
libsolv “pool_installable” function a heap-overflow vulnerability #418

Closed
yangjiageng opened this issue Dec 13, 2020 · 1 comment

Comments

@yangjiageng

Description:
There are three heap-buffer overflow bugs in the functions:
static inline int pool_disabled_solvable(const Pool *pool, Solvable *s)
static inline int pool_installable(const Pool *pool, Solvable *s)
static inline int pool_installable_whatprovides(const Pool *pool, Solvable *s)
at src/repo.h: line 96, line 120 and line 138.
The statement on these three lines is the same, as follows:
if (!MAPTST(pool->considered, id))

The program defines “MAPTST(m, n)” as “((m)->map[(n) >> 3] & (1 << ((n) & 7)))”.

MAPTST(pool->considered, id) is the same as pool->considered->map[id>>3] & (1 << (id & 7)).
This statement involves pool->considered->map[id>>3].

The variable pool->considered is a pointer to a Map structure.
The Map structure is as follows:
typedef struct s_Map {
unsigned char *map;
int size;
} Map;
If the index value “id>>3” is bigger than pool->considered->size, there is a heap overflow bug.

Please reproduce this issue with the following PoC: /libsolvBuildDir/tools/testsolv PoC-pool_installable-line120
If you configure CC with the flag -fsanitize=address, you will get the following output:

str2job: unknown job 'multiversioo provides k- a 2 1 i686'
0׻^¡񙐧ase_read: cannot parse command 'MM%oÿ·¬ѫU
===========================================================
==77196==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000151 at pc 0x7f6441861fbc bp 0x7ffd25898280 sp 0x7ffd25898278
READ of size 1 at 0x602000000151 thread T0
#0 0x7f6441861fbb in pool_installable /root/Experiments/real-world/libsolv/src/repo.h:120:12
#1 0x7f6441861fbb in solver_addpkgrulesforweak /root/Experiments/real-world/libsolv/src/rules.c:1214:42
#2 0x7f64416ab54c in solver_solve /root/Experiments/real-world/libsolv/src/solver.c:3667:3
#3 0x4f1eea in main /root/Experiments/real-world/libsolv/tools/testsolv.c:241:8
#4 0x7f6440693bf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41e6f9 in _start (/root/Experiments/real-world/libsolv/build/tools/testsolv+0x41e6f9)

0x602000000151 is located 0 bytes to the right of 1-byte region [0x602000000150,0x602000000151)
allocated by thread T0 here:
#0 0x4abe48 in calloc /root/Downloads/llvm-build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
#1 0x7f64417f0f10 in solv_calloc /root/Experiments/real-world/libsolv/src/util.c:79:9
#2 0x7f644166adba in map_init /root/Experiments/real-world/libsolv/src/bitmap.c:24:22
#3 0x7f644ac3104a in testcase_read /root/Experiments/real-world/libsolv/ext/testcase.c:2318:8
#4 0x4f144b in main /root/Experiments/real-world/libsolv/tools/testsolv.c:159:11
#5 0x7f6440693bf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Experiments/real-world/libsolv/src/repo.h:120:12 in pool_installable
==77196==ABORTING

The ASan output contains information about these three heap overflow bugs.
An attacker can use any one of these bugs to achieve a DoS attack.
Please reproduce and fix these three vulnerabilities.
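A checked variant of the bitmap test, as an added example (not libsolv's code and not the fix the maintainer made): it rebuilds the 1-byte map from the ASan report above and shows the bounds check that keeps an out-of-range id from reading past the allocation. The Map struct and MAPTST are as quoted in the issue; map_tst_checked, map_init_bytes, map_set and the two demo functions are assumed names.

```c
#include <stdlib.h>

/* Map layout as quoted in the issue. */
typedef struct s_Map {
    unsigned char *map;
    int size;            /* number of bytes allocated for map */
} Map;

/* The unchecked macro as the issue quotes it: (n) >> 3 is never compared to size. */
#define MAPTST(m, n) ((m)->map[(n) >> 3] & (1 << ((n) & 7)))

/* Hypothetical checked test (not libsolv's): an id whose byte index falls
 * outside the map is reported as "not set" instead of being read past the end. */
static inline int map_tst_checked(const Map *m, int id)
{
    if (id < 0 || (id >> 3) >= m->size)
        return 0;
    return (m->map[id >> 3] & (1 << (id & 7))) != 0;
}

/* Zero-filled map of nbytes bytes, like the map_init -> solv_calloc in the trace. */
static void map_init_bytes(Map *m, int nbytes)
{
    m->map = calloc((size_t)nbytes, 1);
    m->size = nbytes;
}

static void map_set(Map *m, int id)
{
    m->map[id >> 3] |= (unsigned char)(1 << (id & 7));
}

static void map_free(Map *m) { free(m->map); m->map = NULL; m->size = 0; }

/* Build an nbytes-byte map with set_id set and query it through the checked test.
 * With nbytes == 1 and query_id >= 8 this is the shape of the report: byte index
 * id >> 3 is past the single allocated byte, and the checked test returns 0. */
int checked_test(int nbytes, int set_id, int query_id)
{
    Map considered;
    map_init_bytes(&considered, nbytes);
    map_set(&considered, set_id);
    int r = map_tst_checked(&considered, query_id);
    map_free(&considered);
    return r;
}

/* Same query through the unchecked macro; caller must keep (query_id >> 3) < nbytes. */
int unchecked_test_in_range(int nbytes, int set_id, int query_id)
{
    Map considered;
    map_init_bytes(&considered, nbytes);
    map_set(&considered, set_id);
    int r = MAPTST(&considered, query_id) != 0;
    map_free(&considered);
    return r;
}
```

For in-range ids both functions agree; only the checked one is safe to call with an id derived from untrusted input.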

@mlschroe (Member)

Made testcase reader more robust.
