Openvas-scanner 6.0 dies with segfault for too many hosts

tdussa · May 24, 2019, 12:23pm

Hi,

the update to OpenVAS Scanner 6.0 broke one of my scan jobs. On closer inspection, /var/log/gvm/openvassd.log shows that the scanner tries to resolve interesting host names and subsequently falls over:

[...]
base hosts:WARNING:2019-05-24 09h09.08 utc:27074: Couldn't resolve hostname 0
base hosts:WARNING:2019-05-24 09h09.08 utc:27074: Couldn't resolve hostname 
base hosts:WARNING:2019-05-24 09h09.09 utc:27074: Couldn't resolve hostname ) $|crea1
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: SIGSEGV occurred!
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(sighand_segv+0x39) [0x40dc29]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libc.so.6(+0x36280) [0x7f20d21dc280]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libgvm_base.so.10(gvm_hosts_resolve+0x40) [0x7f20d3a67dc0]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(attack_network+0x213) [0x407923]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock() [0x40ab0e]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(create_process+0xdd) [0x40d9dd]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(main+0x34b) [0x405c9b]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f20d21c83d5]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock() [0x405eb8]
[...]

This very much looks like a buffer overflow to me, and some bisection testing shows that for a hostname list that is 242 characters long, everything works fine, but one hostname more (for a total of 265 characters) triggers the problem. This suspiciously looks like a static buffer of size 256 to me.

Can anyone comment on this? This problem is a show stopper here, unfortunately – chunking up host lists to short-enough strings is not really an option.

Thanks a lot and cheers,
Toby.

cfi · May 24, 2019, 5:30pm

Please report segmentation faults directly to the team working on the scanner at https://github.com/greenbone/openvas-scanner/issues. Such issues posted here might get lost too easily.

There was also a recent PR fixing something on the hostname / host resolve topic (and especially the gvm_hosts_resolve function mentioned in the segfault), this could be related or even already fixed:

tdussa · May 29, 2019, 6:46am

Issue report here. Thanks for the pointer! Is it documented somewhere at all where people expect bug reports to go? I looked for some hints for like half a day before posting here.

k0nrad · May 31, 2019, 2:35pm

I have the same issue. It happens with a list of domain names but not with a list of ips. It looks to a buffer overflow to me too

cfi · July 21, 2019, 12:13pm

For the records, the PR below is now included in the last maintenance release for gvm-libs (10.0.1) since a few days: Release GVM Libraries v10.0.1 · greenbone/gvm-libs · GitHub