libsolv “resolve_weak” function a heap-overflow bug and an UaF bug #426
Comments
|
Made testcase reader more robust. I think the use after free is also fixed with this. |
|
This was assigned CVE-2021-44576. |
|
CVE-2021-44575CVE-2021-44569CVE-2021-44576CVE-2021-44574 CVE-2021-44573CVE-2021-44577CVE-2021-44571CVE-2021-44568 |
|
Yes, that's correct. |
halstead
pushed a commit
to openembedded/openembedded-core
that referenced
this issue
Mar 31, 2022
The existing patch for CVE-2021-3200 also fixes CVE-2021-44568 through CVE-2021-44671 and CVE-2021-44573 through CVE-2021-44677, so update CVE tags in patch to reflect this. Reference: openSUSE/libsolv#426 Signed-off-by: Steve Sakoman <steve@sakoman.com>
splitice
pushed a commit
to HalleyAssist/poky
that referenced
this issue
Mar 31, 2022
The existing patch for CVE-2021-3200 also fixes CVE-2021-44568 through CVE-2021-44671 and CVE-2021-44573 through CVE-2021-44677, so update CVE tags in patch to reflect this. Reference: openSUSE/libsolv#426 (From OE-Core rev: 3096134d25fc4cf9bd18839838a62a6c89344e31) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/poky
that referenced
this issue
Jun 3, 2022
Source: poky MR: 118243 Type: Integration Disposition: Merged from poky ChangeID: e779ccdf4e75f3fe6f0d68b6973bff311003b8a7 Description: The existing patch for CVE-2021-3200 also fixes CVE-2021-44568 through CVE-2021-44671 and CVE-2021-44573 through CVE-2021-44677, so update CVE tags in patch to reflect this. Reference: openSUSE/libsolv#426 (From OE-Core rev: 3096134d25fc4cf9bd18839838a62a6c89344e31) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description:
There are two memory vulnerabilities in function:
static int resolve_weak (Solver *solv, int level, int disablerules, Queue *dq, Queue *dqs, int *rerunp)
at src/solver.c: line 2222 & 2249
if (solv->decisionmap[i] < 0) // line 2222
continue;
The first bug is caused by the dangerous variable “decisionmap[]”.
If the value of index variable “i” is bigger than the size of decisionmap[], there will be a heap overflow bug.
Our PoC file will trigger this bug.
Please reproduce this issue through the following PoC: /libsolvBuildDir/tools/testsolv resolve_weak-2222
If you configure CC with flag -fsanitize=address, you will get the following outputs:
testcase_read: cannot parse command 'sys#>=Req:'
test 1:
test 2:
test 3:
test 4:
AddressSanitizer: heap-buffer-overflow on address 0x6020000008c0 at pc 0x7ff8dafd9495 bp 0x7ffc1b98e350 sp 0x7ffc1b98e348
READ of size 4 at 0x6020000008c0 thread T0
#0 0x7ff8dafd9494 in resolve_weak /root/Experiments/real-world/libsolv/src/solver.c:2222:11
#1 0x7ff8dafd9494 in solver_run_sat /root/Experiments/real-world/libsolv/src/solver.c:2740:12
#2 0x7ff8daffe65a in solver_solve /root/Experiments/real-world/libsolv/src/solver.c:4137:3
#3 0x4f1eea in main /root/Experiments/real-world/libsolv/tools/testsolv.c:241:8
#4 0x7ff8d9fdabf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41e6f9 in _start (/root/Experiments/real-world/libsolv/build/tools/testsolv+0x41e6f9)
0x6020000008c0 is located 0 bytes to the right of 16-byte region [0x6020000008b0,0x6020000008c0)
allocated by thread T0 here:
#0 0x4abe48 in calloc /root/Downloads/llvm-build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
#1 0x7ff8db137f10 in solv_calloc /root/Experiments/real-world/libsolv/src/util.c:79:9
#2 0x7ff8dafbfb9a in solver_create /root/Experiments/real-world/libsolv/src/solver.c:1327:29
#3 0x7ff8e45772d4 in testcase_read /root/Experiments/real-world/libsolv/ext/testcase.c:2268:15
#4 0x4f144b in main /root/Experiments/real-world/libsolv/tools/testsolv.c:159:11
#5 0x7ff8d9fdabf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Experiments/real-world/libsolv/src/solver.c:2222:11 in resolve_weak
Shadow bytes around the buggy address:
0x0c047fff80c0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff80d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff80e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff80f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8100: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 01 fa
=>0x0c047fff8110: fa fa 01 fa fa fa 00 00[fa]fa fd fd fa fa 05 fa
0x0c047fff8120: fa fa 00 00 fa fa 04 fa fa fa 04 fa fa fa 00 04
0x0c047fff8130: fa fa 04 fa fa fa 04 fa fa fa 01 fa fa fa fd fa
0x0c047fff8140: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 01 fa
0x0c047fff8150: fa fa 04 fa fa fa 00 fa fa fa fd fa fa fa fd fa
0x0c047fff8160: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==90772==ABORTING
The second bug is a use-after-free bug.
Please reproduce this issue through the following PoC: /libsolvBuildDir/tools/testsolv resolve_weak-2249
If you configure CC with flag -fsanitize=address, you will get the following outputs:
testcase_read: cannot parse command '¤repo'
testcase_read: system: unknown repo 'system'
setsolverflags: unknown flag 'strongrongrecommends'
str2job: bad line 'in'
testcase_read: cannot parse command 'to'
setsolverflags: unknown flag 'strecommends'
===========================================================
==69476==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000070 at pc 0x7fdd5adaa5fe bp 0x7ffe681b5090 sp 0x7ffe681b5088
READ of size 4 at 0x603000000070 thread T0
#0 0x7fdd5adaa5fd in resolve_weak /root/Experiments/real-world/libsolv/src/solver.c:2249:13
#1 0x7fdd5adaa5fd in solver_run_sat /root/Experiments/real-world/libsolv/src/solver.c:2740:12
#2 0x7fdd5add065a in solver_solve /root/Experiments/real-world/libsolv/src/solver.c:4137:3
#3 0x4f1eea in main /root/Experiments/real-world/libsolv/tools/testsolv.c:241:8
#4 0x7fdd59dacbf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41e6f9 in _start (/root/Experiments/real-world/libsolv/build/tools/testsolv+0x41e6f9)
0x603000000070 is located 0 bytes inside of 28-byte region [0x603000000070,0x60300000008c)
freed by thread T0 here:
#0 0x4ab960 in free /root/Downloads/llvm-build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123
#1 0x7fdd5af0a17d in solv_free /root/Experiments/real-world/libsolv/src/util.c:113:5
#2 0x7fdd5ad83e2d in map_free /root/Experiments/real-world/libsolv/src/bitmap.c:31:12
#3 0x7fdd5b052564 in pool_addfileprovides_queue /root/Experiments/real-world/libsolv/src/fileprovides.c:596:3
#4 0x7fdd5b052564 in pool_addfileprovides /root/Experiments/real-world/libsolv/src/fileprovides.c:635:3
#5 0x7fdd6434757f in testcase_read /root/Experiments/real-world/libsolv/ext/testcase.c:2180:8
#6 0x4f144b in main /root/Experiments/real-world/libsolv/tools/testsolv.c:159:11
#7 0x7fdd59dacbf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
previously allocated by thread T0 here:
#0 0x4abe48 in calloc /root/Downloads/llvm-build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
#1 0x7fdd5af09f10 in solv_calloc /root/Experiments/real-world/libsolv/src/util.c:79:9
#2 0x7fdd5ad83dba in map_init /root/Experiments/real-world/libsolv/src/bitmap.c:24:22
#3 0x7fdd5b051ee6 in pool_addfileprovides_queue /root/Experiments/real-world/libsolv/src/fileprovides.c:565:3
#4 0x7fdd5b051ee6 in pool_addfileprovides /root/Experiments/real-world/libsolv/src/fileprovides.c:635:3
#5 0x7fdd6434757f in testcase_read /root/Experiments/real-world/libsolv/ext/testcase.c:2180:8
#6 0x4f144b in main /root/Experiments/real-world/libsolv/tools/testsolv.c:159:11
#7 0x7fdd59dacbf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-use-after-free /root/Experiments/real-world/libsolv/src/solver.c:2249:13 in resolve_weak
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa[fd]fd
0x0c067fff8010: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
0x0c067fff8020: fd fd fd fa fa fa 00 00 00 00 fa fa fd fd fd fd
0x0c067fff8030: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
0x0c067fff8040: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff8050: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==69476==ABORTING
The ASAN outputs information about these overflow bug.
And attacker can use this bug to achieve a DoS attack.
Please reproduce and fix these two bugs.
The text was updated successfully, but these errors were encountered: