[jira] [Commented] (DRILL-5541) C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
[ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16039939#comment-16039939 ]

ASF GitHub Bot commented on DRILL-5541:
---------------------------------------

Github user parthchandra commented on the issue:

    https://github.com/apache/drill/pull/850

    +1

> C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
> --
>
> Key: DRILL-5541
> URL: https://issues.apache.org/jira/browse/DRILL-5541
> Project: Apache Drill
> Issue Type: Bug
> Components: Client - C++
> Affects Versions: 1.10.0
> Reporter: Rob Wu
> Priority: Minor
>
> drillClient!boost_sb::shared_ptr::reset+0xa7:
> 07fe`c292f827 f0ff4b08 lock dec dword ptr [rbx+8] ds:07fe`c2b3de78=c29e6060
> Exploitability Classification: EXPLOITABLE
> Recommended Bug Title: Exploitable - User Mode Write AV starting at drillClient!boost_sb::shared_ptr::reset+0x00a7 (Hash=0x4ae7fdff.0xb15af658)
> User mode write access violations that are not near NULL are exploitable.
> ==
> Stack Trace:
> Child-SP RetAddr Call Site
> `030df630 07fe`c295bca1 drillClient!boost_sb::shared_ptr::reset+0xa7 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\smart_ptr\shared_ptr.hpp @ 620]
> `030df680 07fe`c295433c drillClient!Drill::DrillClientImpl::processSchemasResult+0x281 [c:\users\bamboo\desktop\make_win_drill\drill-1.10.0.1\drill-1.10.0.1\contrib\native\client\src\clientlib\drillclientimpl.cpp @ 1227]
> `030df7a0 07fe`c294cbf6 drillClient!Drill::DrillClientImpl::handleRead+0x75c [c:\users\bamboo\desktop\make_win_drill\drill-1.10.0.1\drill-1.10.0.1\contrib\native\client\src\clientlib\drillclientimpl.cpp @ 1555]
> `030df9c0 07fe`c294ce9f drillClient!boost_sb::asio::detail::win_iocp_socket_recv_op > > >,boost_sb::asio::mutable_buffers_1,boost_sb::asio::detail::transfer_all_t,boost_sb::_bi::bind_t char * __ptr64,boost_sb::system::error_code const & __ptr64,unsigned __int64>,boost_sb::_bi::list4 __ptr64>,boost_sb::_bi::value __ptr64>,boost_sb::arg<1>,boost_sb::arg<2> > > > >::do_complete+0x166 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\win_iocp_socket_recv_op.hpp @ 97]
> `030dfa90 07fe`c296009d drillClient!boost_sb::asio::detail::win_iocp_io_service::do_one+0x27f [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\impl\win_iocp_io_service.ipp @ 406]
> `030dfb70 07fe`c295ffc9 drillClient!boost_sb::asio::detail::win_iocp_io_service::run+0xad [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\impl\win_iocp_io_service.ipp @ 164]
> `030dfbd0 07fe`c2aa5b53 drillClient!boost_sb::asio::io_service::run+0x29 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\impl\io_service.ipp @ 60]
> `030dfc10 07fe`c2ad3e03 drillClient!boost_sb::`anonymous namespace'::thread_start_function+0x43
> `030dfc50 07fe`c2ad404e drillClient!_callthreadstartex+0x17 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 376]
> `030dfc80 `779e59cd drillClient!_threadstartex+0x102 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 354]
> `030dfcb0 `77c1a561 kernel32!BaseThreadInitThunk+0xd
> `030dfce0 ` ntdll!RtlUserThreadStart+0x1d
> ==
> Register:
> rax=0284bae0 rbx=07fec2b3de70 rcx=027ec210
> rdx=027ec210 rsi=027f2638 rdi=027f25d0
> rip=07fec292f827 rsp=030df630 rbp=027ec210
> r8=027ec210 r9= r10=027d32fc
> r11=27eb001b0003 r12= r13=028035a0
> r14=027ec210 r15=
> iopl=0 nv up ei pl nz na pe nc
> cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
> drillClient!boost_sb::shared_ptr::reset+0xa7:
> 07fe`c292f827 f0ff4b08 lock dec dword ptr [rbx+8] ds:07fe`c2b3de78=c29e6060

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (DRILL-5541) C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
[ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16039896#comment-16039896 ]

Rob Wu commented on DRILL-5541:
-------------------------------

Correct, this is the patch for the crashes I was seeing. After this patch, I ran the test for another 750,000 more iterations (with 10 different queries that exercise different parts of the C++ client) without any crashes.

I'll see what I can do with the proxy and get back to you on that :)
[jira] [Commented] (DRILL-5541) C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
[ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16039545#comment-16039545 ]

Parth Chandra commented on DRILL-5541:
--------------------------------------

Nice. Is this server somewhat shareable? We could use it to test future releases.

I'm assuming the patch submitted fixes the issue(s)?
[jira] [Commented] (DRILL-5541) C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
[ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037936#comment-16037936 ]

Rob Wu commented on DRILL-5541:
-------------------------------

I set up a proxy server that messes with the incoming data randomly before returning it, to see if the C++ client handles invalid data gracefully.

    DrillClient           <-->    Proxy                                   <--->   Server
      connect()           O--->
      select * from Tab   O--->
                          <---    Flip random bits (do work on the data)  <-      Data
      Process X
      CrashX
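The bit-flipping proxy sketched in the comment above, written out as an added example for this page; it is not Rob Wu's proxy and not Apache Drill project code. It corrupts only the server-to-client direction, and the listen port, upstream address and flips-per-chunk are constructed parameters. Each connection logs its own mutation seed so that a crash the proxy provokes can be replayed.

```python
import random
import socket
import threading


def flip_random_bits(data: bytes, flips: int, rng: random.Random) -> bytes:
    """Return a copy of data with `flips` distinct bit positions inverted.

    Positions come from the caller's RNG, so a run is reproducible from its
    seed; that is what makes a crash found by the proxy replayable.
    """
    if not data or flips <= 0:
        return data
    n_bits = len(data) * 8
    positions = rng.sample(range(n_bits), min(flips, n_bits))
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def flip_with_seed(data: bytes, flips: int, seed: int) -> bytes:
    """flip_random_bits with a fresh RNG built from an integer seed."""
    return flip_random_bits(data, flips, random.Random(seed))


def count_differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def _pump(src: socket.socket, dst: socket.socket, mutate=None) -> None:
    """Copy src -> dst until src closes, passing each chunk through mutate.

    When either direction ends, both sockets are shut down so the peer
    thread's recv() returns and the connection pair is torn down together.
    """
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(mutate(chunk) if mutate else chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def serve(listen_port: int, upstream: tuple, flips_per_chunk: int, seed: int) -> None:
    """Accept client connections, relay each to the real server, and flip bits
    only in what the server sends back (client -> server passes untouched).
    Each connection gets its own RNG derived from (seed, connection number)
    and prints that seed so a crashing run can be reproduced."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", listen_port))
    lsock.listen(8)
    conn_no = 0
    while True:
        client, peer = lsock.accept()
        conn_no += 1
        conn_seed = seed * 1_000_003 + conn_no
        print(f"conn {conn_no} from {peer}: mutation seed {conn_seed}")
        rng = random.Random(conn_seed)
        server = socket.create_connection(upstream)
        mutate = lambda chunk, rng=rng: flip_random_bits(chunk, flips_per_chunk, rng)
        threading.Thread(target=_pump, args=(client, server), daemon=True).start()
        threading.Thread(target=_pump, args=(server, client, mutate), daemon=True).start()


if __name__ == "__main__":
    # Constructed parameters: listen on 31011 and forward to a server on 31010.
    serve(31011, ("127.0.0.1", 31010), flips_per_chunk=1, seed=1)
```

Point the client at the proxy port instead of the server; the printed seed plus the chunk boundaries are what you need to reproduce a crash when the client dies.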
[jira] [Commented] (DRILL-5541) C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
[ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037935#comment-16037935 ]

Rob Wu commented on DRILL-5541:
-------------------------------

I set up a server
[jira] [Commented] (DRILL-5541) C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
[ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037912#comment-16037912 ]

Parth Chandra commented on DRILL-5541:
--------------------------------------

Curious to know how you created this issue.
[jira] [Commented] (DRILL-5541) C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
[ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037601#comment-16037601 ]

ASF GitHub Bot commented on DRILL-5541:
---------------------------------------

GitHub user superbstreak opened a pull request:

    https://github.com/apache/drill/pull/850

    DRILL-5541: C++ Client Crashes During Simple "Man in the Middle" Atta…

    …ck Test with Exploitable Write AV

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/superbstreak/drill DRILL-5541

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/850.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #850

----
commit 716db51df61d0ee47804217a6a133d1d1152b64a
Author: Rob Wu
Date:   2017-06-05T21:06:33Z

    DRILL-5541: C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV