
fix disque-cli buffer overflow (related to CVE-2018-12326) #217

Open
wants to merge 1 commit into master

Conversation

WOOSEUNGHOON

Hi.

We discovered that the CVE-2018-12326 vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2018-12326), discovered in Redis, affects the latest version of disque.

  • Tested machine: Ubuntu 18.04.4 LTS

  • Tested disque: Master version (March 17, 2021)

  • GCC version: gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0

  • Compile option: CFLAGS=-fsanitize=address CXXFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address make

  • Log:

$ ./src/disque -h `python -c 'print "a" * 3000'`

==17372==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55ea0415f2dd at pc 0x7f6e0816ff09 bp 0x7fffb707a780 sp 0x7fffb7079f10
WRITE of size 3 at 0x55ea0415f2dd thread T0
#0 0x7f6e0816ff08 in __interceptor_vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xa0f08)
#1 0x7f6e08170286 in snprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xa1286)
#2 0x55ea03e895fa in repl /home/ksyang/test/disque/src/disque-cli.c:906
#3 0x55ea03e895fa in main /home/ksyang/test/disque/src/disque-cli.c:1976
#4 0x7f6e07ae0b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#5 0x55ea03e8a469 in _start (/home/ksyang/test/disque/src/disque+0x22469)

0x55ea0415f2dd is located 3 bytes to the left of global variable 'dss_prev' defined in 'src/chunk_dss.c:25:15' (0x55ea0415f2e0) of size 8
0x55ea0415f2dd is located 53 bytes to the right of global variable 'dss_max' defined in 'src/chunk_dss.c:27:15' (0x55ea0415f2a0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xa0f08) in __interceptor_vsnprintf
Shadow bytes around the buggy address:
0x0abdc0823e00: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0abdc0823e10: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0abdc0823e20: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0abdc0823e30: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0abdc0823e40: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0abdc0823e50: 00 00 00 00 00 f9 f9 f9 f9 f9 f9[f9]00 f9 f9 f9
0x0abdc0823e60: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0abdc0823e70: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0abdc0823e80: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0abdc0823e90: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
0x0abdc0823ea0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17372==ABORTING

This is an arbitrary write vulnerability due to confusion over snprintf return values.
Although this disque repository does not currently seem to be maintained, many people still use this software, so the vulnerability should be patched, and thus we reported it.

We applied a code patch similar to that of CVE-2018-12326, and confirmed that the vulnerability was no longer triggered after applying the patch.

We would appreciate it if you would apply it after confirmation.

Thank you.
Seunghoon Woo, Kyeongseok Yang
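The bug class behind CVE-2018-12326, as an added example that is not code from disque, from Redis, or from this pull request. snprintf returns the length the formatted string would have had, not the number of bytes it stored, so a prompt builder that chains calls as `len += snprintf(buf + len, sizeof(buf) - len, ...)` ends up with `buf + len` past the end of the array and `sizeof(buf) - len` wrapped to a huge size_t as soon as the host argument is longer than the buffer. Redis fixed its copy by rebuilding the prompt in a growable sds string; the hardened builder below instead keeps a fixed buffer and tracks the number of bytes actually stored. The 128-byte `PROMPT_SIZE`, the port 7711 and the `host:port[db]> ` layout are assumptions made for the example, and the long host string is constructed inline to mirror the reporter's `python -c 'print "a" * 3000'` argument; the buggy arithmetic is only computed and reported, never executed as a write.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROMPT_SIZE 128   /* assumed size of the fixed prompt buffer */

/* Constructed input: a host name of n 'a' bytes, mirroring the reporter's
 * `-h $(python -c 'print "a" * 3000')` argument. Caller frees. */
static char *constructed_host(size_t n) {
    char *h = malloc(n + 1);
    if (!h) return NULL;
    memset(h, 'a', n);
    h[n] = '\0';
    return h;
}

/* The unsafe idiom: the running offset is the *return value* of the previous
 * snprintf. Once the host is longer than the buffer, len exceeds
 * sizeof(prompt), prompt+len points past the array and sizeof(prompt)-len
 * wraps around. This function only computes what the next chained call
 * would be handed (offset via *next_offset, size as the return value); it
 * never performs that call. */
size_t buggy_next_size(size_t host_len, size_t *next_offset) {
    char prompt[PROMPT_SIZE];
    char *host = constructed_host(host_len);
    int len = snprintf(prompt, sizeof(prompt), "%s:%d", host ? host : "", 7711);
    free(host);
    if (len < 0) len = 0;
    if (next_offset) *next_offset = (size_t)len;      /* prompt + len */
    return sizeof(prompt) - (size_t)len;              /* wraps when len > 128 */
}

/* True when the chained call would receive a wrapped (out-of-bounds) size. */
bool buggy_would_overflow(size_t host_len) {
    return buggy_next_size(host_len, NULL) > PROMPT_SIZE;
}

/* Hardened append: `used` is the number of bytes actually stored, never the
 * would-be length, so cursor and remaining size always stay inside buf. */
static size_t bounded_append(char *buf, size_t bufsz, size_t used,
                             const char *fmt, ...) {
    if (bufsz == 0) return 0;
    if (used >= bufsz) used = bufsz - 1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + used, bufsz - used, fmt, ap);
    va_end(ap);
    if (n < 0) { buf[used] = '\0'; return used; }
    size_t room = bufsz - used - 1;                   /* bytes before the NUL slot */
    return used + ((size_t)n < room ? (size_t)n : room);
}

/* Builds "host:port[db]> " into a fixed buffer, truncating the host part if
 * needed but always keeping the trailing "> " marker and a NUL terminator.
 * Returns the stored length. Needs bufsz >= 4. */
size_t build_prompt_safe(char *buf, size_t bufsz, const char *host, int port,
                         int dbnum) {
    const char marker[] = "> ";
    const size_t mlen = sizeof(marker) - 1;
    if (bufsz < mlen + 2) { if (bufsz) buf[0] = '\0'; return 0; }
    size_t used = bounded_append(buf, bufsz, 0, "%s:%d", host, port);
    if (dbnum != 0) used = bounded_append(buf, bufsz, used, "[%d]", dbnum);
    if (used + mlen >= bufsz) used = bufsz - 1 - mlen; /* drop host tail, keep marker */
    memcpy(buf + used, marker, mlen + 1);             /* copies the NUL too */
    return used + mlen;
}

/* Check of the hardened path against a host of host_len bytes: true when the
 * result fits the buffer, is NUL-terminated and ends with the marker. */
bool safe_prompt_ok(size_t host_len, int dbnum) {
    char prompt[PROMPT_SIZE];
    char *host = constructed_host(host_len);
    if (!host) return false;
    size_t n = build_prompt_safe(prompt, sizeof(prompt), host, 7711, dbnum);
    free(host);
    return n < sizeof(prompt) && strlen(prompt) == n && n >= 2 &&
           strcmp(prompt + n - 2, "> ") == 0;
}

/* Exact-output check for short, non-truncated inputs. */
bool safe_prompt_equals(const char *host, int port, int dbnum,
                        const char *expected) {
    char prompt[PROMPT_SIZE];
    build_prompt_safe(prompt, sizeof(prompt), host, port, dbnum);
    return strcmp(prompt, expected) == 0;
}

int main(void) {
    size_t off;
    size_t sz = buggy_next_size(3000, &off);
    printf("buggy chain: offset %zu, size %zu (buffer is %d)\n", off, sz, PROMPT_SIZE);
    char prompt[PROMPT_SIZE];
    char *host = constructed_host(3000);
    build_prompt_safe(prompt, sizeof(prompt), host, 7711, 0);
    free(host);
    printf("hardened prompt (%zu bytes): %s\n", strlen(prompt), prompt);
    return 0;
}
```

The hardened version keeps a fixed buffer only to stay close to the reported code; a growable string, as in the Redis fix, avoids truncation entirely. Either way the invariant that matters is that the write cursor is derived from bytes stored, not from the snprintf return value.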
