out of bounds heap read in rpmstrPoolId / rstrlenhash #135
Comments
I'm attaching another file, this creates a use after free, but it's in the same line of code, so I assume it's a variation of the same bug.
Thanks for the pile of reports, will start looking into them once recovered from devconf.cz trip.
There's a check for total number of tags, and their types and all but absolutely no check for the actual tag numbers. So we end up accepting negative tags which should not exist. The tag type should really be uint32_t but that's another can of worms, lets have something easily backportable for now. This is enough to fix issues #133, #135, #136, #138 and #139 on the level of detecting header structural inconsistency.
There's a check for total number of tags, and their types and all but absolutely no check for the actual tag numbers. So we end up accepting negative tags which should not exist. The tag type should really be uint32_t but that's another can of worms, lets have something easily backportable for now. This is enough to fix issues #133, #135, #136, #138 and #139 on the level of detecting header structural inconsistency. Backported from commit 3a07ba3: headerVerifyInfo() is so different in git master we can't use the same exact thing here. Instead we do things in two steps, headerVerifyInfo() catches totally garbage values and duplicate regions are caught in regionSwab().
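The commit message above describes the missing step: the header index was checked for entry count and data types but not for the tag numbers themselves, so a negative tag slipped through and drove the later out-of-bounds read. The C below is an added, self-contained model of that kind of index validation written for this page; it is not rpm's headerVerifyInfo() or regionSwab(). The function names (verify_header_index, put_entry, check_after_good), the 16-byte big-endian entry layout with a 0..9 type range, and the sample entries are assumptions constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk layout of one header index entry: four big-endian int32 fields
 * (tag, type, offset, count). Assumed layout for this example. */
#define ENTRY_SIZE 16

/* Tag data types modelled as 0..9 (NULL, CHAR, INT8, INT16, INT32, INT64,
 * STRING, BIN, STRING_ARRAY, I18NSTRING). Assumed range for this example. */
#define TYPE_MIN 0
#define TYPE_MAX 9

typedef struct {
    int32_t tag, type, offset, count;
} entry_info;

/* Fixed element size per type; 0 marks variable-length string types. */
static const int32_t type_size[10]  = { 0, 1, 1, 2, 4, 8, 0, 1, 0, 0 };
/* Alignment each type needs inside the data section. */
static const int32_t type_align[10] = { 1, 1, 1, 2, 4, 8, 1, 1, 1, 1 };

static int32_t get_be32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* Serialise one entry in big-endian form (used to build constructed samples). */
void put_entry(uint8_t *dst, int32_t tag, int32_t type, int32_t offset, int32_t count) {
    int32_t v[4] = { tag, type, offset, count };
    for (int i = 0; i < 4; i++) {
        uint32_t u = (uint32_t)v[i];
        dst[i * 4 + 0] = (uint8_t)(u >> 24);
        dst[i * 4 + 1] = (uint8_t)(u >> 16);
        dst[i * 4 + 2] = (uint8_t)(u >> 8);
        dst[i * 4 + 3] = (uint8_t)u;
    }
}

/* Validate il index entries against a data section of dl bytes.
 * Returns -1 when every entry passes, otherwise the 0-based index of the
 * first entry that fails. Hypothetical function, not rpm's own. */
int verify_header_index(const uint8_t *index, int32_t il, int32_t dl) {
    for (int32_t i = 0; i < il; i++) {
        const uint8_t *p = index + (size_t)i * ENTRY_SIZE;
        entry_info e;
        e.tag    = get_be32(p);
        e.type   = get_be32(p + 4);
        e.offset = get_be32(p + 8);
        e.count  = get_be32(p + 12);

        /* The check the commit message says was missing: tag numbers must
         * not be negative. */
        if (e.tag < 0) return i;
        if (e.type < TYPE_MIN || e.type > TYPE_MAX) return i;
        if (e.count < 1) return i;
        if (e.offset < 0 || e.offset > dl) return i;
        if (e.offset % type_align[e.type] != 0) return i;
        /* 64-bit arithmetic so a huge count cannot wrap the end computation. */
        if (type_size[e.type] > 0) {
            int64_t end = (int64_t)e.offset + (int64_t)e.count * type_size[e.type];
            if (end > dl) return i;
        }
    }
    return -1;
}

/* Build a two-entry index (one well-formed int32 entry followed by the caller's
 * entry) over a constructed 16-byte data section and return the verdict. */
int check_after_good(int32_t tag, int32_t type, int32_t offset, int32_t count) {
    uint8_t idx[2 * ENTRY_SIZE];
    put_entry(idx, 1000, 4, 0, 1);                     /* good: one INT32 at offset 0 */
    put_entry(idx + ENTRY_SIZE, tag, type, offset, count);
    return verify_header_index(idx, 2, 16);
}

int main(void) {
    printf("two int32 at offset 4   -> %d\n", check_after_good(1001, 4, 4, 2));
    printf("negative tag            -> %d\n", check_after_good(-5, 4, 4, 1));
    printf("type out of range       -> %d\n", check_after_good(1001, 42, 4, 1));
    printf("misaligned int32 offset -> %d\n", check_after_good(1001, 4, 6, 1));
    printf("count overflows data    -> %d\n", check_after_good(1001, 4, 4, 0x7fffffff));
    return 0;
}
```

A result of -1 means the whole index passed; any other value is the index of the first rejected entry, which is where a loader should stop before touching the data section. The negative-tag rule is the one-line addition the commit describes; the type, alignment and 64-bit end-offset checks are the structural checks such a function is expected to carry alongside it.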
The immediate crasher was already addressed, the underlying larger issue of tag validation will be tracked in #242 from here on.
The attached file will cause an out of bounds memory read in rpm (tested with rpm -i --test [input]).
rpm-oob-heap-read-rstrlenhash-rpmstrPoolId.zip
Found with american fuzzy lop and address sanitizer.
Here's a stack trace from asan: