Bug 1213060 (CVE-2023-43771) - VUL-1: CVE-2023-43771: nqptp: NULL pointer dereference caused by invalid control port message
Status: IN_PROGRESS
Duplicates: 1215614
Alias: CVE-2023-43771
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assignee: Martin Pluskal
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-06 07:22 UTC by Wolfgang Frisch
Modified: 2024-04-15 07:18 UTC
CC List: 6 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2023-07-06 07:22:04 UTC
+++ This bug was initially created as a clone of Bug #1212951 +++
OBS devel project: network:time/nqptp
Upstream: https://github.com/mikebrady/nqptp

Unprivileged users can crash the nqptp daemon by sending an invalid packet to the control port. Any payload not containing a space character (0x20) will work.

Steps to reproduce:

> nc -w0 -u 127.0.0.1 9000 <<< ""

> $ ./nqptp
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==7787==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f19d7ac57cd bp 0x7ffe74976fe0 sp 0x7ffe74976770 T0)
> ==7787==The signal is caused by a READ memory access.
> ==7787==Hint: address points to the zero page.
> 	#0 0x7f19d7ac57cd  (/lib64/libasan.so.8+0xc57cd) (BuildId: 44194dcf14c212b57346030492309d59d5379ae1)
> 	#1 0x406f11 in handle_control_port_messages /home/wfrisch/audit/bsc-1212951-nqptp/nqptp/nqptp-message-handlers.c:72
> 	#2 0x403da3 in main /home/wfrisch/audit/bsc-1212951-nqptp/nqptp/nqptp.c:339
> 	#3 0x7f19d782abaf in __libc_start_call_main (/lib64/libc.so.6+0x27baf) (BuildId: 1390809fc3a065502adfa6735d294c2c86aebe4d)
> 	#4 0x7f19d782ac78 in __libc_start_main_alias_1 (/lib64/libc.so.6+0x27c78) (BuildId: 1390809fc3a065502adfa6735d294c2c86aebe4d)
> 	#5 0x402514 in _start ../sysdeps/x86_64/start.S:115
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xc57cd) (BuildId: 44194dcf14c212b57346030492309d59d5379ae1)
> ==7787==ABORTING

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
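The report above says the crash is triggered by any datagram that contains no space character, which is the classic shape of a delimiter lookup whose NULL result is dereferenced. The following is an added example of a defensive control-message parser; it is not nqptp's code, and the "<command> <argument>" message format, the buffer sizes and the function names are assumptions made for illustration. The point it shows is that the delimiter search is length-bounded (the datagram need not be NUL-terminated), that a missing delimiter is rejected instead of dereferenced, and that a malformed message is dropped while the daemon keeps running.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical control message layout: "<command> <argument>" in one UDP datagram.
 * This is an assumption for the example, not nqptp's real wire format. */
#define CMD_MAX 16
#define ARG_MAX 64

typedef struct {
    char command[CMD_MAX];
    char argument[ARG_MAX];
} control_msg;

/* Parse one datagram of `len` bytes into `out`.
 * Returns 0 on success, -1 if the datagram is malformed.
 * The datagram is NOT assumed to be NUL-terminated: `len` bounds every access. */
int parse_control_message(const char *buf, size_t len, control_msg *out) {
    if (buf == NULL || out == NULL || len == 0)
        return -1;

    /* memchr rather than strchr: stays inside the datagram even without a NUL. */
    const char *sp = memchr(buf, ' ', len);
    if (sp == NULL)
        return -1;            /* the case from the report: no space -> reject, never dereference */

    size_t cmd_len = (size_t)(sp - buf);
    const char *arg = sp + 1;
    size_t arg_len = len - cmd_len - 1;

    /* Strip a trailing newline or NUL that tools such as nc may append. */
    while (arg_len > 0 && (arg[arg_len - 1] == '\n' || arg[arg_len - 1] == '\0'))
        arg_len--;

    /* Empty or oversized fields are malformed too. */
    if (cmd_len == 0 || cmd_len >= CMD_MAX || arg_len == 0 || arg_len >= ARG_MAX)
        return -1;

    memcpy(out->command, buf, cmd_len);
    out->command[cmd_len] = '\0';
    memcpy(out->argument, arg, arg_len);
    out->argument[arg_len] = '\0';
    return 0;
}

/* Hypothetical handler: a bad message is logged and dropped, the daemon keeps serving.
 * Returns 1 if the message was accepted for dispatch, 0 if it was dropped. */
int handle_control_port_message(const char *buf, size_t len) {
    control_msg m;
    if (parse_control_message(buf, len, &m) != 0) {
        fprintf(stderr, "control port: dropping malformed datagram (%zu bytes)\n", len);
        return 0;
    }
    /* ... dispatch on m.command / m.argument here ... */
    return 1;
}

int main(void) {
    /* Constructed samples: the empty line from the report, a spaceless word,
     * a message with an empty argument, and a well-formed one. */
    const char *samples[] = { "\n", "set", "set \n", "set clock0\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = handle_control_port_message(samples[i], strlen(samples[i]));
        printf("sample %zu: %s\n", i, ok ? "accepted" : "dropped");
    }
    return 0;
}
```

Run with the datagram's byte count, not strlen(), in a real receive loop: recvfrom() returns the length, and that is the only bound the parser should trust.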
Comment 1 Wolfgang Frisch 2023-07-20 16:13:52 UTC
Forwarded to upstream
Comment 2 Wolfgang Frisch 2023-09-04 08:48:29 UTC
2023-09-01: Upstream confirmed they're working on this.
Comment 3 Wolfgang Frisch 2023-09-21 10:58:54 UTC
Fixed by upstream:
https://github.com/mikebrady/nqptp/releases/tag/1.2.3
Comment 4 Wolfgang Frisch 2023-09-25 07:46:21 UTC
*** Bug 1215614 has been marked as a duplicate of this bug. ***
Comment 5 Wolfgang Frisch 2023-09-25 07:48:47 UTC
(In reply to Hu from comment #1)
> Affected: 
> - openSUSE:Factory/nqptp 1.2.1