Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Invalid
-
0.11.0, 0.12.0
-
None
-
None
-
Ubuntu 16.04.3 LTS
Open JDK version "1.8.0_191" build 25.191-b12
Description
Operations: During Apache Thrift integration testing, I developed a calculator application with a client and a server. The client sent a computational command and get the result from the server. After I applied dynamic taint analyzer (distTaint), I found bugs from taint paths finally.
The source: org.apache.thrift.transport.TIOStreamTransport:
public int read(byte[] buf, int off, int len) throws TTransportException {
if (inputStream_ == null)
int bytesRead;
......
bytesRead = inputStream_.read(buf, off, len);
......
}
The sink: org.apache.thrift.transport.TSocket:
public void close() {
......
if (socket_ != null) {
try
catch (IOException iox)
{ LOGGER.warn("Could not close socket.", iox); } socket_ = null;
}
}
Sensitive information about socket input stream or output stream is leaked.
The taint path:
org.apache.thrift.transport.TIOStreamTransport -->
org.apache.thrift.transport.TTransport -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TTransport -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TTransport -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TTransport -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TTransport -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TTransport -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TTransport -->
CalculatorService$add_result$add_resultStandardScheme -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.TServiceClient -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TIOStreamTransport -->
CalculatorService$add_result$add_resultStandardScheme -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TIOStreamTransport -->
CalculatorService$add_result$add_resultStandardScheme -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$Client -->
org.apache.thrift.protocol.TMessage -->
org.apache.thrift.protocol.TField -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_result$add_resultStandardScheme -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_result$add_resultStandardScheme -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.protocol.TField -->
CalculatorService$Client -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_result -->
org.apache.thrift.TServiceClient -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.TServiceClient -->
org.apache.thrift.protocol.TField -->
CalculatorService$add_result$add_resultStandardScheme -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$Client -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$Client -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.protocol.TMessage -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.TServiceClient -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.TServiceClient -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_result$add_resultStandardScheme -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.protocol.TMessage -->
CalculatorService$add_result$add_resultStandardScheme -->
CalculatorService$add_args -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_result -->
CalculatorService$add_args -->
org.apache.thrift.TServiceClient -->
CalculatorService$add_result -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_args -->
CalculatorService$add_result$add_resultStandardScheme -->
CalculatorService$add_result -->
org.apache.thrift.EncodingUtils -->
CalculatorClient -->
CalculatorService$add_result -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.TServiceClient -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_result -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.EncodingUtils -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.EncodingUtils -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.EncodingUtils -->
CalculatorService$add_args -->
CalculatorService$add_args$add_argsStandardSchemeFactory -->
CalculatorClient -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_result$add_resultStandardSchemeFactory -->
CalculatorService$add_result -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorClient -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_args -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorService$add_args -->
org.apache.thrift.protocol.TBinaryProtocol -->
CalculatorClient -->
CalculatorService$add_result -->
org.apache.thrift.protocol.TBinaryProtocol -->
org.apache.thrift.transport.TSocket
I am going to submit a CVE, so please confirm this is not a true positive.
Attachments
Attachments
Issue Links
- duplicates
-
THRIFT-4928 Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException
- Closed
- links to