew commented Nov 3, 2023

What BGP daemon other side?

The other side is a fuzzer that continuously generates BGP packets and sends them to the under-test node for testing. @fujita

@abergmann
Copy link

CVE-2023-46565 was assigned to this issue.

@matbits
Copy link

matbits commented May 13, 2024

Hello together,

I looked into the code and found a possible reason for the segv message (unfortunate I do not have time to test the pcap stream against a fixed version to confirm my assumptions), anyway here are my thoughts:

The function (h *fsmHandler) recvMessageWithError() calls hd.DecodeFromBytes which parses the bytes into BGPHeader, but does not check the type. Later the function recvMessageWithError() calls ParseBGPBody, which actually calls parseBody which checks the header type and if it is unknown, it returns nil and an error.
Thus the check for an error is true and it calls handlingError with m being a nil BGPMessage and the function deferences a nil pointer.

What do you think about it, does this make sense?
Could this be the reason for the segv?

@GoVulnBot GoVulnBot mentioned this issue Sep 6, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fujita @abergmann @grandnew @matbits