rpmkeys out of bounds heap read in pgpPrtSubType, rpmpgp.c line 444 #148

Closed
hannob opened this Issue Feb 6, 2017 · 3 comments

hannob commented Feb 6, 2017

The attached file will cause an out of bounds heap read in "rpmkeys -K".

rpmkeys-pgpPrtSubType-rpmpgp-444.zip

Here's the address sanitizer output:

==15315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001a81 at pc 0x000000677361 bp 0x7fff631cdeb0 sp 0x7fff631cdea8
READ of size 8 at 0x602000001a81 thread T0
    #0 0x677360 in pgpPrtSubType /f/rpm/rpm/rpmio/rpmpgp.c:444:3
    #1 0x669d1d in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:594:6
    #2 0x669d1d in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:819
    #3 0x669d1d in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:978
    #4 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
    #5 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
    #6 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #7 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #8 0x7ff690a0078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #9 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x602000001a81 is located 1 bytes to the right of 16-byte region [0x602000001a70,0x602000001a80)
allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13

pmatilai added a commit that referenced this issue Feb 7, 2017

Fix out of bounds copy on malformed PGP packet (#148)
Validate the packet is of correct size for the keyid type before
copying. Ditto for similar code in signature creation time.
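The check the commit message describes, validating that a fixed-size subpacket body (8-byte issuer key ID, 4-byte creation time) really has that many bytes before copying it, as an added example in C. This is not rpm's code and does not reproduce rpmpgp.c: it is a standalone walker over an RFC 4880 signature subpacket area with constructed inputs (not the attachments from this issue), and the names parse_subpackets, sigparams_t and the example_* helpers are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4880 5.2.3.1 subpacket types whose bodies have a fixed size. */
#define PGPSUBTYPE_SIG_CREATE_TIME 2   /* 4-octet time */
#define PGPSUBTYPE_ISSUER_KEYID    16  /* 8-octet key ID */

typedef struct {
    uint8_t  keyid[8];
    int      have_keyid;
    uint32_t ctime;
    int      have_ctime;
} sigparams_t;

/* Decode a subpacket length (1, 2 or 5 octets). Returns the size of the
 * length field, or 0 if `avail` bytes cannot hold the whole field. */
static size_t subpkt_len(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 192) { *len = p[0]; return 1; }
    if (p[0] < 255) {
        if (avail < 2) return 0;
        *len = (((size_t)p[0] - 192) << 8) + p[1] + 192;
        return 2;
    }
    if (avail < 5) return 0;
    *len = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) | ((size_t)p[3] << 8) | p[4];
    return 5;
}

/* Walk a hashed or unhashed subpacket area of `hlen` bytes. Every read is
 * bounded by `hlen`, and fixed-size bodies must match their size exactly.
 * Returns 0 on success, -1 on malformed input. */
int parse_subpackets(const uint8_t *h, size_t hlen, sigparams_t *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof(*out));
    while (pos < hlen) {
        size_t len, hdr = subpkt_len(h + pos, hlen - pos, &len);
        if (hdr == 0 || len == 0)          /* truncated length, or no type octet */
            return -1;
        pos += hdr;
        if (len > hlen - pos)              /* declared length runs past the area */
            return -1;
        uint8_t type = h[pos] & 0x7f;      /* high bit is the "critical" flag */
        const uint8_t *body = h + pos + 1;
        size_t blen = len - 1;
        switch (type) {
        case PGPSUBTYPE_ISSUER_KEYID:
            /* The missing check: an unconditional 8-byte copy from a shorter
             * subpacket at the end of the area reads past the allocation. */
            if (blen != 8) return -1;
            memcpy(out->keyid, body, 8);
            out->have_keyid = 1;
            break;
        case PGPSUBTYPE_SIG_CREATE_TIME:
            if (blen != 4) return -1;      /* same rule for the 4-byte time */
            out->ctime = ((uint32_t)body[0] << 24) | ((uint32_t)body[1] << 16) |
                         ((uint32_t)body[2] << 8)  |  (uint32_t)body[3];
            out->have_ctime = 1;
            break;
        default:
            break;                         /* other types are skipped by length */
        }
        pos += len;
    }
    return 0;
}

/* Constructed test inputs (hypothetical, not taken from the issue). */
static const uint8_t WELLFORMED[] = {
    0x05, 0x02, 0x58, 0x98, 0x7e, 0x80,                         /* ctime 0x58987e80 */
    0x09, 0x10, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08  /* 8-byte issuer */
};
static const uint8_t SHORT_KEYID[] = { 0x05, 0x02, 0x58, 0x98, 0x7e, 0x80, 0x02, 0x10, 0xaa };
static const uint8_t SHORT_CTIME[] = { 0x03, 0x02, 0x00, 0x01 };
static const uint8_t OVERRUN[]     = { 0x09, 0x10, 0x01, 0x02 }; /* claims 9 bytes, has 3 */

/* Helpers that return results rather than printing them. */
int example_wellformed(void)   { sigparams_t p; return parse_subpackets(WELLFORMED, sizeof WELLFORMED, &p); }
int example_short_keyid(void)  { sigparams_t p; return parse_subpackets(SHORT_KEYID, sizeof SHORT_KEYID, &p); }
int example_short_ctime(void)  { sigparams_t p; return parse_subpackets(SHORT_CTIME, sizeof SHORT_CTIME, &p); }
int example_overrun(void)      { sigparams_t p; return parse_subpackets(OVERRUN, sizeof OVERRUN, &p); }
uint32_t example_wellformed_ctime(void)
{
    sigparams_t p;
    return parse_subpackets(WELLFORMED, sizeof WELLFORMED, &p) == 0 && p.have_ctime ? p.ctime : 0;
}
int example_wellformed_keyid_ok(void)
{
    static const uint8_t want[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    sigparams_t p;
    return parse_subpackets(WELLFORMED, sizeof WELLFORMED, &p) == 0 && p.have_keyid &&
           memcmp(p.keyid, want, 8) == 0;
}

int main(void)
{
    printf("wellformed: %d ctime=0x%08x keyid_ok=%d\n", example_wellformed(),
           example_wellformed_ctime(), example_wellformed_keyid_ok());
    printf("short keyid: %d, short ctime: %d, overrun: %d\n",
           example_short_keyid(), example_short_ctime(), example_overrun());
    return 0;
}
```

The SHORT_KEYID input is the shape behind the first ASan report: an issuer subpacket declaring a 1-byte body at the very end of the area, where an unchecked 8-byte copy would read past the allocation. Rejecting a size mismatch outright, rather than copying what is there, also keeps a truncated key ID from being treated as a valid issuer.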

pmatilai commented Feb 7, 2017

Thanks for the report, fixed in commit 657553f.
This needs backporting to older versions too (so keeping open for now)

hannob commented Feb 7, 2017

Just for completeness: Here's a different file triggering an out-of-bounds read a few lines earlier. It seems it is fixed by the same commit (sidenote: I think it'd be a good idea to have regression tests with all the fuzzed files that triggered bugs).

rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip

asan message (from a 4.13.0 compile):

==27208==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000019bd at pc 0x000000677a6a bp 0x7ffe5597dc70 sp 0x7ffe5597dc68
READ of size 4 at 0x6020000019bd thread T0
    #0 0x677a69 in pgpPrtSubType /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:427:3
    #1 0x66a45d in pgpPrtSig /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:594:6
    #2 0x66a45d in pgpPrtPkt /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:819
    #3 0x66a45d in pgpPrtParams /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:978
    #4 0x592c67 in rpmSigInfoParse /f/rpm/rpm-4.13.0/lib/signature.c:90:6
    #5 0x52d789 in rpmpkgVerifySigs /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:270:7
    #6 0x52f19a in rpmcliVerifySignatures /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:388:13
    #7 0x50415d in main /f/rpm/rpm-4.13.0/rpmkeys.c:70:7
    #8 0x7f36453fb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #9 0x41c4a8 in _start (/f/rpm/rpm-4.13.0/rpmkeys+0x41c4a8)

0x6020000019bd is located 0 bytes to the right of 13-byte region [0x6020000019b0,0x6020000019bd)
allocated by thread T0 here:
    #0 0x4cc608 in malloc (/f/rpm/rpm-4.13.0/rpmkeys+0x4cc608)
    #1 0x664d64 in rmalloc /f/rpm/rpm-4.13.0/rpmio/rpmmalloc.c:44:13

pmatilai added a commit that referenced this issue Feb 16, 2017

Fix out of bounds copy on malformed PGP packet (#148)
Validate the packet is of correct size for the keyid type before
copying. Ditto for similar code in signature creation time.

(cherry picked from commit 657553f)

pmatilai commented Feb 17, 2017

Rpm 4.13.0.1 released with the fix, closing.

pmatilai closed this Feb 17, 2017
