Posted to issues@drill.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/06/05 21:11:04 UTC

[jira] [Commented] (DRILL-5541) C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV

    [ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037601#comment-16037601 ] 

ASF GitHub Bot commented on DRILL-5541:
---------------------------------------

GitHub user superbstreak opened a pull request:

    https://github.com/apache/drill/pull/850

    DRILL-5541: C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/superbstreak/drill DRILL-5541

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/850.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #850
    
----
commit 716db51df61d0ee47804217a6a133d1d1152b64a
Author: Rob Wu <ro...@gmail.com>
Date:   2017-06-05T21:06:33Z

    DRILL-5541: C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV

----


> C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
> ------------------------------------------------------------------------------------------
>
>                 Key: DRILL-5541
>                 URL: https://issues.apache.org/jira/browse/DRILL-5541
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Client - C++
>    Affects Versions: 1.10.0
>            Reporter: Rob Wu
>            Priority: Minor
>
> drillClient!boost_sb::shared_ptr<exec::user::GetSchemasResp>::reset<exec::user::GetSchemasResp>+0xa7:
> 000007fe`c292f827 f0ff4b08        lock dec dword ptr [rbx+8] ds:000007fe`c2b3de78=c29e6060
> Exploitability Classification: EXPLOITABLE
> Recommended Bug Title: Exploitable - User Mode Write AV starting at drillClient!boost_sb::shared_ptr<exec::user::GetSchemasResp>::reset<exec::user::GetSchemasResp>+0x00000000000000a7 (Hash=0x4ae7fdff.0xb15af658)
> User mode write access violations that are not near NULL are exploitable.
> ======================================
> Stack Trace:
> Child-SP          RetAddr           Call Site
> 00000000`030df630 000007fe`c295bca1 drillClient!boost_sb::shared_ptr<exec::user::GetSchemasResp>::reset<exec::user::GetSchemasResp>+0xa7 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\smart_ptr\shared_ptr.hpp @ 620]
> 00000000`030df680 000007fe`c295433c drillClient!Drill::DrillClientImpl::processSchemasResult+0x281 [c:\users\bamboo\desktop\make_win_drill\drill-1.10.0.1\drill-1.10.0.1\contrib\native\client\src\clientlib\drillclientimpl.cpp @ 1227]
> 00000000`030df7a0 000007fe`c294cbf6 drillClient!Drill::DrillClientImpl::handleRead+0x75c [c:\users\bamboo\desktop\make_win_drill\drill-1.10.0.1\drill-1.10.0.1\contrib\native\client\src\clientlib\drillclientimpl.cpp @ 1555]
> 00000000`030df9c0 000007fe`c294ce9f drillClient!boost_sb::asio::detail::win_iocp_socket_recv_op<boost_sb::asio::mutable_buffers_1,boost_sb::asio::detail::read_op<boost_sb::asio::basic_stream_socket<boost_sb::asio::ip::tcp,boost_sb::asio::stream_socket_service<boost_sb::asio::ip::tcp> >,boost_sb::asio::mutable_buffers_1,boost_sb::asio::detail::transfer_all_t,boost_sb::_bi::bind_t<void,boost_sb::_mfi::mf3<void,Drill::DrillClientImpl,unsigned char * __ptr64,boost_sb::system::error_code const & __ptr64,unsigned __int64>,boost_sb::_bi::list4<boost_sb::_bi::value<Drill::DrillClientImpl * __ptr64>,boost_sb::_bi::value<unsigned char * __ptr64>,boost_sb::arg<1>,boost_sb::arg<2> > > > >::do_complete+0x166 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\win_iocp_socket_recv_op.hpp @ 97]
> 00000000`030dfa90 000007fe`c296009d drillClient!boost_sb::asio::detail::win_iocp_io_service::do_one+0x27f [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\impl\win_iocp_io_service.ipp @ 406]
> 00000000`030dfb70 000007fe`c295ffc9 drillClient!boost_sb::asio::detail::win_iocp_io_service::run+0xad [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\impl\win_iocp_io_service.ipp @ 164]
> 00000000`030dfbd0 000007fe`c2aa5b53 drillClient!boost_sb::asio::io_service::run+0x29 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\impl\io_service.ipp @ 60]
> 00000000`030dfc10 000007fe`c2ad3e03 drillClient!boost_sb::`anonymous namespace'::thread_start_function+0x43
> 00000000`030dfc50 000007fe`c2ad404e drillClient!_callthreadstartex+0x17 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 376]
> 00000000`030dfc80 00000000`779e59cd drillClient!_threadstartex+0x102 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 354]
> 00000000`030dfcb0 00000000`77c1a561 kernel32!BaseThreadInitThunk+0xd
> 00000000`030dfce0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
> ======================================
> Register:
> rax=000000000284bae0 rbx=000007fec2b3de70 rcx=00000000027ec210
> rdx=00000000027ec210 rsi=00000000027f2638 rdi=00000000027f25d0
> rip=000007fec292f827 rsp=00000000030df630 rbp=00000000027ec210
>  r8=00000000027ec210  r9=0000000000000000 r10=00000000027d32fc
> r11=000027eb001b0003 r12=00000000ffffffff r13=00000000028035a0
> r14=00000000027ec210 r15=0000000000000000
> iopl=0         nv up ei pl nz na pe nc
> cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
> drillClient!boost_sb::shared_ptr<exec::user::GetSchemasResp>::reset<exec::user::GetSchemasResp>+0xa7:
> 000007fe`c292f827 f0ff4b08        lock dec dword ptr [rbx+8] ds:000007fe`c2b3de78=c29e6060



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)