DoS vulnerability: cause resource exhaustion

Bug #1881982 reported by Seong-Joong Kim
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
whoopsie (Ubuntu)
Medium
Marc Deslauriers
Xenial
Medium
Marc Deslauriers
Bionic
Medium
Marc Deslauriers
Eoan
Medium
Marc Deslauriers
Focal
Medium
Marc Deslauriers
Groovy
Medium
Marc Deslauriers

Bug Description

Hi,

I have found a security issue on whoopsie 0.2.69 and earlier.

# Vulnerability description
The parse_report() function in whoopsie.c allows attackers to cause a denial of service (memory leak) via a crafted file.
Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary process.
This results in the process being terminated by the OOM killer.

# Details
We have found a memory leak vulnerability during the parsing the crash file, when a collision occurs on GHashTable through g_hash_table_insert().
According to [1], if the key already exists in the GHashTable, its current value is replaced with the new value.
If 'key_destory_func' and 'value_destroy_func' are supplied when creating the table, the old value and the passed key are freed using that function.
Unfortunately, whoopsie does not handle the old value and the passed key when collision happens.
If a crash file contains same repetitive key-value pairs, it leads to memory leak as much as the amount of repetition and results in denial-of-service.

[1] https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-insert

# PoC (*Please check the below PoC: whoopsie_killer.py)
1) Generates a certain malformed crash file that contains same repetitive key-value pairs.
2) Trigger the whoopsie to read the generated crash file.
3) After then, the whoopsie process has been killed.

# Mitigation (*Please check the below patch: g_hash_table_memory_leak.patch)
We should use g_hash_table_new_full() with ‘key_destroy_func’ and ‘value_destroy_func’ functions instead of g_hash_table_new().
Otherwise, before g_hash_table_insert(), we should check the collision via g_hash_table_lookup_extended() and obtain pointer to the old value and remove it.

Sincerely,

Related branches

Revision history for this message
Seong-Joong Kim (sungjungk) wrote :

Modification:
Correct the above issue.
Replace g_hash_table_new() with g_hash_table_new_full() and add 'key_destroy_func' and 'value_destroy_func' function.

description: updated
information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "g_hash_table_memory_leak.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Mathew Hodson (mhodson)
Changed in whoopsie (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Seong-Joong Kim (sungjungk) wrote :

This vulnerability may cause a memory exhaustion vulnerability in the function parse_report() in whoopsie.c, which allows attackers to cause a denial of service.

summary: - Memory leak in parse_report()
+ memory exhaustion in parse_report()
description: updated
Revision history for this message
Seong-Joong Kim (sungjungk) wrote : Re: memory exhaustion in parse_report()

Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary process.
This results in the process being terminated by the OOM killer.
Please check the following PoC: whoopsie_killer.py

description: updated
summary: - memory exhaustion in parse_report()
+ DoS vulnerability: cause resource exhaustion
Changed in whoopsie (Ubuntu):
status: New → Confirmed
assignee: nobody → Alex Murray (alexmurray)
Changed in whoopsie (Ubuntu):
assignee: Alex Murray (alexmurray) → Marc Deslauriers (mdeslaur)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Changed in whoopsie (Ubuntu Xenial):
status: New → Confirmed
Changed in whoopsie (Ubuntu Bionic):
status: New → Confirmed
Changed in whoopsie (Ubuntu Eoan):
status: New → Confirmed
Changed in whoopsie (Ubuntu Focal):
status: New → Confirmed
Changed in whoopsie (Ubuntu Xenial):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Bionic):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Eoan):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Focal):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Eoan):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Please use CVE-2020-11937 for this issue. Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.69ubuntu0.1

---------------
whoopsie (0.2.69ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Focal):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.52.5ubuntu0.5

---------------
whoopsie (0.2.52.5ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.62ubuntu0.5

---------------
whoopsie (0.2.62ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 08:55:26 -0400

Changed in whoopsie (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.71

---------------
whoopsie (0.2.71) groovy; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: integer overflow in bson parsing (LP: #1872560)
    - lib/bson/*: updated to latest upstream release.
    - CVE-2020-12135
  * SECURITY UPDATE: resource exhaustion via memory leak (LP: #1881982)
    - src/whoopsie.c, src/tests/test_parse_report.c: properly handle
      GHashTable.
    - CVE-2020-11937
  * SECURITY UPDATE: DoS via large data length (LP: #1882180)
    - src/whoopsie.c, src/whoopsie.h, src/tests/test_parse_report.c: limit
      the size of a report file.
    - CVE-2020-15570

 -- Brian Murray <email address hidden> Wed, 05 Aug 2020 15:00:45 -0700

Changed in whoopsie (Ubuntu Groovy):
status: Confirmed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote :

The Eoan Ermine has reached end of life, so this bug will not be fixed for that release

Changed in whoopsie (Ubuntu Eoan):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers