
heap out of bounds read in rpmfilesFDepends() #139

Closed
hannob opened this issue Jan 28, 2017 · 1 comment

Comments

hannob commented Jan 28, 2017

The attached file causes an out of bounds heap read.
rpm-heap-oob-rpmfilesFDepends.zip

ASan error:

==27195==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000011d0 at pc 0x00000056a3e5 bp 0x7fff75d8fb10 sp 0x7fff75d8fb08
READ of size 4 at 0x6020000011d0 thread T0
    #0 0x56a3e4 in rpmfilesFDepends /f/rpm/rpm/lib/rpmfi.c:676:16
    #1 0x56a3e4 in rpmfiFDepends /f/rpm/rpm/lib/rpmfi.c:1809
    #2 0x5940b8 in rpmteColorDS /f/rpm/rpm/lib/rpmte.c:488:8
    #3 0x58f783 in addTE /f/rpm/rpm/lib/rpmte.c:188:5
    #4 0x58f783 in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #5 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
    #6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7efce4abc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)

0x6020000011d2 is located 0 bytes to the right of 2-byte region [0x6020000011d0,0x6020000011d2)
allocated by thread T0 here:
    #0 0x4cc7a8 in malloc (/r/rpm/rpm+0x4cc7a8)
    #1 0x67546e in rstrdup /f/rpm/rpm/rpmio/rpmmalloc.c:74:29
    #2 0x5dd0f4 in copyTdEntry /f/rpm/rpm/lib/header.c:1095:28
    #3 0x5d82af in intGetTdEntry /f/rpm/rpm/lib/header.c:1294:7
    #4 0x5d71b1 in headerGet /f/rpm/rpm/lib/header.c:1317:10
    #5 0x55f0bf in rpmfilesPopulate /f/rpm/rpm/lib/rpmfi.c:1448:2
    #6 0x55f0bf in rpmfilesNew /f/rpm/rpm/lib/rpmfi.c:1576
    #7 0x593a8c in getFiles /f/rpm/rpm/lib/rpmte.c:110:12
    #8 0x58f5db in addTE /f/rpm/rpm/lib/rpmte.c:173:16
    #9 0x58f5db in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #10 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
    #11 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #12 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #13 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #14 0x7efce4abc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #15 0x41c648 in _start (/r/rpm/rpm+0x41c648)
pmatilai added a commit that referenced this issue Feb 3, 2017
There's a check for total number of tags, and their types and all,
but absolutely no check for the actual tag numbers. So we end up
accepting negative tags which should not exist. The tag type should
really be uint32_t but that's another can of worms; let's have something
easily backportable for now.

This is enough to fix issues #133, #135, #136, #138 and #139 on the
level of detecting header structural inconsistency.
pmatilai added a commit that referenced this issue Feb 16, 2017
There's a check for total number of tags, and their types and all,
but absolutely no check for the actual tag numbers. So we end up
accepting negative tags which should not exist. The tag type should
really be uint32_t but that's another can of worms; let's have something
easily backportable for now.

This is enough to fix issues #133, #135, #136, #138 and #139 on the
level of detecting header structural inconsistency.

Backported from commit 3a07ba3:
headerVerifyInfo() is so different in git master we can't use the
same exact thing here. Instead we do things in two steps,
headerVerifyInfo() catches totally garbage values and duplicate
regions are caught in regionSwab().
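The two commit messages above describe the missing check: the header's per-entry tag number was never validated, so a negative tag passed through. The following is an added example, written for this page and not rpm's own headerVerifyInfo() or regionSwab() code, showing the shape of such an index-entry validation in C. The struct layout (four big-endian 32-bit fields: tag, type, offset, count), the type ids and their element widths, and the verdict names are this example's assumptions; the extent check (offset plus count times element width must stay inside the data blob) goes beyond the negative-tag check the commits add and is included as a generalization of "catches totally garbage values".

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example (not rpm's own code): one 16-byte index entry in the
 * shape an RPM header uses, four big-endian 32-bit fields. Field and type
 * names below are this example's own assumptions. */
typedef struct {
    int32_t tag;
    int32_t type;
    int32_t offset;
    int32_t count;
} hdr_entry;

/* Assumed tag type ids and element widths; 0 means variable-length data
 * (strings, binary blobs) whose extent cannot be derived from count alone. */
#define TYPE_MAX 9
static const int32_t type_width[TYPE_MAX + 1] = {
    0, /* 0: null */
    1, /* 1: char */
    1, /* 2: int8 */
    2, /* 3: int16 */
    4, /* 4: int32 */
    8, /* 5: int64 */
    0, /* 6: string */
    0, /* 7: bin */
    0, /* 8: string array */
    0, /* 9: i18n string */
};

enum hdr_verdict {
    HDR_OK = 0,
    HDR_BAD_TAG,     /* negative tag number: the case the fix above adds a check for */
    HDR_BAD_TYPE,
    HDR_BAD_COUNT,
    HDR_BAD_OFFSET,
    HDR_BAD_EXTENT   /* offset + count * width runs past the data blob */
};

/* Verify one index entry against the length of the data blob it indexes.
 * All extent arithmetic is done in int64_t so a huge count cannot wrap. */
enum hdr_verdict verify_entry(const hdr_entry *e, int32_t data_len)
{
    if (e->tag < 0)
        return HDR_BAD_TAG;
    if (e->type < 0 || e->type > TYPE_MAX)
        return HDR_BAD_TYPE;
    if (e->count < 0)
        return HDR_BAD_COUNT;
    if (e->offset < 0 || e->offset > data_len)
        return HDR_BAD_OFFSET;
    int64_t end = (int64_t)e->offset + (int64_t)e->count * type_width[e->type];
    if (end > data_len)
        return HDR_BAD_EXTENT;
    return HDR_OK;
}

/* Scalar wrapper so the checks can be exercised without building a struct. */
enum hdr_verdict verify_fields(int32_t tag, int32_t type, int32_t offset,
                               int32_t count, int32_t data_len)
{
    hdr_entry e = { tag, type, offset, count };
    return verify_entry(&e, data_len);
}

/* Decode the on-disk big-endian form of one 32-bit field. */
static int32_t be32(const uint8_t *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Decode and verify one raw 16-byte entry. */
enum hdr_verdict verify_raw_entry(const uint8_t raw[16], int32_t data_len)
{
    hdr_entry e = { be32(raw), be32(raw + 4), be32(raw + 8), be32(raw + 12) };
    return verify_entry(&e, data_len);
}

/* Constructed sample: an entry whose tag bytes are 0xFFFFFFFF, i.e. tag -1,
 * type int32 (4), offset 0, count 1, checked against an 8-byte data blob. */
static const uint8_t sample_negative_tag[16] = {
    0xFF, 0xFF, 0xFF, 0xFF,  0x00, 0x00, 0x00, 0x04,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x01
};

enum hdr_verdict check_sample(void)
{
    return verify_raw_entry(sample_negative_tag, 8);
}
```

The point of ordering the checks this way is that the tag and type are validated before they are ever used as an index or multiplier: type_width[e->type] is only read after e->type has been range-checked, and the tag is rejected before any later stage (such as dependency colouring in rpmteColorDS) could look it up.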
pmatilai (Contributor) commented Jun 28, 2017

The immediate crasher was already addressed, the underlying larger issue of tag validation will be tracked in #242 from here on.

@pmatilai pmatilai closed this Jun 28, 2017