heap out of bounds read in rpmfilesFDepends() #139

Closed
hannob opened this Issue Jan 28, 2017 · 1 comment

hannob commented Jan 28, 2017

The attached file causes an out of bounds heap read.
rpm-heap-oob-rpmfilesFDepends.zip

ASan error:

==27195==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000011d0 at pc 0x00000056a3e5 bp 0x7fff75d8fb10 sp 0x7fff75d8fb08
READ of size 4 at 0x6020000011d0 thread T0
    #0 0x56a3e4 in rpmfilesFDepends /f/rpm/rpm/lib/rpmfi.c:676:16
    #1 0x56a3e4 in rpmfiFDepends /f/rpm/rpm/lib/rpmfi.c:1809
    #2 0x5940b8 in rpmteColorDS /f/rpm/rpm/lib/rpmte.c:488:8
    #3 0x58f783 in addTE /f/rpm/rpm/lib/rpmte.c:188:5
    #4 0x58f783 in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #5 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
    #6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7efce4abc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)

0x6020000011d2 is located 0 bytes to the right of 2-byte region [0x6020000011d0,0x6020000011d2)
allocated by thread T0 here:
    #0 0x4cc7a8 in malloc (/r/rpm/rpm+0x4cc7a8)
    #1 0x67546e in rstrdup /f/rpm/rpm/rpmio/rpmmalloc.c:74:29
    #2 0x5dd0f4 in copyTdEntry /f/rpm/rpm/lib/header.c:1095:28
    #3 0x5d82af in intGetTdEntry /f/rpm/rpm/lib/header.c:1294:7
    #4 0x5d71b1 in headerGet /f/rpm/rpm/lib/header.c:1317:10
    #5 0x55f0bf in rpmfilesPopulate /f/rpm/rpm/lib/rpmfi.c:1448:2
    #6 0x55f0bf in rpmfilesNew /f/rpm/rpm/lib/rpmfi.c:1576
    #7 0x593a8c in getFiles /f/rpm/rpm/lib/rpmte.c:110:12
    #8 0x58f5db in addTE /f/rpm/rpm/lib/rpmte.c:173:16
    #9 0x58f5db in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #10 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
    #11 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #12 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #13 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #14 0x7efce4abc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #15 0x41c648 in _start (/r/rpm/rpm+0x41c648)

pmatilai added a commit that referenced this issue Feb 3, 2017

Sanity check header tag values. Like, doh.
There's a check for total number of tags, and their types and all
but absolutely no check for the actual tag numbers. So we end up
accepting negative tags which should not exist. The tag type should
really be uint32_t but that's another can of worms, let's have something
easily backportable for now.

This is enough to fix issues #133, #135, #136, #138 and #139 on the
level of detecting header structural inconsistency.

pmatilai added a commit that referenced this issue Feb 16, 2017

Sanity check header tag values. Like, doh.
There's a check for total number of tags, and their types and all
but absolutely no check for the actual tag numbers. So we end up
accepting negative tags which should not exist. The tag type should
really be uint32_t but that's another can of worms, let's have something
easily backportable for now.

This is enough to fix issues #133, #135, #136, #138 and #139 on the
level of detecting header structural inconsistency.

Backported from commit 3a07ba3:
headerVerifyInfo() is so different in git master we can't use the
same exact thing here. Instead we do things in two steps,
headerVerifyInfo() catches totally garbage values and duplicate
regions are caught in regionSwab().
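As an added illustration (not rpm's own headerVerifyInfo() or the fix referenced above), the following standalone C check applies the kind of tag/type/offset/count sanity test the commit message describes to one 16-byte RPM header index entry (four big-endian int32 fields). The per-type element sizes follow the RPM header format; the function names check_entry() and entry_is_sane() and the test inputs are constructed here.

```c
/* Added example: validate one RPM header index entry against the size of the
 * header data section.  Not rpm's code; names and inputs are constructed. */
#include <stdint.h>

#define MAX_TAG_TYPE 9   /* RPM type codes run 0 (NULL) .. 9 (I18NSTRING) */

/* Element size per type code; 0 marks variable-length string types. */
static const uint32_t type_size[MAX_TAG_TYPE + 1] = {0, 1, 1, 2, 4, 8, 0, 1, 0, 0};

static int32_t be32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Returns 1 if the entry is structurally sane, 0 otherwise. */
int entry_is_sane(const uint8_t entry[16], uint32_t data_len) {
    int32_t tag = be32(entry), type = be32(entry + 4);
    int32_t off = be32(entry + 8), cnt = be32(entry + 12);
    uint64_t end;

    if (tag < 0) return 0;                    /* negative tags must not exist */
    if (type < 0 || type > MAX_TAG_TYPE) return 0;
    if (off < 0 || cnt <= 0) return 0;        /* sign bit set = garbage */
    if ((uint32_t)off >= data_len) return 0;  /* start must be inside data */
    /* fixed-size types: the whole array must fit; 64-bit math avoids wrap */
    end = (uint64_t)off + (uint64_t)cnt * type_size[type];
    return end <= data_len;
}

static void put32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    p[0] = (uint8_t)(u >> 24); p[1] = (uint8_t)(u >> 16);
    p[2] = (uint8_t)(u >> 8);  p[3] = (uint8_t)u;
}

/* Build a constructed entry from its four fields and validate it. */
int check_entry(int32_t tag, int32_t type, int32_t off, int32_t cnt,
                uint32_t data_len) {
    uint8_t e[16];
    put32(e, tag); put32(e + 4, type); put32(e + 8, off); put32(e + 12, cnt);
    return entry_is_sane(e, data_len);
}
```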

pmatilai commented Jun 28, 2017

The immediate crasher was already addressed, the underlying larger issue of tag validation will be tracked in #242 from here on.

@pmatilai pmatilai closed this Jun 28, 2017
