20906 – DoS when OOo is listening

Issue 20906 - DoS when OOo is listening

Summary: DoS when OOo is listening

Status:	CLOSED FIXED

Alias:	None

Product:	udk
Classification:	Code
Component:	code (show other issues)
Version:	OOo 1.1
Hardware:	All All

Importance:	P2 Trivial (vote)
Target Milestone:	OOo 1.1.1
Assignee:	pavel
QA Contact:	issues@udk

URL:
Keywords:

Depends on:
Blocks:

Reported:	2003-10-08 18:03 UTC by pavel
Modified:	2003-11-14 09:15 UTC (History)
CC List:	2 users (show)

See Also:
Issue Type:	DEFECT
Latest Confirmation in:	---
Developer Difficulty:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description pavel 2003-10-08 18:03:24 UTC

As reported on bugtraq:

================================
Illegalaccess.org Security Alert
================================

 Date        : 08/10/2003
 Application : Openoffice
 Version     : 1.1.0
 Website     : http://www.Openoffice.org
 Problems    : Desktop Denial-Of-Service
 Severity    : Low
 Contributor : Marc Schoenefeld, marc@org.illegalaccess

When enabling remote access (UNO) to OpenOffice,
it opens a port (default 8100). This is done typically with
the following command:

C:\Programme\oo1.1.0\program> soffice
"-accept=socket,host=<ip>,port=8100;urp;"

where <ip> states the listening address

When issuing the commands listed below, Openoffice crashes and
prompts the error reporting box.

===================================================================
C:\Dokumente und Einstellungen\User>telnet 127.0.0.1 8100
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
0
0
0
0
0
0
0
0
0
0
0
0
===================================================================

Immediate response: firewall this port as stated in the Developers guide in the
section "Make the office listen".

Comment 1 pavel 2003-10-08 18:04:14 UTC

Setting target for the next release.

Comment 2 atr 2003-10-09 07:45:02 UTC

atr->cn: Hi Christoph, please have a look.

Comment 3 chne 2003-10-10 10:42:16 UTC

I could not reproduce the behavior neither on Windows nor on Linux.
Can you more specity your environement?

Comment 4 pavel 2003-10-10 10:50:51 UTC

I could not reproduce exactly this too, but this works on GNU/Linux:

pavel@pavel:~> telnet localhost 8100
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
crash me !
Connection closed by foreign host.
pavel@pavel:~> 

system is SuSE Linux 8.2, OOo self-compiled with gcc 3.0.4. Can
procide any other details on request.

Comment 5 pavel 2003-10-15 09:16:39 UTC

cn: could you reproduce?

Comment 6 chne 2003-10-15 10:03:10 UTC

No I could not reproduces. I use also Suse 8.2. I've used actual
OOo1.1, no fault. Office works without any error, telnet try to
connect but could not. May be it's depends on you own complation?

Comment 7 pavel 2003-10-15 10:10:32 UTC

telnet did not connect?

Like this?

pavel@snowwhite:~> telnet localhost 8100
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

This means you do not have OOo running with listening enabled. Try this:
soffice "-accept=socket,host=127.0.0.1,port=8100;urp;"

Comment 8 chne 2003-10-15 10:37:50 UTC

I've got an enabled office. My result of telnet is:

my@host:/> telnet localhost 8100
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Comment 9 pavel 2003-10-15 10:41:07 UTC

great - now type:

crash me !

:-)

Comment 10 chne 2003-10-15 11:24:37 UTC

Yes, I can reproduce it :-(
But IMHO it is not realy a bug, because the UNO-Bridge does not
validate the traffic like CORBA it does. While UNO does not check the
traffic it is much faster then CORBA.
I try to figure out if it is fixable

Comment 11 lsuarezpotts 2003-10-23 23:34:30 UTC

btw, this is being reported on O'Reilly: 
 http://linux.oreillynet.com/pub/a/linux/2003/10/20/insecurities.html#ope
-louis, by way of Gordon S.

Comment 12 chne 2003-10-24 11:14:13 UTC

CN->KR: can you please hanlde this bug.

Comment 13 ingenstans 2003-10-24 17:43:09 UTC

But if this port is firewalled then OOo can only be crashed by someone 
telnetting in from the trusted network, right?

Comment 14 chne 2003-10-28 09:23:37 UTC

CN->KSO: as discussed I send this bug to you.

Comment 15 kai.sommerfeld 2003-10-28 14:49:32 UTC

Let's see what we can do here...

Comment 16 kai.sommerfeld 2003-10-30 11:48:32 UTC

KSO->MHU: As we've seen rtl_reAllocateMemory does not handle
out-of-memory condition correctly.

Comment 17 matthias.huetsch 2003-10-30 12:09:51 UTC

Accepting...

Comment 18 matthias.huetsch 2003-11-03 12:43:35 UTC

Files modified:

(1) porting/sal/rtl/source/alloc.c, r1.11.12.1
Fixed rtl_reallocateMemory() to properly handle 'used' bit even under
out-of-memory conditions.

(2) udk/bridges/source/remote/urp/urp_unmarhal.hxx, r1.6.80.1
Fixed Unmarshal::setSize() buffer reallocation to properly handle
out-of-memory conditions.

Both revisions with tag 'cws_srx645_ooo111fix1'.

Comment 19 pavel 2003-11-03 20:11:02 UTC

On my system compiled with uptodate fix1 with both changes applied:

oo@oo:~/OpenOffice.org1.1.0> ./soffice
"-accept=socket,host=127.0.0.1,port=8100;urp;"
sh: crash_report: command not found
Xlib: unexpected async reply (sequence 0x32fc)!

I did this in the other window:
oo@oo:~> telnet localhost 8100
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
crash me!

SuSe Linux 8.0 with gcc 3.0.4.

Comment 20 matthias.huetsch 2003-11-03 20:34:39 UTC

Hi Pavel,

Well, Kai and I checked it during debugging on Windows, and I checked
it on Solaris (Sparc) during fixing this. Both cases were okay after
my fix.

I haven't had the time to check it on Linux, yet (and I currently have
no complete up-to-date build either).

So, perhaps we need a few more days until the (supposed) fix is cross
checked on all platforms, with complete builds.

Matthias

Comment 21 pavel 2003-11-03 20:37:15 UTC

No problem. Should you need any help from me, I'm here. i can even
provide builds for you ;-)

Comment 22 matthias.huetsch 2003-11-06 17:33:40 UTC

Hi Pavel,

I've now cross checked the supposed fix under Linux (unxlngi5) as well,
and it is indeed fixed.

Your error message of 'Unexpected async X reply' looks suspicious, and
I think what you are seeing is something else.

Can you please compile both (alloc.c and the 'urp' remote bridge) with
debug? You should then see two assertions:

(1) '__rtl_memory_dequeue(): out of memory' and
(2) 'urp bridge: message size too large, terminating connection'

and a 'Connection closed by foreign host' or such from your telnet
client.

If you still crash, I need at least a backtrace of that crash.

I know the principle 'a single counter example disproves any theory',
but I still regard this issue as fixed, working for me on 3 platforms.

Matthias

Comment 23 pavel 2003-11-06 18:06:24 UTC

It does not crash directly after entering crash me!, but when trying
to open new window.

Please look at http://tmp.janik.cz/ooo-accept-crash.png

It is very clear from that screenshot. It is reproducible.

Could you please try it too?

1. run soffice
2. enter crash me! to telnet
3. try to open new window in OOo (File -> New).

I asked Dan to test it on his system too, so we have more data here.

Comment 24 matthias.huetsch 2003-11-06 18:59:57 UTC

Hi Pavel,

Well, I even did run the 'smoketest_oo/data/10erTest_auto.sxw' and did
that 'crash me !' test before, after, and even during, running that
'smoketest'. I did this multiple times, on Solaris and LinuxIntel.

Sorry, but the issue that you are seeing on your build is not
reproducable with my builds.

I really need more data (assertions from 'alloc.c', backtrace of the
crash, ...) if I shall investigate deeper into your crash.

Matthias

Comment 25 pavel 2003-11-06 19:07:12 UTC

Of course - I will provide them. Dan tested my build on his machine
and it worked correctly. On the other hand when he run the build from
the same machine as I do, the behavior was the same.

I'll provide more data.

Comment 26 pavel 2003-11-06 19:17:23 UTC

Here is the log when I compiled both projects with OSL_DEBUG_LEVEL 10:

Assertion Failed: File alloc.c, Line 935: __rtl_memory_dequeue(): out
of memory.
Backtrace: [0] /home/oo/OpenOffice.org1.1.0/program/libsal.so.3:
osl_assertFailedLine+0xa3
Backtrace: [1] /home/oo/OpenOffice.org1.1.0/program/libsal.so.3:
???+0x290dd
Backtrace: [2] /home/oo/OpenOffice.org1.1.0/program/libsal.so.3:
rtl_allocateMemory+0x5a
Backtrace: [3] /home/oo/OpenOffice.org1.1.0/program/libsal.so.3:
rtl_byte_sequence_constructNoDefault+0x3e
Backtrace: [4]
/home/oo/OpenOffice.org1.1.0/program/remotebridge.uno.so: ???+0x6958
Backtrace: [5] /home/oo/OpenOffice.org1.1.0/program/liburp_uno.so:
???+0x1d610
Backtrace: [6] /home/oo/OpenOffice.org1.1.0/program/liburp_uno.so:
???+0x113a2
Backtrace: [7] /home/oo/OpenOffice.org1.1.0/program/liburp_uno.so:
???+0x19e30
Backtrace: [8] /home/oo/OpenOffice.org1.1.0/program/libsal.so.3:
???+0x1a65e
Backtrace: [9] /lib/libpthread.so.0: ???+0x6e67
Backtrace: [10] /lib/libc.so.6: __clone+0x3a
Trace Message: 41e77000      65520          0
Trace Message: 42624000      65520          0
Trace Message: 4290d000      65520          0
Trace Message: 4291d000      65520          0
Trace Message: 429bb000      65520          0
Trace Message: 429cb000      65520          0
Trace Message: 429db000      65520         16
Trace Message: 429eb000      65520          0
Trace Message: 429fb000      65520          0
Trace Message: 42a0b000      65520          0
Trace Message: 42a1b000      65520          0
Trace Message: 4299a000      65520          0
Trace Message: 429aa000      65520          0
Trace Message: 42a2b000      65520          0
Trace Message: 42a3b000      65520          0
Trace Message: 42a4b000      65520          0
Trace Message: 42a5b000      65520          0
Trace Message: 42a6b000      65520          0
Trace Message: 42a7b000      65520          0
Trace Message: 42a8b000     135152          0
Trace Message: 4430c000      65520          0
Trace Message: 4431c000      65520          0
Trace Message: 4432c000      65520          0
Trace Message: 446ab000      65520         16
Trace Message: 44844000      65520         48
Trace Message: 44854000      65520          0
Trace Message: 44864000      65520          0
Trace Message: 44874000      65520          0
Trace Message: 44884000      65520          0
Trace Message: 44894000      65520          0
Trace Message: 448a4000      65520          0
Trace Message: 448b4000      65520          0
Trace Message: 448c4000      65520          0
Trace Message: 448e6000      65520          0
Trace Message: 448f6000      65520          0
Trace Message: 44923000      65520          0
Trace Message: 44933000      65520          0
Trace Message: 44953000      65520         80
Trace Message: 44973000      65520          0
Trace Message: 44983000      65520          0
Trace Message: 44993000      65520          0
Trace Message: 44906000      65520          0
Trace Message: 449a3000      65520          0
Trace Message: 449b3000      65520          0
Trace Message: 449c3000      65520          0
Trace Message: 449d3000      65520          0
Trace Message: 449e3000      65520          0
Trace Message: 449f3000      65520          0
Trace Message: 44a03000      65520          0
Trace Message: 44a13000      65520          0
Trace Message: 44943000      65520         48
Trace Message: 44963000      65520          0
Trace Message: 44a23000      65520         16
Trace Message: 44a33000      65520          0
Trace Message: 44a43000      65520          0
Trace Message: 44a53000      65520          0
Trace Message: 44a63000      65520          0
Trace Message: 44a73000      65520         32
Trace Message: 44a83000      65520         16
Trace Message: 44a93000      65520         16
Trace Message: 44aa3000      65520         16
Trace Message: 44ab3000      65520         32
Trace Message: 44ac3000      65520         16
Trace Message: 44ad3000      65520         16
Trace Message: 44ae3000      65520          0
Trace Message: 44af3000      65520         32
Trace Message: 44b03000      65520         16
Trace Message: 44b13000      65520          0
Trace Message: 45753000      65520          0
Trace Message: 45796000      65520          0
Trace Message: 457a6000      65520          0
Trace Message: 457b6000      65520          0
Trace Message: 457c6000      65520          0
Trace Message: 457d6000      65520          0
Trace Message: 458a7000      65520          0
Trace Message: 45ce4000      65520          0
Trace Message: 45cf4000      65520          0
Trace Message: 45d04000      65520         80
Trace Message: 45d14000      65520        336
Trace Message: 45d24000     208880          0
Trace Message: 45d57000     311280          0
Trace Message: 45da3000      65520         48
Trace Message: 45db3000      65520        624
Trace Message: 45dc3000      65520        384
Trace Message: 45dd3000      65520        416
Trace Message: 45de3000      65520        224
Trace Message: 45df3000      65520          0
Trace Message: 45e03000      65520      41320
Trace Message: 45e39000 1668444144          0
sh: crash_report: command not found


Fatal exception: Signal 11
Stack:
/home/oo/OpenOffice.org1.1.0/program/libsal.so.3[0x40be99e5]
/home/oo/OpenOffice.org1.1.0/program/libsal.so.3[0x40be9b57]
/home/oo/OpenOffice.org1.1.0/program/libsal.so.3[0x40be9ca0]
/lib/libpthread.so.0[0x41143a74]
/lib/libc.so.6[0x41301a38]
/home/oo/OpenOffice.org1.1.0/program/remotebridge.uno.so[0x4491c958]
/home/oo/OpenOffice.org1.1.0/program/liburp_uno.so[0x45e30610]
/home/oo/OpenOffice.org1.1.0/program/liburp_uno.so[0x45e243a2]
/home/oo/OpenOffice.org1.1.0/program/liburp_uno.so[0x45e2ce30]
/home/oo/OpenOffice.org1.1.0/program/libsal.so.3[0x40bdf65e]
/lib/libpthread.so.0[0x41140e67]
/lib/libc.so.6(__clone+0x3a)[0x413aa72a]

I can provide more data if you want to.

Comment 27 pavel 2003-11-06 19:20:02 UTC

The system on which this is running is:

SuSE Linux 8.0
gcc 3.0.4

Comment 28 matthias.huetsch 2003-11-06 20:46:59 UTC

Hi Pavel,

Here are the assertion traces that I get (on my Solaris build):

Assertion Failed: File alloc.c, Line 933: __rtl_memory_dequeue(): out
of memory.
Backtrace: [0]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/libsal.so.3:
osl_assertFailedLine+0xc0
Backtrace: [1]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/libsal.so.3:
osl_getFileStatus+0x2aac
Backtrace: [2]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/libsal.so.3:
rtl_reallocateMemory+0x3f4
Backtrace: [3]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/liburp_uno.so:
component_canUnload+0x20e04
Backtrace: [4]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/liburp_uno.so:
component_canUnload+0x201a0
Backtrace: [5]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/liburp_uno.so:
component_canUnload+0x1c3a0
Backtrace: [6]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/liburp_uno.so:
component_canUnload+0x241c
Backtrace: [7]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/libsal.so.3:
osl_getTextEncodingFromLocale+0x6a4
Backtrace: [8] /usr/lib/libthread.so.1: _getfp+0x124
Backtrace: [9]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/libsal.so.3:
osl_getTextEncodingFromLocale+0x568
Trace Message: ff150000      65520          0
Trace Message: fcfc0000      65520          0
Trace Message: fcd70000      65520          0
Trace Message: fccc0000      65520         96
Trace Message: fcc80000      65520         16
Trace Message: fcc60000      65520         16
Trace Message: fccf0000      65520          0
Trace Message: fcc40000      65520          0
Trace Message: fc3e0000      65520          0
Trace Message: fc3c0000      65520          0
Trace Message: fc3a0000      65520          0
Trace Message: fc060000      65520         48
Trace Message: fbff0000      65520          0
Trace Message: fbae0000      65520         48
Trace Message: fb9e0000      65520        128
Trace Message: fb900000      65520         80
Trace Message: fb3e0000      65520        480
Trace Message: fb020000      65520          0
Trace Message: fae40000      65520        448
Trace Message: fad20000      65520        280
Trace Message: fb060000      65520        160
Trace Message: fb040000      65520        320
Trace Message: fae60000      65520        368
Trace Message: fad00000      65520         64
Trace Message: fa7e0000      65520        128
Trace Message: fa7c0000      65520        256
Trace Message: fa6e0000      65520        176
Trace Message: fa5e0000      65520        384
Trace Message: fa5c0000      65520          0
Trace Message: fa5a0000      65520         48
Trace Message: fa440000      65520        176
Trace Message: f9fe0000      65520        160
Trace Message: f9e60000      65520        528
Trace Message: f9e20000      65520        480
Trace Message: f9e00000      65520        496
Trace Message: f9de0000      65520        320
Trace Message: f9d30000      65520       3528
Assertion Failed: File
/export/home/mhu/cws/ooo111fix1/bridges/source/remote/urp/urp_reader.cxx,
Line 347: urp bridge: messages size too large, terminating connection
Backtrace: [0]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/libsal.so.3:
osl_assertFailedLine+0xc0
Backtrace: [1]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/liburp_uno.so:
component_canUnload+0x20288
Backtrace: [2]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/liburp_uno.so:
component_canUnload+0x1c3a0
Backtrace: [3]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/liburp_uno.so:
component_canUnload+0x241c
Backtrace: [4]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/libsal.so.3:
osl_getTextEncodingFromLocale+0x6a4
Backtrace: [5] /usr/lib/libthread.so.1: _getfp+0x124
Backtrace: [6]
/export/home/mhu/office/cws_srx645_ooo111fix1/program/libsal.so.3:
osl_getTextEncodingFromLocale+0x568
(tid=8) Packet-size too big, couln't allocate necessary memory
(2004318071)

The thing that irritates me, is that your '__rtl_memory_dequeue()'
assertion is from 'Line 935', while mine is from 'Line 933'.

But otherwise, your assertion traces (almost) clearly indicates where
your issue originates from: you have too much memory :-)

The 'Trace message's right after the 'out of memory' assertion from
'__rtl_memory_dequeue()' also is from 'alloc.c' (__dbg_memory_usage).
The last block allocated on your system is ~1.6GB large, and 'used'.

I.e., you've never run into the case that I've fixed, but are now just
stumbling over one (of a probably infinite number) of cases where OOo
crashes due to an 'out of memory' condition. You're crashing in
'rtl_allocateMemory()' called by some 'sequence construct' function.

AFAIR, Kai said that there's not much of 'input validation' in the
'urp' remote bridge. As in your case allocation of a ~1.6GB memory
block succeded, the urp reader thread now tries to read that much
(the 'rest' of the packet) from the network, while other places inside
OOo run into the 'out of memory' condition (and most probably crash).

Don't know what Kai can do here, but I'm reopening this issue and
reassign it back to Kai for further evaluation.

The places that I fixed where definitely wrong before, but obviously
not the only ones.

Matthias

Comment 29 matthias.huetsch 2003-11-06 20:48:10 UTC

Hi Kai,

please have a look at my last comments, and evaluate again.

Thanks,
Matthias

Comment 30 pavel 2003-11-06 21:16:58 UTC

This could be it: the server I run it on has 1GB of RAM + 2GB of swap.
And both my machine and Dan's has a little bit less.

Thank you for very fast evaluation!
Great work.

Kai, if you want some other data or something to test here, I'm here
to help.

Comment 31 kai.sommerfeld 2003-11-07 07:42:31 UTC

Comment 32 kai.sommerfeld 2003-11-11 15:08:29 UTC

I'm able to reproduce the problem, even on my Windows box with 512MB
memory. The 'magic characters' that make it happen here are 8 spaces.

And, I'm able to provide a fix. ;-) BUT, this is just a point-patch
fixing exactly the crash Pavel reported. As Matthias already
mentioned, there are possibly thousands of situations where the Office
does not handle out-of-memory conditions. I don't want to see this
issue reopened for every one of these ;-)

Note: The root cause of this bug is that rtl::ByteSequence does not
handle out-of-memory situations correctly. I filed an OOo 2.0 issue
(22343) against myself to fix this.

Pavel, I already commited the fixed files. Affected modules are
remotebridges and sal (cws ooo111fix1) . Could you please test the fix
on your problematic Linux machines.

Comment 33 pavel 2003-11-12 05:52:50 UTC

Verified.

Thanks!

Comment 34 kai.sommerfeld 2003-11-14 08:24:55 UTC

Reassigning to submitter for closing.

Comment 35 pavel 2003-11-14 09:12:09 UTC

fixed, will close it.

Comment 36 pavel 2003-11-14 09:15:03 UTC

Closing