Hi Tomasz, Thanks for your quick follow-up!
On Sun, Feb 26, 2017 at 02:33:23PM +0100, Tomasz Buchert wrote:
> On 26/02/17 13:19, Salvatore Bonaccorso wrote:
> > [...]
>
> Does it really affect 0.8.1 in stable?
> If yes, then why not 1.1.7 in testing too (which makes the bug RC)?
The BTS should track that correctly, and mark 1.1.7-1 as well as
affected (there actually I was not able to produce the out-of-bounds
read with the reproducer, but that does not mean the issue is not
there, maybe just covered by something else).
For stable and unstable the issue is seen easily by compiling
pax-utils with ASAN, and using the reproducer, causing:
root@sid:~# cd pax-utils-1.2.2/
root@sid:~/pax-utils-1.2.2# ./scanelf -s '*' -axetrnibSDIYZB ~/poc
scanelf: /root/poc: Invalid section header info (2)
=================================================================
==10193==ERROR: AddressSanitizer: unknown-crash on address 0x7f5b7b29c3a0 at pc
0x55b1450a0394 bp 0x7ffc5cb94f50 sp 0x7ffc5cb94f48
READ of size 4 at 0x7f5b7b29c3a0 thread T0
#0 0x55b1450a0393 in scanelf_file_get_symtabs scanelf.c:357
#1 0x55b1450b3634 in scanelf_file_sym scanelf.c:1282
#2 0x55b1450b76af in scanelf_elfobj scanelf.c:1502
#3 0x55b1450b7fbe in scanelf_elf scanelf.c:1567
#4 0x55b1450b86ce in scanelf_fileat scanelf.c:1634
#5 0x55b1450b892f in scanelf_dirat scanelf.c:1668
#6 0x55b1450b8ea9 in scanelf_dir scanelf.c:1718
#7 0x55b1450bc306 in parseargs scanelf.c:2228
#8 0x55b1450bc897 in main scanelf.c:2316
#9 0x7f5b79d752b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#10 0x55b145099959 in _start (/root/pax-utils-1.2.2/scanelf+0x11959)
AddressSanitizer can not describe address in more detail (wild memory access
suspected).
SUMMARY: AddressSanitizer: unknown-crash scanelf.c:357 in
scanelf_file_get_symtabs
Shadow bytes around the buggy address:
0x0febef64b820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b860: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0febef64b870: fe fe fe fe[fe]fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b890: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b8a0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b8b0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0febef64b8c0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10193==ABORTING
The same for 0.8.1. The same issue *should* be in 1.1.7, but I suspect
the issue is somehow covered/masked here.
*but* I do not think this is RC (have chosen severity important), and
I don't think it would warrant a DSA on its own at least.
Regards,
Salvatore
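The ASAN report above is an out-of-bounds read while scanelf resolves symbol tables from section headers of a malformed ELF. As an added illustration of the defensive check such a parser needs (example code written here, not pax-utils' own code; the struct layouts mirror <elf.h> and the sample image is constructed), the C below refuses any section index, including a symtab's sh_link, that does not lie fully inside the file image:

```c
#include <stdint.h>
#include <string.h>
/* Minimal ELF64 layouts (field order as in <elf.h>), local so it builds anywhere. */
typedef struct {
    uint8_t e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;
typedef struct {
    uint32_t sh_name, sh_type; uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize;
} Shdr64;

/* Return section header `idx` only if the whole table and that entry lie
 * inside the `len`-byte file image; otherwise NULL. */
const Shdr64 *elf64_shdr_checked(const uint8_t *buf, size_t len, uint64_t idx) {
    Ehdr64 eh;
    if (len < sizeof eh) return NULL;
    memcpy(&eh, buf, sizeof eh);                          /* no unaligned reads */
    if (eh.e_shentsize != sizeof(Shdr64) || idx >= eh.e_shnum) return NULL;
    uint64_t tbl = (uint64_t)eh.e_shnum * eh.e_shentsize; /* cannot overflow */
    if (eh.e_shoff > len || tbl > len - eh.e_shoff) return NULL;
    return (const Shdr64 *)(buf + eh.e_shoff + idx * sizeof(Shdr64));
}

/* A symtab's sh_link names its string table; validate that index the same
 * way rather than trusting "section header info" read from the file. */
const Shdr64 *elf64_linked_strtab(const uint8_t *buf, size_t len, uint64_t sym_idx) {
    const Shdr64 *sym = elf64_shdr_checked(buf, len, sym_idx), *link;
    Shdr64 s, st;
    if (!sym) return NULL;
    memcpy(&s, sym, sizeof s);
    link = elf64_shdr_checked(buf, len, s.sh_link);
    if (!link || link == sym) return NULL;
    memcpy(&st, link, sizeof st);
    return st.sh_type == 3 /* SHT_STRTAB */ ? link : NULL;
}

/* Constructed image: ELF header + 3 section headers; section 1 is a SHT_SYMTAB
 * whose sh_link the caller chooses. Returns the image length (0 if cap too small). */
size_t build_sample(uint8_t *out, size_t cap, uint32_t symtab_link) {
    Ehdr64 eh = {0}; Shdr64 sh[3] = {{0}};
    if (cap < sizeof eh + sizeof sh) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_shoff = sizeof eh; eh.e_shentsize = sizeof(Shdr64); eh.e_shnum = 3;
    sh[1].sh_type = 2 /* SHT_SYMTAB */; sh[1].sh_link = symtab_link;
    sh[2].sh_type = 3 /* SHT_STRTAB */;
    memcpy(out, &eh, sizeof eh); memcpy(out + sizeof eh, sh, sizeof sh);
    return sizeof eh + sizeof sh;
}
```

Passing a truncated length, an index past e_shnum, or a symtab whose sh_link points outside the table all yield NULL instead of a wild read.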