Bug 1213060 (CVE-2023-43771)

Summary: VUL-1: CVE-2023-43771: nqptp: NULL pointer dereference caused by invalid control port message
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Security
Assignee: Martin Pluskal <mpluskal>
Status: IN_PROGRESS ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P4 - Low
CC: carlos.lopez, cathy.hu, florian.meissner, mpluskal, qa-bugs, stoyan.manolov
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1212951
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2023-07-06 07:22:04 UTC
+++ This bug was initially created as a clone of Bug #1212951 +++
OBS devel project: network:time/nqptp
Upstream: https://github.com/mikebrady/nqptp

Unprivileged users can crash the nqptp daemon by sending an invalid packet to the control port. Any payload not containing a space character (0x20) will work.

Steps to reproduce:

> nc -w0 -u 127.0.0.1 9000 <<< ""

> $ ./nqptp
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==7787==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f19d7ac57cd bp 0x7ffe74976fe0 sp 0x7ffe74976770 T0)
> ==7787==The signal is caused by a READ memory access.
> ==7787==Hint: address points to the zero page.
> 	#0 0x7f19d7ac57cd  (/lib64/libasan.so.8+0xc57cd) (BuildId: 44194dcf14c212b57346030492309d59d5379ae1)
> 	#1 0x406f11 in handle_control_port_messages /home/wfrisch/audit/bsc-1212951-nqptp/nqptp/nqptp-message-handlers.c:72
> 	#2 0x403da3 in main /home/wfrisch/audit/bsc-1212951-nqptp/nqptp/nqptp.c:339
> 	#3 0x7f19d782abaf in __libc_start_call_main (/lib64/libc.so.6+0x27baf) (BuildId: 1390809fc3a065502adfa6735d294c2c86aebe4d)
> 	#4 0x7f19d782ac78 in __libc_start_main_alias_1 (/lib64/libc.so.6+0x27c78) (BuildId: 1390809fc3a065502adfa6735d294c2c86aebe4d)
> 	#5 0x402514 in _start ../sysdeps/x86_64/start.S:115
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xc57cd) (BuildId: 44194dcf14c212b57346030492309d59d5379ae1)
> ==7787==ABORTING

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
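Added example (editor's illustration, not code from the bug report, from nqptp, or from the upstream fix): a C sketch of the bug class the report describes, a control-port handler that looks for the 0x20 separator and uses the result without checking for NULL, next to a hardened handler that bounds the datagram by its length and rejects any message without the separator. The message grammar (a command word, a space, an argument), the `CTRL_MSG_MAX` bound and the output buffer sizes are assumptions; the page does not show nqptp's actual handler or what release 1.2.3 changed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed maximum control-port datagram; nqptp's real bound is not on the page. */
#define CTRL_MSG_MAX 512

enum ctrl_result {
    CTRL_OK = 0,
    CTRL_REJECT_NO_SPACE = -1,  /* no 0x20 separator: the input class the report describes */
    CTRL_REJECT_MALFORMED = -2  /* empty command, or a piece too large for its output buffer */
};

/* Vulnerable pattern (illustrative, not nqptp's code): the separator search is
 * assumed to succeed and its result is dereferenced unconditionally. A payload
 * with no space makes strchr return NULL; the read through it is the zero-page
 * READ that AddressSanitizer reports in the description. */
int handle_control_unchecked(const char *msg, size_t len,
                             char *cmd, size_t cmd_sz, char *arg, size_t arg_sz)
{
    char buf[CTRL_MSG_MAX];
    if (len >= sizeof buf)
        return CTRL_REJECT_MALFORMED;
    memcpy(buf, msg, len);
    buf[len] = '\0';

    char *sp = strchr(buf, ' ');        /* NULL when the payload has no space */
    size_t arg_len = strlen(sp + 1);    /* reads near address 0 when sp is NULL */
    *sp = '\0';
    snprintf(cmd, cmd_sz, "%s", buf);
    snprintf(arg, arg_sz, "%.*s", (int)arg_len, sp + 1);
    return CTRL_OK;
}

/* Hardened handler: searches only the bytes the datagram actually carries
 * (UDP payloads are not NUL-terminated), rejects a missing separator with an
 * early return instead of a dereference, and checks both pieces against their
 * output buffers before copying. */
int handle_control_checked(const char *msg, size_t len,
                           char *cmd, size_t cmd_sz, char *arg, size_t arg_sz)
{
    if (len >= CTRL_MSG_MAX)
        return CTRL_REJECT_MALFORMED;

    const char *sp = memchr(msg, ' ', len);
    if (sp == NULL)
        return CTRL_REJECT_NO_SPACE;

    size_t cmd_len = (size_t)(sp - msg);
    size_t arg_len = len - cmd_len - 1;
    /* Drop one trailing newline: "nc ... <<< text" appends it to the datagram. */
    if (arg_len > 0 && sp[arg_len] == '\n')
        arg_len--;
    if (cmd_len == 0 || cmd_len >= cmd_sz || arg_len >= arg_sz)
        return CTRL_REJECT_MALFORMED;

    memcpy(cmd, msg, cmd_len);
    cmd[cmd_len] = '\0';
    memcpy(arg, sp + 1, arg_len);
    arg[arg_len] = '\0';
    return CTRL_OK;
}

int main(void)
{
    /* Constructed payloads, not captured traffic. The first is the lone newline
     * that the reproducer's `nc -w0 -u 127.0.0.1 9000 <<< ""` sends. */
    const char *payloads[] = { "\n", "hello", "clock 12345\n", "  " };
    char cmd[32], arg[64];

    for (size_t i = 0; i < sizeof payloads / sizeof payloads[0]; i++) {
        size_t len = strlen(payloads[i]);
        int r = handle_control_checked(payloads[i], len, cmd, sizeof cmd, arg, sizeof arg);
        if (r == CTRL_OK)
            printf("accepted: cmd=%s arg=%s\n", cmd, arg);
        else
            printf("rejected (%d): %zu-byte datagram\n", r, len);
    }
    return 0;
}
```

Only the checked handler is fed the separator-less payloads; calling `handle_control_unchecked` on them reproduces the crash rather than demonstrating anything. The check that matters is the `sp == NULL` test before any use of the separator; bounding by the datagram length instead of relying on a terminator is the companion fix for the same input path.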
Comment 1 Wolfgang Frisch 2023-07-20 16:13:52 UTC
Forwarded to upstream
Comment 2 Wolfgang Frisch 2023-09-04 08:48:29 UTC
2023-09-01: Upstream confirmed they're working on this.
Comment 3 Wolfgang Frisch 2023-09-21 10:58:54 UTC
Fixed by upstream:
https://github.com/mikebrady/nqptp/releases/tag/1.2.3
Comment 4 Wolfgang Frisch 2023-09-25 07:46:21 UTC
*** Bug 1215614 has been marked as a duplicate of this bug. ***
Comment 5 Wolfgang Frisch 2023-09-25 07:48:47 UTC
(In reply to Hu from comment #1)
> Affected: 
> - openSUSE:Factory/nqptp 1.2.1