Null-pointer-dereference - Envoy::Server::ActiveTcpSocket::GenericListenerFilter::onAccept #23520

Closed
stasos24 opened this issue Oct 17, 2022 · 3 comments · Fixed by #23537

stasos24 commented Oct 17, 2022
Hello, I've found a null-pointer dereference while fuzzing the tls inspector harness.

Repro steps:

config {
  enable_ja3_fingerprinting {
  }
}
fuzzed {
  data: ""
}


Call Stack:

==2255801==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002d68388 bp 0x7fffb59bf850 sp 0x7fffb59bf830 T0)
==2255801==The signal is caused by a READ memory access.
==2255801==Hint: address points to the zero page.
#0 0x2d68388 in Envoy::Server::ActiveTcpSocket::GenericListenerFilter::onAccept(Envoy::Network::ListenerFilterCallbacks&) /proc/self/cwd/./source/server/active_tcp_socket.h:51:32
#1 0x2d668a9 in Envoy::Server::ActiveTcpSocket::continueFilterChain(bool) /proc/self/cwd/source/server/active_tcp_socket.cc:120:48
#2 0x2d48af8 in startFilterChain /proc/self/cwd/./source/server/active_tcp_socket.h:88:29
#3 0x2d48af8 in Envoy::Server::ActiveStreamListenerBase::onSocketAccepted(std::__1::unique_ptr<Envoy::Server::ActiveTcpSocket, std::__1::default_delete<Envoy::Server::ActiveTcpSocket> >) /proc/self/cwd/./source/server/active_stream_listener_base.h:88:22
#4 0x2d485f4 in Envoy::Server::ActiveTcpListener::onAcceptWorker(std::__1::unique_ptr<Envoy::Network::ConnectionSocket, std::__1::default_delete<Envoy::Network::ConnectionSocket> >&&, bool, bool) /proc/self/cwd/source/server/active_tcp_listener.cc:116:3
#5 0x2d46f80 in Envoy::Server::ActiveTcpListener::onAccept(std::__1::unique_ptr<Envoy::Network::ConnectionSocket, std::__1::default_delete<Envoy::Network::ConnectionSocket> >&&) /proc/self/cwd/source/server/active_tcp_listener.cc:87:3
#6 0x393a1c9 in Envoy::Network::TcpListenerImpl::onSocketEvent(short) /proc/self/cwd/source/common/network/tcp_listener_impl.cc:89:9
#7 0x394065c in operator() /proc/self/cwd/source/common/network/tcp_listener_impl.cc:105:55
#8 0x394065c in __invoke<(lambda at source/common/network/tcp_listener_impl.cc:105:21) &, unsigned int> /usr/local/bin/../include/c++/v1/type_traits:3592:23
#9 0x394065c in __call<(lambda at source/common/network/tcp_listener_impl.cc:105:21) &, unsigned int> /usr/local/bin/../include/c++/v1/__functional/invoke.h:61:9
#10 0x394065c in operator() /usr/local/bin/../include/c++/v1/__functional/function.h:181:16
#11 0x394065c in std::__1::__function::__func<Envoy::Network::TcpListenerImpl::TcpListenerImpl(Envoy::Event::DispatcherImpl&, Envoy::Random::RandomGenerator&, Envoy::Runtime::Loader&, std::__1::shared_ptr<Envoy::Network::Socket>, Envoy::Network::TcpListenerCallbacks&, bool, bool)::, std::__1::allocator<Envoy::Network::TcpListenerImpl::TcpListenerImpl(Envoy::Event::DispatcherImpl&, Envoy::Random::RandomGenerator&, Envoy::Runtime::Loader&, std::__1::shared_ptr<Envoy::Network::Socket>, Envoy::Network::TcpListenerCallbacks&, bool, bool)::>, void (unsigned int)>::operator()(unsigned int&&) /usr/local/bin/../include/c++/v1/__functional/function.h:355:12
#12 0x3869008 in operator() /usr/local/bin/../include/c++/v1/__functional/function.h:508:16
#13 0x3869008 in operator() /usr/local/bin/../include/c++/v1/__functional/function.h:1185:12
#14 0x3869008 in operator() /proc/self/cwd/source/common/event/dispatcher_impl.cc:184:9
#15 0x3869008 in __invoke<(lambda at source/common/event/dispatcher_impl.cc:182:7) &, unsigned int> /usr/local/bin/../include/c++/v1/type_traits:3592:23
#16 0x3869008 in __call<(lambda at source/common/event/dispatcher_impl.cc:182:7) &, unsigned int> /usr/local/bin/../include/c++/v1/__functional/invoke.h:61:9
#17 0x3869008 in operator() /usr/local/bin/../include/c++/v1/__functional/function.h:181:16
#18 0x3869008 in std::__1::__function::__func<Envoy::Event::DispatcherImpl::createFileEvent(int, std::__1::function<void (unsigned int)>, Envoy::Event::FileTriggerType, unsigned int)::, std::__1::allocator<Envoy::Event::DispatcherImpl::createFileEvent(int, std::__1::function<void (unsigned int)>, Envoy::Event::FileTriggerType, unsigned int)::>, void (unsigned int)>::operator()(unsigned int&&) /usr/local/bin/../include/c++/v1/__functional/function.h:355:12
#19 0x38738d4 in operator() /usr/local/bin/../include/c++/v1/__functional/function.h:508:16
#20 0x38738d4 in operator() /usr/local/bin/../include/c++/v1/__functional/function.h:1185:12
#21 0x38738d4 in Envoy::Event::FileEventImpl::mergeInjectedEventsAndRunCb(unsigned int) /proc/self/cwd/source/common/event/file_event_impl.cc:161:3
#22 0x38745d3 in operator() /proc/self/cwd/source/common/event/file_event_impl.cc:82:16
#23 0x38745d3 in Envoy::Event::FileEventImpl::assignEvents(unsigned int, event_base*)::::__invoke(int, short, void*) /proc/self/cwd/source/common/event/file_event_impl.cc:66:7
#24 0x3d6c3ea in event_persist_closure /root/.cache/bazel/_bazel_root/4e9824db8e7d11820cfa25090ed4ed10/execroot/envoy/external/com_github_libevent_libevent/event.c:1645:9
#25 0x3d6c3ea in event_process_active_single_queue /root/.cache/bazel/_bazel_root/4e9824db8e7d11820cfa25090ed4ed10/execroot/envoy/external/com_github_libevent_libevent/event.c:1704:4
#26 0x3d5f03b in event_process_active /root/.cache/bazel/_bazel_root/4e9824db8e7d11820cfa25090ed4ed10/execroot/envoy/external/com_github_libevent_libevent/event.c
#27 0x3d5f03b in event_base_loop /root/.cache/bazel/_bazel_root/4e9824db8e7d11820cfa25090ed4ed10/execroot/envoy/external/com_github_libevent_libevent/event.c:2047:12
#28 0x3cfa7d9 in Envoy::Event::LibeventScheduler::run(Envoy::Event::Dispatcher::RunType) /proc/self/cwd/source/common/event/libevent_scheduler.cc:60:3
#29 0x3859a88 in Envoy::Event::DispatcherImpl::run(Envoy::Event::Dispatcher::RunType) /proc/self/cwd/source/common/event/dispatcher_impl.cc:299:19
#30 0x164e072 in Envoy::Extensions::ListenerFilters::ListenerFilterWithDataFuzzer::disconnect() /proc/self/cwd/test/extensions/filters/listener/common/fuzz/listener_filter_fuzzer.cc:78:18
#31 0x164e7d1 in Envoy::Extensions::ListenerFilters::ListenerFilterWithDataFuzzer::fuzz(std::__1::unique_ptr<Envoy::Network::ListenerFilter, std::__1::default_delete<Envoy::Network::ListenerFilter> >, test::extensions::filters::listener::FilterFuzzWithDataTestCase const&) /proc/self/cwd/test/extensions/filters/listener/common/fuzz/listener_filter_fuzzer.cc:90:3
#32 0x15685d6 in TestOneProtoInput /proc/self/cwd/test/extensions/filters/listener/tls_inspector/tls_inspector_fuzz_test.cc:34:10
#33 0x15685d6 in LLVMFuzzerTestOneInput /proc/self/cwd/test/extensions/filters/listener/tls_inspector/tls_inspector_fuzz_test.cc:12:1
#34 0x143b9d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#35 0x143b1ba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#36 0x143c889 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#37 0x143d555 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#38 0x142bc6f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#39 0x1455f12 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#40 0x7fcdeec1c082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#41 0x141c6ad in _start (/harness/tls_inspector_fuzz_test+0x141c6ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /proc/self/cwd/./source/server/active_tcp_socket.h:51:32 in Envoy::Server::ActiveTcpSocket::GenericListenerFilter::onAccept(Envoy::Network::ListenerFilterCallbacks&)
==2255801==ABORTING
stasos24 added labels: bug, triage (Issue requires triage) · Oct 17, 2022
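What a practitioner does with a report like the one above, before the fix lands, is triage it: confirm the crash class (ASan's "SEGV on unknown address 0x0" with the "address points to the zero page" hint is the signature of a null-pointer dereference, not of a bounds error), find the first frame that sits in the project's own sources rather than in libc++, libFuzzer or the harness, and derive a signature so a fuzzing campaign can de-duplicate further inputs that crash on the same path. The script below is an added example for that purpose; it is not part of Envoy or of its fuzz harness. It embeds an abridged copy of the report from this issue (most frames omitted) as sample input, and it assumes, from the paths visible in the trace, that project code lives under a `/source/` directory; that marker is an assumption of the example, not an Envoy convention.

```python
"""Triage an AddressSanitizer report from a fuzzing run.

Added example for this issue, not part of Envoy or of its fuzz harness: it
parses the report header and stack frames, classifies the crash (a READ of
address 0x0 is a null-pointer dereference, not a bounds error), picks the
first frame inside the project's own sources, and derives a stable signature
for de-duplicating inputs that crash on the same code path.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Abridged copy of the report posted in this issue (most frames omitted),
# embedded as constructed sample input so the script runs offline.
SAMPLE_REPORT = """\
==2255801==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002d68388 bp 0x7fffb59bf850 sp 0x7fffb59bf830 T0)
==2255801==The signal is caused by a READ memory access.
==2255801==Hint: address points to the zero page.
    #0 0x2d68388 in Envoy::Server::ActiveTcpSocket::GenericListenerFilter::onAccept(Envoy::Network::ListenerFilterCallbacks&) /proc/self/cwd/./source/server/active_tcp_socket.h:51:32
    #1 0x2d668a9 in Envoy::Server::ActiveTcpSocket::continueFilterChain(bool) /proc/self/cwd/source/server/active_tcp_socket.cc:120:48
    #2 0x2d48af8 in startFilterChain /proc/self/cwd/./source/server/active_tcp_socket.h:88:29
    #8 0x394065c in __invoke<(lambda at source/common/network/tcp_listener_impl.cc:105:21) &, unsigned int> /usr/local/bin/../include/c++/v1/type_traits:3592:23
    #30 0x164e072 in Envoy::Extensions::ListenerFilters::ListenerFilterWithDataFuzzer::disconnect() /proc/self/cwd/test/extensions/filters/listener/common/fuzz/listener_filter_fuzzer.cc:78:18
    #34 0x143b9d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
SUMMARY: AddressSanitizer: SEGV /proc/self/cwd/./source/server/active_tcp_socket.h:51:32 in Envoy::Server::ActiveTcpSocket::GenericListenerFilter::onAccept(Envoy::Network::ListenerFilterCallbacks&)
==2255801==ABORTING
"""

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-fA-F]+)(?: \(pc (?P<pc>0x[0-9a-fA-F]+)[^)]*\))?",
    re.MULTILINE,
)
# ASan words the access direction differently for signals and for bounds errors.
ACCESS_RE = re.compile(
    r"(?:caused by a (?P<sig>READ|WRITE) memory access|(?P<mem>READ|WRITE) of size \d+)"
)
# Symbolized frame; the "file:line[:col]" tail is absent for unsymbolized frames.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+) (?P<pc>0x[0-9a-fA-F]+) in (?P<func>.+?)"
    r"(?: (?P<file>/\S*?):(?P<line>\d+)(?::(?P<col>\d+))?)?\s*$",
    re.MULTILINE,
)
ZERO_PAGE = 0x1000  # range covered by ASan's "address points to the zero page" hint


@dataclass(frozen=True)
class Frame:
    idx: int
    pc: int
    func: str
    file: Optional[str]
    line: Optional[int]
    col: Optional[int]


@dataclass
class Crash:
    pid: int
    kind: str
    address: int
    pc: Optional[int]
    access: Optional[str]
    frames: List[Frame]


def parse_report(text: str) -> Crash:
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no AddressSanitizer error header found")
    a = ACCESS_RE.search(text)
    access = (a.group("sig") or a.group("mem")) if a else None
    frames = [
        Frame(int(f["idx"]), int(f["pc"], 16), f["func"], f["file"],
              int(f["line"]) if f["line"] else None,
              int(f["col"]) if f["col"] else None)
        for f in FRAME_RE.finditer(text)
    ]
    return Crash(int(m["pid"]), m["kind"], int(m["addr"], 16),
                 int(m["pc"], 16) if m["pc"] else None, access, frames)


def classify(crash: Crash) -> str:
    """A SEGV inside the zero page is a null pointer (possibly plus a small
    member offset); any other SEGV is a wild pointer; else ASan's own class."""
    if crash.kind == "SEGV":
        if crash.address < ZERO_PAGE:
            return "null-pointer-dereference"
        return "wild-" + (crash.access or "unknown").lower()
    return crash.kind.lower()


def project_frames(crash: Crash, marker: str = "/source/") -> List[Frame]:
    """Frames in the project's own tree (assumed to live under /source/);
    libc++, libFuzzer, external deps and the test harness are dropped as noise."""
    return [f for f in crash.frames if f.file and marker in f.file]


def culprit(crash: Crash) -> Optional[Frame]:
    frames = project_frames(crash)
    return frames[0] if frames else None


def signature(crash: Crash, depth: int = 3) -> str:
    """Stable id for de-duplication: crash class plus the top in-project
    functions. Addresses and pids differ between runs, so they are excluded."""
    key = [classify(crash)] + [f.func for f in project_frames(crash)[:depth]]
    return hashlib.sha256("\n".join(key).encode()).hexdigest()[:16]


if __name__ == "__main__":
    crash = parse_report(SAMPLE_REPORT)
    top = culprit(crash)
    print(f"class:     {classify(crash)}")
    print(f"access:    {crash.access} at {crash.address:#x}")
    print(f"culprit:   {top.func} at {top.file}:{top.line}:{top.col}")
    print(f"signature: {signature(crash)}")
```

Run on the report above it reports the class as null-pointer-dereference with the culprit frame at source/server/active_tcp_socket.h:51:32, the same location ASan's SUMMARY line names. The signature deliberately hashes function names rather than addresses or line numbers, so it survives rebuilds and small unrelated edits; widen `depth` if one crash site is reachable from several distinct callers that you want to track separately.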

soulxu commented Oct 17, 2022

I can take a look at this


soulxu commented Oct 17, 2022

/assign

phlax added this to the 1.24.0 milestone Oct 17, 2022

soulxu commented Oct 18, 2022

/assign @KBaichoo

@KBaichoo already has a fix; he will submit it soon, tomorrow. Thanks for that!

6 participants