Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Read out-of-bounds in git_oid_nfmt #3936

Closed
gaa-cifasis opened this issue Sep 25, 2016 · 0 comments

Comments

Projects
None yet
1 participant
@gaa-cifasis
Copy link

commented Sep 25, 2016

Hi,

We found a read-out-of-bounds parsing a malformed object file using the last version of libgit2. To reproduce, first compile libgit2 and its examples with AddressSanitizer support. Then:

$ git init ; mkdir -p .git/objects/32 ; printf 'eJwrKUpNVTBmMFRgAAAREQJV' | base64 -d > .git/objects/32/7b2768749122dbe850988d6fc544054d55a2ae 

Finally, you can trigger the bug using cat-file:

$ ASAN_OPTIONS='detect_leaks=0' cat-file -p 327b2768749122dbe850988d6fc544054d55a2ae

The AddressSanitizer report is here:

=9796==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000342b4 at pc 0x7f36f24005cf bp 0x7ffd9bc2cb60 sp 0x7ffd9bc2cb50
READ of size 1 at 0x6020000342b4 thread T0
    #0 0x7f36f24005ce in git_oid_nfmt /home/g/Work/Code/libgit2-master/src/oid.c:82
    #1 0x7f36f2400901 in git_oid_tostr /home/g/Work/Code/libgit2-master/src/oid.c:127
    #2 0x402f22 in show_tree /home/g/Work/Code/libgit2-master/examples/cat-file.c:58
    #3 0x403735 in main /home/g/Work/Code/libgit2-master/examples/cat-file.c:178
    #4 0x7f36f1d03290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #5 0x401919 in _start (/home/g/Work/Code/libgit2-master/examples/cat-file+0x401919)

0x6020000342b4 is located 0 bytes to the right of 4-byte region [0x6020000342b0,0x6020000342b4)
allocated by thread T0 here:
    #0 0x7f36f2868e60 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7f36f23f4af7 in git__malloc /home/g/Work/Code/libgit2-master/src/util.h:162
    #2 0x7f36f23f5d1e in inflate_tail /home/g/Work/Code/libgit2-master/src/odb_loose.c:275
    #3 0x7f36f23f64a4 in inflate_disk_obj /home/g/Work/Code/libgit2-master/src/odb_loose.c:377
    #4 0x7f36f23f687f in read_loose /home/g/Work/Code/libgit2-master/src/odb_loose.c:417
    #5 0x7f36f23f7b2e in loose_backend__read /home/g/Work/Code/libgit2-master/src/odb_loose.c:642
    #6 0x7f36f23f26f1 in odb_read_1 /home/g/Work/Code/libgit2-master/src/odb.c:996
    #7 0x7f36f23f293b in git_odb_read /home/g/Work/Code/libgit2-master/src/odb.c:1028
    #8 0x7f36f23ec5ca in git_object_lookup_prefix /home/g/Work/Code/libgit2-master/src/object.c:167
    #9 0x7f36f24708f9 in maybe_sha_or_abbrev /home/g/Work/Code/libgit2-master/src/revparse.c:24
    #10 0x7f36f2470994 in maybe_sha /home/g/Work/Code/libgit2-master/src/revparse.c:34
    #11 0x7f36f2470cf6 in revparse_lookup_object /home/g/Work/Code/libgit2-master/src/revparse.c:96
    #12 0x7f36f2473b1c in ensure_base_rev_loaded /home/g/Work/Code/libgit2-master/src/revparse.c:625
    #13 0x7f36f24744f6 in revparse__ext /home/g/Work/Code/libgit2-master/src/revparse.c:802
    #14 0x7f36f2474854 in git_revparse_ext /home/g/Work/Code/libgit2-master/src/revparse.c:840
    #15 0x7f36f2474a8b in git_revparse_single /home/g/Work/Code/libgit2-master/src/revparse.c:863
    #16 0x40356c in main /home/g/Work/Code/libgit2-master/examples/cat-file.c:136
    #17 0x7f36f1d03290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

This issues was found using QuickFuzz.

Regards,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.