invalid memory read in function providePackageNVR / doFind #136

Closed
hannob opened this Issue Jan 28, 2017 · 1 comment


hannob commented Jan 28, 2017

This file causes a read access to an invalid memory area.

rpm-invalid-read-doFind-providePackageNVR.zip

ASan error:

==10120==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000444fe0 bp 0x7ffc6b5de6d0 sp 0x7ffc6b5dde40 T0)
==10120==The signal is caused by a READ memory access.
==10120==Hint: address points to the zero page.
    #0 0x444fdf in __interceptor_strcmp.part.26 (/r/rpm/rpm+0x444fdf)
    #1 0x53d4d4 in doFind /f/rpm/rpm/lib/rpmds.c:830:15
    #2 0x5cbc79 in providePackageNVR /f/rpm/rpm/lib/headerutil.c:362:9
    #3 0x5cbc79 in legacyRetrofit /f/rpm/rpm/lib/headerutil.c:391
    #4 0x5cbc79 in headerConvert /f/rpm/rpm/lib/headerutil.c:410
    #5 0x6378a7 in rpmpkgRead /f/rpm/rpm/lib/package.c:403:6
    #6 0x6378a7 in rpmReadPackageFile /f/rpm/rpm/lib/package.c:432
    #7 0x579658 in tryReadHeader /f/rpm/rpm/lib/rpminstall.c:353:17
    #8 0x579658 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:537
    #9 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #10 0x7fc1d8fc478f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #11 0x41c648 in _start (/r/rpm/rpm+0x41c648)

pmatilai added a commit that referenced this issue Feb 3, 2017

Sanity check header tag values. Like, doh.
There's a check for total number of tags, and their types and all
but absolutely no check for the actual tag numbers. So we end up
accepting negative tags which should not exist. The tag type should
really be uint32_t but that's another can of worms, let's have something
easily backportable for now.

This is enough to fix issues #133, #135, #136, #138 and #139 on the
level of detecting header structural inconsistency.

pmatilai added a commit that referenced this issue Feb 16, 2017

Sanity check header tag values. Like, doh.
There's a check for total number of tags, and their types and all
but absolutely no check for the actual tag numbers. So we end up
accepting negative tags which should not exist. The tag type should
really be uint32_t but that's another can of worms, let's have something
easily backportable for now.

This is enough to fix issues #133, #135, #136, #138 and #139 on the
level of detecting header structural inconsistency.

Backported from commit 3a07ba3:
headerVerifyInfo() is so different in git master we can't use the
same exact thing here. Instead we do things in two steps,
headerVerifyInfo() catches totally garbage values and duplicate
regions are caught in regionSwab().
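The two commit messages above describe the gap (tag numbers were never range-checked, so negative tags were accepted) and the sanitizer trace shows the consequence (a NULL name reaching strcmp() in doFind). The following is an added illustration written for this page, not rpm's own code: a hypothetical index-entry validator with the "tag < 0" check the fix describes, plus a NULL-tolerant name lookup. It assumes the on-disk entry layout of four big-endian 32-bit fields (tag, type, offset, count) and a type enum spanning 0..9.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical RPM-style header index entry: four big-endian 32-bit fields
 * (tag, type, offset, count). Type bounds follow rpm's public type enum
 * (assumed here: 0 = NULL_TYPE ... 9 = I18NSTRING_TYPE). */
struct entry_info { int32_t tag, type, offset, count; };

static int32_t be32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* 0 if sane, -1 otherwise. The check the fix commit describes as missing is
 * "tag < 0": a negative tag number never names a real header tag. */
int verify_entry(const uint8_t raw[16], size_t data_len, struct entry_info *out) {
    struct entry_info e = { be32(raw), be32(raw + 4), be32(raw + 8), be32(raw + 12) };
    if (e.tag < 0) return -1;
    if (e.type < 0 || e.type > 9) return -1;
    if (e.offset < 0 || e.count <= 0) return -1;
    /* coarse bound: the entry must at least start and count within the data */
    if ((size_t)e.offset >= data_len || (size_t)e.count > data_len - (size_t)e.offset) return -1;
    if (out) *out = e;
    return 0;
}

/* Name lookup that rejects a NULL name instead of handing it to strcmp(),
 * the call that faults in the sanitizer trace above. */
int find_name(const char *const *names, size_t n, const char *wanted) {
    if (wanted == NULL) return -1;
    for (size_t i = 0; i < n; i++)
        if (names[i] != NULL && strcmp(names[i], wanted) == 0) return (int)i;
    return -1;
}

/* Constructed samples: a negative tag (0xFFFFFFFF) and a plausible entry. */
int sample_negative_tag(void) {
    const uint8_t raw[16] = { 0xFF,0xFF,0xFF,0xFF, 0,0,0,6, 0,0,0,0, 0,0,0,1 };
    return verify_entry(raw, 64, NULL);
}
int sample_valid_entry(void) {
    const uint8_t raw[16] = { 0,0,0x03,0xE8, 0,0,0,6, 0,0,0,0, 0,0,0,1 };  /* tag 1000 */
    return verify_entry(raw, 64, NULL);
}
int sample_lookup(const char *wanted) {
    const char *names[] = { "foo", NULL, "bar" };  /* constructed name table */
    return find_name(names, 3, wanted);
}
```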

pmatilai commented Jun 28, 2017

The immediate crasher was already addressed, the underlying larger issue of tag validation will be tracked in #242 from here on.

pmatilai closed this Jun 28, 2017