rpmkeys out of bounds read in pgpPrtSig, rpmpgp.c:633 #151

Closed
hannob opened this Issue Feb 8, 2017 · 2 comments

hannob commented Feb 8, 2017

The attached file causes an out of bounds read in pgpPrtSig. This is a different bug from #149, although it's in the same function.
oob-heap-pgpPrtSig-rpmpgp-633.zip

Here's the asan output:

==10690==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001a9f at pc 0x00000066c892 bp 0x7ffda160f2f0 sp 0x7ffda160f2e8
READ of size 2 at 0x602000001a9f thread T0
    #0 0x66c891 in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:633:6
    #1 0x66c891 in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:842
    #2 0x66c891 in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:1003
    #3 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
    #4 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7fd009f7878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x602000001a9f is located 0 bytes to the right of 15-byte region [0x602000001a90,0x602000001a9f)
allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x5d0677 in copyTdEntry /f/rpm/rpm/lib/header.c:1096:12
    #3 0x5cf8e4 in headerNext /f/rpm/rpm/lib/header.c:1712:7
    #4 0x52d310 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:262:12
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7fd009f7878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

pmatilai added a commit that referenced this issue Feb 14, 2017

Validate boundaries for pgpGrab() when reading V4 signatures (#151)
In V4 signature packets there are multiple data sections, whose length
is stored as two bytes before the data. We've been checking the data
boundaries, but a truncated/malformed packet might be missing the
length data too. Add + use a little helper function to check the
length is actually there.
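The check the commit message describes, written out as an added example that is not rpm's own code: a walk over the two length-prefixed subpacket areas of a V4 signature body that confirms the two length bytes are present before reading them, in addition to the existing check on the data they describe. The helper names (grab_be, have_bytes, parse_v4_sig) and the sample packets are assumptions constructed for this example; rpm's pgpGrab() and the real code in rpmpgp.c are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not rpm's code. Helper names are hypothetical. */

/* Big-endian read of nbytes (1..4) from p. Like rpm's pgpGrab(), it does
 * no bounds checking of its own; the caller must guarantee the bytes exist. */
static uint32_t grab_be(const uint8_t *p, size_t nbytes)
{
    uint32_t v = 0;
    for (size_t i = 0; i < nbytes; i++)
        v = (v << 8) | p[i];
    return v;
}

/* The kind of check the fix adds: are `need` bytes available in [p, pend)?
 * Computed as a distance rather than p + need, so it cannot wrap. */
static int have_bytes(const uint8_t *p, const uint8_t *pend, size_t need)
{
    return p <= pend && (size_t)(pend - p) >= need;
}

/*
 * Parse a V4 signature body up to (not including) the MPIs:
 *   version(1) sigtype(1) pubkey-alg(1) hash-alg(1)
 *   hashed-len(2)   hashed-subpackets(hashed-len)
 *   unhashed-len(2) unhashed-subpackets(unhashed-len)
 *   left16(2)
 * Returns 0 on success, -1 for anything truncated or malformed.
 * hashed_len / unhashed_len may be NULL.
 */
int parse_v4_sig(const uint8_t *pkt, size_t len,
                 size_t *hashed_len, size_t *unhashed_len)
{
    const uint8_t *p = pkt;
    const uint8_t *pend = pkt + len;
    size_t area[2];

    if (!have_bytes(p, pend, 4) || p[0] != 4)
        return -1;
    p += 4;

    for (int i = 0; i < 2; i++) {
        /* Length-field check: without it, a packet ending right here
         * would have its 2 length bytes read from past the buffer end. */
        if (!have_bytes(p, pend, 2))
            return -1;
        area[i] = grab_be(p, 2);
        p += 2;
        /* Data-boundary check (the one the commit says already existed). */
        if (!have_bytes(p, pend, area[i]))
            return -1;
        p += area[i];
    }

    if (!have_bytes(p, pend, 2))   /* left 16 bits of the signed hash */
        return -1;

    if (hashed_len)   *hashed_len = area[0];
    if (unhashed_len) *unhashed_len = area[1];
    return 0;
}

/* Constructed samples (not the reporter's attached file). */
static const uint8_t sample_ok[] = {
    4, 0x00, 1, 8,          /* v4, binary sig, RSA, SHA-256 */
    0x00, 0x02, 0xAA, 0xBB, /* hashed area: 2 bytes */
    0x00, 0x00,             /* unhashed area: empty */
    0x12, 0x34              /* left 16 bits of hash */
};
/* Ends right after the hashed data: the unhashed length bytes are absent. */
static const uint8_t sample_missing_len[] = {
    4, 0x00, 1, 8, 0x00, 0x02, 0xAA, 0xBB
};
/* Only one of the two length bytes is present. */
static const uint8_t sample_half_len[] = {
    4, 0x00, 1, 8, 0x00, 0x02, 0xAA, 0xBB, 0x00
};
/* Length field claims more data than the packet holds. */
static const uint8_t sample_long_len[] = {
    4, 0x00, 1, 8, 0x00, 0x10, 0xAA
};

int main(void)
{
    size_t h = 0, u = 0;
    printf("ok:          %d\n", parse_v4_sig(sample_ok, sizeof sample_ok, &h, &u));
    printf("  hashed=%zu unhashed=%zu\n", h, u);
    printf("missing_len: %d\n", parse_v4_sig(sample_missing_len, sizeof sample_missing_len, NULL, NULL));
    printf("half_len:    %d\n", parse_v4_sig(sample_half_len, sizeof sample_half_len, NULL, NULL));
    printf("long_len:    %d\n", parse_v4_sig(sample_long_len, sizeof sample_long_len, NULL, NULL));
    return 0;
}
```

sample_missing_len ends exactly where the second length field should begin, which is the shape the ASan trace above reports: a 2-byte read starting 0 bytes past the end of the allocated region. Only the first sample parses; the other three are rejected before any read past pend.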
Contributor

pmatilai commented Feb 14, 2017

Pooh. Thanks for the report, fixed in commit e125247.
Actually commit b04dcc3 already prevented this from happening but doesn't hurt...

Needs backporting so leaving it open for now.

pmatilai added a commit that referenced this issue Feb 16, 2017

Validate boundaries for pgpGrab() when reading V4 signatures (#151)
In V4 signature packets there are multiple data sections, whose length
is stored as two bytes before the data. We've been checking the data
boundaries, but a truncated/malformed packet might be missing the
length data too. Add + use a little helper function to check the
length is actually there.

(cherry picked from commit e125247)
Contributor

pmatilai commented Feb 17, 2017

Rpm 4.13.0.1 released with the fix, closing.

pmatilai closed this Feb 17, 2017