Uploaded image for project: 'Thrift'
  1. Thrift
  2. THRIFT-4930

An information leakage about socket input stream or output stream from TIOStreamTransport to TSocket

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Invalid
    • 0.11.0, 0.12.0
    • None
    • Java - Library
    • None

    • Ubuntu 16.04.3 LTS
      Open JDK version "1.8.0_191" build 25.191-b12

    Description

      Operations: During Apache Thrift integration testing, I developed a calculator application with a client and a server. The client sent a computational command and get the result from the server. After I applied dynamic taint analyzer (distTaint), I found bugs from taint paths finally.

      The source: org.apache.thrift.transport.TIOStreamTransport:
      public int read(byte[] buf, int off, int len) throws TTransportException {
      if (inputStream_ == null)

      { throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null inputStream"); }

      int bytesRead;
      ......
      bytesRead = inputStream_.read(buf, off, len);
      ......
      }
      The sink: org.apache.thrift.transport.TSocket:
      public void close() {
      ......
      if (socket_ != null) {
      try

      { socket_.close(); }

      catch (IOException iox)

      { LOGGER.warn("Could not close socket.", iox); }

      socket_ = null;
      }
      }
      Sensitive information about socket input stream or output stream is leaked.
      The taint path:
      org.apache.thrift.transport.TIOStreamTransport -->
      org.apache.thrift.transport.TTransport -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TTransport -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TTransport -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TTransport -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TTransport -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TTransport -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TTransport -->
      CalculatorService$add_result$add_resultStandardScheme -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.TServiceClient -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TIOStreamTransport -->
      CalculatorService$add_result$add_resultStandardScheme -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TIOStreamTransport -->
      CalculatorService$add_result$add_resultStandardScheme -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$Client -->
      org.apache.thrift.protocol.TMessage -->
      org.apache.thrift.protocol.TField -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_result$add_resultStandardScheme -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_result$add_resultStandardScheme -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.protocol.TField -->
      CalculatorService$Client -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_result -->
      org.apache.thrift.TServiceClient -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.TServiceClient -->
      org.apache.thrift.protocol.TField -->
      CalculatorService$add_result$add_resultStandardScheme -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$Client -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$Client -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.protocol.TMessage -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.TServiceClient -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.TServiceClient -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_result$add_resultStandardScheme -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.protocol.TMessage -->
      CalculatorService$add_result$add_resultStandardScheme -->
      CalculatorService$add_args -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_result -->
      CalculatorService$add_args -->
      org.apache.thrift.TServiceClient -->
      CalculatorService$add_result -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_args -->
      CalculatorService$add_result$add_resultStandardScheme -->
      CalculatorService$add_result -->
      org.apache.thrift.EncodingUtils -->
      CalculatorClient -->
      CalculatorService$add_result -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.TServiceClient -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_result -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.EncodingUtils -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.EncodingUtils -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.EncodingUtils -->
      CalculatorService$add_args -->
      CalculatorService$add_args$add_argsStandardSchemeFactory -->
      CalculatorClient -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_result$add_resultStandardSchemeFactory -->
      CalculatorService$add_result -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorClient -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_args -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorService$add_args -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      CalculatorClient -->
      CalculatorService$add_result -->
      org.apache.thrift.protocol.TBinaryProtocol -->
      org.apache.thrift.transport.TSocket

      I am going to submit a CVE, so please confirm this is not a true positive.

      Attachments

        1. TaintPath
          125 kB
          xiaoqin.fu

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. THRIFT-4928 Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #2179

          Activity

            People

              jensg Jens Geyer
              xiaoqin.fu xiaoqin.fu
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 0.5h
                  0.5h