There’s a null pointer dereference bug in libparted/libparted.c that can cause a seg fault. I reproduced it by compiling under Address Sanitizer.
Specifically on line 239+, this part here:
```C
/* libparted/libparted.c (excerpt): ped_malloc reports an allocation
 * failure through ped_exception_throw and then returns NULL. */
void*
ped_malloc (size_t size)
{
        void*   mem;

        mem = (void*) malloc (size);
        if (!mem) {
                ped_exception_throw (PED_EXCEPTION_FATAL, PED_EXCEPTION_CANCEL,
                                     _("Out of memory."));
                return NULL;
        }
        return mem;
}

/* ped_calloc passes ped_malloc's result straight to memset with no
 * NULL check, so an allocation failure becomes a NULL dereference. */
void*
ped_calloc (size_t size)
{
        void*   buf = ped_malloc (size);

        memset (buf, 0, size);
        return buf;
}
```
You can see above that ped_malloc can return NULL in line 248 of the code but
ped_calloc does not check for NULL values. It then calls memset on a NULL
resulting in the seg fault.
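To make the fix concrete, here is an added stand-alone C illustration of the missing NULL check; it is not code from the report or from the attached patch.diff, and it does not touch libparted. The names demo_malloc, demo_calloc_unchecked, demo_calloc_fixed and inject_malloc_failure are constructed for the example, and an fprintf stands in for ped_exception_throw. The failure-injection flag plays the same role as the fail-ped-malloc hook in the PoC output: it forces the allocator to return NULL so the wrapper's behaviour on that path can be checked without running out of memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed test hook: when nonzero, demo_malloc() returns NULL to
 * simulate an out-of-memory condition (like the PoC's failure injection). */
static int inject_malloc_failure = 0;

/* Mirrors ped_malloc: report the failure, then return NULL to the caller. */
static void *demo_malloc(size_t size)
{
    void *mem = inject_malloc_failure ? NULL : malloc(size);
    if (!mem) {
        /* libparted raises a PED_EXCEPTION_FATAL here; stderr stands in. */
        fprintf(stderr, "Out of memory.\n");
        return NULL;
    }
    return mem;
}

/* Mirrors the reported ped_calloc: no NULL check, so memset() on NULL is
 * undefined behaviour and segfaults in practice. Never called with
 * failure injection enabled in this example. */
static void *demo_calloc_unchecked(size_t size)
{
    void *buf = demo_malloc(size);
    memset(buf, 0, size);
    return buf;
}

/* Hardened form: propagate the NULL instead of dereferencing it. The
 * caller already got the "Out of memory." exception from demo_malloc. */
static void *demo_calloc_fixed(size_t size)
{
    void *buf = demo_malloc(size);
    if (!buf)
        return NULL;
    memset(buf, 0, size);
    return buf;
}

/* Returns 1 if the fixed wrapper survives an injected allocation failure
 * by returning NULL rather than crashing. */
int fixed_calloc_handles_failure(void)
{
    inject_malloc_failure = 1;
    void *buf = demo_calloc_fixed(16);   /* same size as in the PoC output */
    inject_malloc_failure = 0;
    return buf == NULL;
}

/* Returns 1 if, when allocation succeeds, the wrapper hands back a buffer
 * whose every byte is zero (the calloc contract it must still honour). */
int fixed_calloc_zeroes_buffer(size_t size)
{
    unsigned char *buf = demo_calloc_fixed(size);
    if (!buf)
        return 0;
    int ok = 1;
    for (size_t i = 0; i < size; i++) {
        if (buf[i] != 0) {
            ok = 0;
            break;
        }
    }
    free(buf);
    return ok;
}

int main(void)
{
    unsigned char *p = demo_calloc_unchecked(8);   /* safe: no injection */
    free(p);
    printf("fixed wrapper on injected failure: %s\n",
           fixed_calloc_handles_failure() ? "returned NULL (safe)" : "UNEXPECTED");
    printf("fixed wrapper on success: %s\n",
           fixed_calloc_zeroes_buffer(64) ? "zeroed buffer" : "UNEXPECTED");
    return 0;
}
```

Compiling this with `-fsanitize=address` and calling demo_calloc_unchecked with inject_malloc_failure set reproduces the same class of crash as the PoC, which is why the example only exercises the fixed wrapper on the failure path. Callers of a fixed ped_calloc must, of course, also check for NULL themselves; the wrapper fix only moves the crash out of libparted's allocator.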
I freshly compiled under Raspbian on Raspberry Pi 5 (aarch64) to show the bug
works. I’m attaching a file, poc.sh, to trigger the seg fault under a parted
build with ASAN enabled. I’m also attaching the patch.
You run the POC after making sure you have the ASAN build in your path, like:
```sh
$ ASAN_PRELOAD="$ASAN" LD_LIBRARY_PATH=/home/dan/local/parted-asan/lib \
  PARTED_BIN=/home/dan/local/parted-asan/sbin/parted ./poc.sh
```
I also ran the POC against the patched code and the patch works!
Full disclosure: I found this by using the N184 bug and security vulnerability
scanner. I wrote the bug report and patch myself. You can read more about
N184 here: https://github.com/MillaFleurs/N184
Let me know if you have any questions.
Thanks,
Dan
patch.diff
Description: Binary data
poc.sh
Description: Binary data
```
created ./ped-calloc-null-mbr.img
image layout: raw MBR disk image with one Linux partition
Running with ped_malloc failure injected only from a ped_calloc() call stack:
/home/dan/local/parted-asan/sbin/parted -s ./ped-calloc-null-mbr.img unit s print
parted exit status: 139
stderr:
fail-ped-malloc: returning NULL for ped_malloc(16) from ped_calloc stack
You found a bug in GNU Parted! Here's what you have to do:

Don't panic! The bug has most likely not affected any of your data.
Help us to fix this bug by doing the following:

Check whether the bug has already been fixed by checking
the last version of GNU Parted that you can find at:

        http://ftp.gnu.org/gnu/parted/

Please check this version prior to bug reporting.

If this has not been fixed yet or if you don't know how to check,
please visit the GNU Parted website:

        http://www.gnu.org/software/parted

for further information.

Your report should contain the version of this release (3.7.5-4fdb)
along with the error message below, the output of

        parted DEVICE unit co print unit s print

and the following history of commands you entered.
Also include any additional information about your setup you
consider important.
Segmentation fault (core dumped)
BUG TRIGGERED: real GNU Parted crashed after ped_calloc() received NULL.
```
