heap buffer overflow and stack buffer overflow in test suite

[asarubbo]

Our Gentoo tinderbox reported at bug 913966 a test failure.

Looking at the log attached to the downstream report, we can see:

==25==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000651b8 at pc 0x56273fab2a32 bp 0x7fffedf00ee0 sp 0x7fffedf00688
READ of size 65 at 0x6060000651b8 thread T0
    #0 0x56273fab2a31 in __interceptor_strlen.part.0 (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_compression_wrapper+0x63a31)
    #1 0x56273fb7cf0a in test_cr_get_zchunk_with_index /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_compression_wrapper.c:903
    #2 0x7fd72023e8ad  (/usr/lib64/libglib-2.0.so.0+0x838ad)
    #3 0x7fd72023e6a2  (/usr/lib64/libglib-2.0.so.0+0x836a2)
    #4 0x7fd72023edc1 in g_test_run_suite (/usr/lib64/libglib-2.0.so.0+0x83dc1)
    #5 0x7fd72023ee47 in g_test_run (/usr/lib64/libglib-2.0.so.0+0x83e47)
    #6 0x56273fa71687 in main /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_compression_wrapper.c:953
    #7 0x7fd71fe23c89  (/lib64/libc.so.6+0x23c89)
    #8 0x7fd71fe23d44 in __libc_start_main (/lib64/libc.so.6+0x23d44)
    #9 0x56273fa71750 in _start (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_compression_wrapper+0x22750)

0x6060000651b8 is located 0 bytes after 56-byte region [0x606000065180,0x6060000651b8)
allocated by thread T0 here:
    #0 0x56273fb2859f in malloc (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_compression_wrapper+0xd959f)
    #1 0x7fd72021b02d in g_malloc (/usr/lib64/libglib-2.0.so.0+0x6002d)
    #2 0x56273fb7ce75 in test_cr_get_zchunk_with_index /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_compression_wrapper.c:902
    #3 0x7fd72023e8ad  (/usr/lib64/libglib-2.0.so.0+0x838ad)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_compression_wrapper+0x63a31) in __interceptor_strlen.part.0

and

==29==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f2f5bb0025e at pc 0x55bfc3f3fd42 bp 0x7ffd86c788e0 sp 0x7ffd86c78088
READ of size 31 at 0x7f2f5bb0025e thread T0
    #0 0x55bfc3f3fd41 in __interceptor_strlen.part.0 (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_misc+0x67d41)
    #1 0x7f2f5ee019ce in g_strrstr (/usr/lib64/libglib-2.0.so.0+0x7c9ce)
    #2 0x55bfc4015da2 in compressfile_test_text_file /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_misc.c:560
    #3 0x7f2f5ee088ad  (/usr/lib64/libglib-2.0.so.0+0x838ad)
    #4 0x7f2f5ee086a2  (/usr/lib64/libglib-2.0.so.0+0x836a2)
    #5 0x7f2f5ee08dc1 in g_test_run_suite (/usr/lib64/libglib-2.0.so.0+0x83dc1)
    #6 0x7f2f5ee08e47 in g_test_run (/usr/lib64/libglib-2.0.so.0+0x83e47)
    #7 0x55bfc3efe9a4 in main /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_misc.c:1377
    #8 0x7f2f5ea23c89  (/lib64/libc.so.6+0x23c89)
    #9 0x7f2f5ea23d44 in __libc_start_main (/lib64/libc.so.6+0x23d44)
    #10 0x55bfc3efea60 in _start (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_misc+0x26a60)

Address 0x7f2f5bb0025e is located in stack of thread T0 at offset 94 in frame
    #0 0x55bfc4015bff in compressfile_test_text_file /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_misc.c:545

  This frame has 2 object(s):
    [32, 40) 'tmp_err' (line 547)
    [64, 94) 'buf' (line 558) <== Memory access at offset 94 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_misc+0x67d41) in __interceptor_strlen.part.0

I didn't look deeply if the failures are in the test-suite itself or in the libraries involved in the tests (and then possible security implications)
If I can help further please let me know.

[dralley]

@kontura I'm also seeing segfaults when using this version from Pulp. I don't have a coredump for you at the moment but there may be something broken in the Python bindings.

[kontura]

Thank you for the reports!

The overflows reported here are problems just in the test suite but running with the sanitizers I did find some more serious problems connected to the handling of duplicate packages. I think those could cause a crash easily.

I am working on it.

[kontura]

I made a PR: #385 that should fix this issue.

@dralley if you managed to gather more info about the crashes it would be great. It is possible it will be fixed by: 9855743