Fix panic in MSSQL when Login7 package is invalid #10452

Merged
merged 3 commits into from
Mar 1, 2022


jakule (Contributor) commented Feb 18, 2022

I decided to give a shot to Go's new fuzzer and this is one of my findings. Function ReadLogin7Packet panics for some inputs. I added a fix for the inputs that the fuzzer discovered. I also added a fuzz test guarded by go1.18 for now, as it would fail to build with our current setup.

@jakule jakule requested a review from r0mant February 18, 2022 14:15
@github-actions github-actions bot added the database-access Database access related issues and PRs label Feb 18, 2022
f.Fuzz(func(t *testing.T, packet []byte) {
reader := bytes.NewReader(packet)
// no assertion, check for panic
ReadLogin7Packet(reader)
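Review bot: the bare call ReadLogin7Packet(reader) on the last line throws away whatever the function returns, so this fuzz target can only catch panics, and it states that in a comment rather than in code. Capture the result and assert an invariant that must hold for any input, for example that a successful return never comes with an empty result, so the fuzzer can also flag malformed inputs that are silently accepted.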
Collaborator

Contributor Author

Good idea. I forgot about that function. testify has an assertion for every occasion :)

Comment on lines 153 to 151
if len(pkt.Data) <= int(header.IbUserName) {
return "", errInvalidPackage
}
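Review bot: the `<=` in `len(pkt.Data) <= int(header.IbUserName)` rejects an offset equal to len(pkt.Data), which Go allows as the start of an empty slice, so a packet with a zero-length user name placed at the very end of the data would be refused. The check also bounds only the start of the field; what has to fit inside pkt.Data is the end (offset plus length), so either compare that end against len(pkt.Data) or drop this check if an earlier one already does.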
Collaborator

Isn't this condition already covered by the check above? Unless CchUserName is somehow negative...

Contributor Author

You're right. I remember that at some point I was getting a negative value, but after some cleanup now this if is not needed anymore and CchUserName is uint16, so it will never be negative. Re-tested and removed.

lib/srv/db/sqlserver/protocol/login7.go (Outdated)
Comment on lines 173 to 167
if len(pkt.Data) < int(header.IbDatabase) {
return "", errInvalidPackage
}
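Review bot: errInvalidPackage, returned in this check, names a "package" while the thing being rejected is a packet; rename it to errInvalidPacket so the identifier matches ReadLogin7Packet and the "invalid login7 packet" message. A one-line comment on why this comparison is `<` would also help, since an offset equal to len(pkt.Data) is a valid position for an empty field and the operator is easy to "fix" by mistake.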
Collaborator

Same q as above. Also, you have < condition here and <= condition in a similar check above.

Contributor Author

The same as above. Removed, but here is why < is required in this case:

% go test -count=1 ./...
--- FAIL: TestReadLogin7 (0.00s)
    protocol_test.go:50: 
                Error Trace:    protocol_test.go:50
                Error:          Received unexpected error:
                                invalid login7 packet
                Test:           TestReadLogin7
FAIL
FAIL    github.com/gravitational/teleport/lib/srv/db/sqlserver/protocol 0.496s
?       github.com/gravitational/teleport/lib/srv/db/sqlserver/protocol/fixtures        [no test files]
FAIL

Otherwise the TestReadLogin7 fails as it tries to read the last element from the slice (it won't panic. In this case last element is bounded by last element here: pkt.Data[136:136] with len 136).
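The boundary discussed in this exchange, as an added example that is not code from this pull request or from Teleport: a single end-of-field check that accepts an empty field sitting exactly at the end of the data (the `pkt.Data[136:136]` case) and rejects anything that would slice out of range. `readField`, `errInvalidPacket` and the sample bytes are hypothetical names and constructed data; the field is assumed to be an offset in bytes plus a length in UTF-16 characters.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
)

// errInvalidPacket is a stand-in for the error returned in the PR.
var errInvalidPacket = errors.New("invalid login7 packet")

// readField is a hypothetical helper (assumption, not Teleport's code). It
// returns the UTF-16LE string of cch characters starting at byte offset ib.
func readField(data []byte, ib, cch uint16) (string, error) {
	// Widen to int before the arithmetic so ib + cch*2 cannot wrap in uint16.
	start := int(ib)
	end := start + int(cch)*2
	// Only the end needs checking, because start <= end. The comparison is
	// ">" and not ">=": data[n:n] with n == len(data) is a legal empty slice.
	if end > len(data) {
		return "", errInvalidPacket
	}
	raw := data[start:end]
	units := make([]uint16, 0, cch)
	for i := 0; i+1 < len(raw); i += 2 {
		units = append(units, uint16(raw[i])|uint16(raw[i+1])<<8)
	}
	return string(utf16.Decode(units)), nil
}

func main() {
	// Constructed sample: 4 filler bytes followed by "sa" in UTF-16LE.
	data := []byte{0, 0, 0, 0, 's', 0, 'a', 0}
	cases := []struct{ ib, cch uint16 }{
		{4, 2},         // well-formed field
		{8, 0},         // empty field at the very end: accepted
		{9, 0},         // offset past the end: rejected
		{4, 3},         // length runs past the end: rejected
		{65535, 65535}, // would wrap if computed in uint16: rejected
	}
	for _, c := range cases {
		s, err := readField(data, c.ib, c.cch)
		fmt.Printf("ib=%d cch=%d -> %q, err=%v\n", c.ib, c.cch, s, err)
	}
}
```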

@jakule jakule force-pushed the jakule/mssql-fuzz-panic branch from 1a5d620 to 7982cad Compare February 24, 2022 19:06
@jakule jakule requested a review from r0mant February 24, 2022 19:06
@jakule jakule force-pushed the jakule/mssql-fuzz-panic branch from 7982cad to c69479f Compare February 24, 2022 19:08
Contributor

@smallinsky smallinsky left a comment

LGTM. @r0mant Could you take a second look?

@jakule jakule force-pushed the jakule/mssql-fuzz-panic branch from c69479f to 8d33c45 Compare March 1, 2022 03:15
jakule (Contributor Author) commented Mar 1, 2022

@r0mant Should we backport this to v9 branch?

@jakule jakule enabled auto-merge (squash) March 1, 2022 03:17
r0mant (Collaborator) commented Mar 1, 2022

@jakule Sure but please make sure that MSSQL access still works with this fix cc @smallinsky

@jakule jakule merged commit 24cafec into master Mar 1, 2022
@jakule jakule deleted the jakule/mssql-fuzz-panic branch March 1, 2022 03:35
jakule added a commit that referenced this pull request Mar 5, 2022