rpmkeys out of bound heap read in pgpPrtSig, rpmpgp.c:533 #149

Closed
hannob opened this Issue Feb 7, 2017 · 2 comments


hannob commented Feb 7, 2017

The attached file triggers an out of bounds heap read in rpmkeys -K.

rpmkeys-heap-oob-pgpPrtSig-rpmpgp-533.zip

asan error with current git (you get more meaningful ones with ASAN_OPTIONS="fast_unwind_on_malloc=0"):

==23681==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001a80 at pc 0x00000066c870 bp 0x7fff5c578470 sp 0x7fff5c578468
READ of size 1 at 0x602000001a80 thread T0
    #0 0x66c86f in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:533:23
    #1 0x66c86f in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:823
    #2 0x66c86f in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:982
    #3 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
    #4 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7f9783a7378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x602000001a80 is located 0 bytes to the right of 16-byte region [0x602000001a70,0x602000001a80)
allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x5d0677 in copyTdEntry /f/rpm/rpm/lib/header.c:1096:12
    #3 0x5cf8e4 in headerNext /f/rpm/rpm/lib/header.c:1712:7
    #4 0x52d310 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:262:12
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7f9783a7378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

pmatilai added a commit that referenced this issue Feb 8, 2017

Fix out of bounds read(s) when determining PGP packet version (#149)
Add a helper function for checking boundaries (can I have just one
teeny weeny bite - erm - byte, please?) and returning the version,
use systematically where it matters.

It *might* be okay to do this at start of pgpPrtPkt() once and for all,
but then AFAICT OpenPGP does not forbid zero length body in general,
plus there are multiple callers for getFingerprint() so might as well
check individually in the callers that actually care.
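The fix described in the commit message is a single-byte bounds check before the version byte of a packet body is read. The following is an added example, not rpm's own code: a hypothetical `pgp_packet_version()` helper in the spirit of that fix, plus a minimal signature-body length checker that uses it. The return codes and function names are assumptions for this example; the fixed header sizes (19 bytes for a v3 signature, 6 bytes before the hashed subpackets of a v4 signature) are the ones RFC 4880 defines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes for this example (assumed, not rpm's API). */
#define PGP_OK         0
#define PGP_ERR_SHORT  1   /* body too short to hold the byte(s) we need */
#define PGP_ERR_BADVER 2   /* version byte holds a value we do not parse */

/*
 * Bounds-checked read of the version byte that begins a packet body.
 * The report above came from reading h[0] without checking hlen: a
 * zero-length body then reads one byte past the heap allocation.
 */
static int pgp_packet_version(const uint8_t *h, size_t hlen, uint8_t *version)
{
    if (h == NULL || hlen < 1)
        return PGP_ERR_SHORT;   /* "can I have just one byte, please?" */
    *version = h[0];
    return PGP_OK;
}

/*
 * Minimal signature-body check: read the version safely, then make sure
 * the fixed-size header that the version implies is actually present.
 * Only lengths are validated here; field contents are not interpreted.
 */
static int parse_sig_body(const uint8_t *h, size_t hlen)
{
    uint8_t version;
    int rc = pgp_packet_version(h, hlen, &version);
    if (rc != PGP_OK)
        return rc;

    switch (version) {
    case 3:
        /* v3 (RFC 4880 5.2.2): version, hashed-material length, sig type,
         * 4-byte time, 8-byte key id, pubkey alg, hash alg, 2-byte hash
         * prefix = 19 bytes before the MPIs. */
        return hlen >= 19 ? PGP_OK : PGP_ERR_SHORT;
    case 4:
        /* v4 (RFC 4880 5.2.3): version, sig type, pubkey alg, hash alg,
         * 2-byte hashed subpacket length = 6 bytes before subpacket data. */
        return hlen >= 6 ? PGP_OK : PGP_ERR_SHORT;
    default:
        return PGP_ERR_BADVER;
    }
}

int main(void)
{
    /* Constructed inputs: an empty body (the crashing case), a truncated
     * v4 header, a complete v4 header prefix, and an unknown version. */
    const uint8_t empty[1] = { 0 };
    const uint8_t v4_short[3] = { 4, 0x00, 1 };
    const uint8_t v4_ok[6] = { 4, 0x00, 1, 8, 0, 0 };
    const uint8_t unknown[1] = { 9 };

    printf("empty body:   %d\n", parse_sig_body(empty, 0));        /* 1 */
    printf("short v4:     %d\n", parse_sig_body(v4_short, 3));     /* 1 */
    printf("v4 header:    %d\n", parse_sig_body(v4_ok, 6));        /* 0 */
    printf("version 9:    %d\n", parse_sig_body(unknown, 1));      /* 2 */
    return 0;
}
```

The zero-length call is the case AddressSanitizer flagged: with the check in place it is rejected with a length error instead of reading past the 16-byte region.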

pmatilai Feb 8, 2017

Contributor

Thanks for the report, fixed in commit 4ab3e0c.

This too needs backporting...


pmatilai added a commit that referenced this issue Feb 16, 2017

Fix out of bounds read(s) when determining PGP packet version (#149)
Add a helper function for checking boundaries (can I have just one
teeny weeny bite - erm - byte, please?) and returning the version,
use systematically where it matters.

It *might* be okay to do this at start of pgpPrtPkt() once and for all,
but then AFAICT OpenPGP does not forbid zero length body in general,
plus there are multiple callers for getFingerprint() so might as well
check individually in the callers that actually care.

(cherry picked from commit 4ab3e0c)

pmatilai Feb 17, 2017

Contributor

Rpm 4.13.0.1 released with the fix, closing.


@pmatilai pmatilai closed this Feb 17, 2017
