
#6 1.4rc3 Crash - free() on invalid pointer in simclist.c

Status: fixed
Owner: Mij
Labels: None
Priority: 5
Updated: 2015-03-01
Created: 2009-04-15
Creator: Thorwak
Private: No

Hi, I've tried out sshguard 1.4rc3. There seems to be a problem with simclist.c (or possibly with sshguard passing bad data to the simclist library). When sshguard tries to add an IP to the blacklist database it crashes on trying to free() an invalid pointer. (IP address partly masked to protect the (not so) innocent.)

# cat /var/log/sshguard.fifo | ./sshguard -b 3:test.db -d
Blacklist loaded, 0 addresses.
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 162 ("Apr 15 07:51:52")
Next token is token TIMESTAMP_SYSLOG ()

...

Stack now 0
Matched address 85.25.139.xx:4 attacking service 100
Blocking 85.25.139.xx:4 for >1680secs: 4 failures over 0 seconds.
Setting environment: SSHG_ADDR=85.25.139.xx;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Offender '85.25.139.xx:4' seen 3 times (threshold 3) -> blacklisted.
Looking for address '85.25.139.xx:4'...
Not found.
*** glibc detected *** ./sshguard: free(): invalid pointer: 0x0806e320 ***
======= Backtrace: =========
/lib/libc.so.6[0x9f6b16]
/lib/libc.so.6(cfree+0x90)[0x9fa070]
./sshguard[0x804ed05]
./sshguard[0x804f078]
./sshguard[0x804d5d8]
./sshguard[0x804ba30]
./sshguard[0x804c226]
/lib/libc.so.6(__libc_start_main+0xdc)[0x9a3dec]
./sshguard[0x80491a1]

Doing a bt in GDB:
Program received signal SIGABRT, Aborted.
[Switching to Thread -1208637760 (LWP 6277)]
0x00c90402 in __kernel_vsyscall ()
(gdb) bt
#0 0x00c90402 in __kernel_vsyscall ()
#1 0x009b6d20 in raise () from /lib/libc.so.6
#2 0x009b8631 in abort () from /lib/libc.so.6
#3 0x009eee6b in __libc_message () from /lib/libc.so.6
#4 0x009f6b16 in _int_free () from /lib/libc.so.6
#5 0x009fa070 in free () from /lib/libc.so.6
#6 0x0804ed05 in list_dump_filedescriptor (l=0x9d06428, fd=3, len=0x0) at simclist.c:1009
#7 0x0804f078 in list_dump_file (l=0x9d06428, filename=0x9d06418 "test.db", len=0x0) at simclist.c:1246
#8 0x0804d5d8 in blacklist_add (filename=0x9d06418 "test.db", newel=0x9d223e0) at sshguard_blacklist.c:182
#9 0x0804ba30 in report_address (attack={address = {value = "85.25.139.xx", '\0' <repeats 33 times>, kind = 4}, service = 100}) at sshguard.c:371
#10 0x0804c226 in main (argc=Cannot access memory at address 0x1885
) at sshguard.c:241

I tried removing the free() calls in simclist.c at lines 1009 and 1038. sshguard then works properly, but possibly leaks memory? I haven't investigated further.

Thanks for a useful product :)

Discussion

  • David Horn

    David Horn - 2009-04-21

    I am seeing the same issue on FreeBSD 7 with the svn source from today.

    I am running into an issue with the new blacklist support in the svn version of sshguard on FreeBSD 7:

    When running with blacklist support enabled, e.g.:

    sshguard -d -b 2:/var/db/sshguard.blacklist

    I input a valid attack string 8 times, e.g.:

    Mar 23 19:09:38 dhorn-bsd sshd[20872]: error: PAM: authentication error for root from 1.2.3.4

    <snip of non-interesting debug output>
    Offender '1.2.3.4:4' seen 2 times (threshold 2) -> blacklisted.
    Looking for address '1.2.3.4:4'...
    Not found.
    Segmentation fault (core dumped)

    gdb backtrace shows:

    #0 0x28104862 in calloc () from /lib/libc.so.7
    [New Thread 0x28201200 (LWP 100147)]
    [New Thread 0x28201100 (LWP 100057)]
    (gdb) bt
    #0 0x28104862 in calloc () from /lib/libc.so.7
    #1 0x28104b7e in free () from /lib/libc.so.7
    #2 0x0804eebb in list_dump_filedescriptor (l=0x28207200, fd=3, len=0x0) at simclist.c:1005
    #3 0x0804f1e8 in list_dump_file (l=0x28207200, filename=0x282060e0 "/var/db/sshguard.blacklist", len=0x0) at simclist.c:1242
    #4 0x0804d5b8 in blacklist_add (filename=0x282060e0 "/var/db/sshguard.blacklist", newel=0x282090b0) at sshguard_blacklist.c:182
    #5 0x0804bb9f in report_address (attack={address = {value = "1.2.3.4", '\0' <repeats 38 times>, kind = 4}, service = 100}) at sshguard.c:371
    #6 0x0804c4bf in main (argc=Cannot access memory at address 0xc
    ) at sshguard.c:241

    Keep up the good work Mij. I like the idea of the blacklist feature.

     
  • Mij

    Mij - 2009-04-22

    Thanks for reporting.

    The error is in how sshguard uses it, and it's pretty l4m3 :)
    Please test this:
    1] fetch SVN version
    2] open sshguard_blacklist.c
    3] locate function "static void *attacker_serializer"
    4] change the line
    static char serialization_buf[ATTACKER_T_LEN];
    to
    char *serialization_buf;

    AND few lines later, after "assert(len != NULL);", add
    serialization_buf = (char *)malloc(ATTACKER_T_LEN);

    5] recompile, reinstall, test again
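
An added example, not sshguard's or simclist's code, that models the ownership contract behind this crash and the fix Mij describes: the dumper takes ownership of whatever the serializer returns and free()s it, so the serializer must hand back a malloc'ed buffer rather than a static array (dropping the free() instead, as the reporter tried, would leak one buffer per element on every dump). The record layout and the names attacker_rec, serializer_fn, dump_records and demo_roundtrip are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical record: address, kind (4/6) and service, as in the ticket. */
typedef struct { char address[48]; int kind; int service; } attacker_rec;
/* Serializer contract: return a heap buffer of *len bytes; the dumper frees it.
 * The pre-fix sshguard serializer returned a static array, so that free() hit
 * a non-heap pointer: the "free(): invalid pointer" abort in the report. */
typedef void *(*serializer_fn)(const attacker_rec *rec, size_t *len);

static void *attacker_serializer(const attacker_rec *rec, size_t *len) {
    char *buf = malloc(sizeof(*rec));   /* heap allocation, the shape of Mij's fix */
    if (buf == NULL) return NULL;
    memcpy(buf, rec, sizeof(*rec));
    *len = sizeof(*rec);
    return buf;
}

/* Like list_dump_filedescriptor: serialize, write and free each element.
 * Returns total bytes written, or -1 on error. */
static long dump_records(const attacker_rec *recs, size_t n, int fd, serializer_fn ser) {
    long total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = 0;
        void *buf = ser(&recs[i], &len);
        if (buf == NULL) return -1;
        ssize_t w = write(fd, buf, len);
        free(buf);   /* valid only because ser() returned malloc'ed memory */
        if (w < 0 || (size_t)w != len) return -1;
        total += w;
    }
    return total;
}

/* Round-trip two constructed records through a temp file; returns how many addresses read back intact (expect 2). */
int demo_roundtrip(void) {
    attacker_rec recs[2] = {{"85.25.139.xx", 4, 100}, {"1.2.3.4", 4, 100}}, back[2];
    FILE *tmp = tmpfile();
    if (tmp == NULL) return -1;
    long written = dump_records(recs, 2, fileno(tmp), attacker_serializer);
    rewind(tmp);
    size_t got = (written == (long)sizeof(recs)) ? fread(back, sizeof(*back), 2, tmp) : 0;
    fclose(tmp);
    int ok = 0;
    for (size_t i = 0; i < got; i++)
        if (strcmp(back[i].address, recs[i].address) == 0) ok++;
    return ok;
}
```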

     
  • Mij

    Mij - 2009-04-22
    • assigned_to: nobody --> mijio
     
  • Mij

    Mij - 2009-04-22

    I integrated the fix in the SVN version. Further testing is still welcome.

     
  • Mij

    Mij - 2009-04-22
    • status: open --> closed-fixed
     
  • David Horn

    David Horn - 2009-04-22

    Fix in SVN looks good on my FreeBSD 7 machine. Blacklisting and persistence across invocations is working well now. Thanks again!

     
  • Kevin Zheng

    Kevin Zheng - 2015-03-01
    • Status: closed-fixed --> fixed
     
