Your message dated Tue, 11 Feb 2014 19:50:58 +0000
with message-id <e1wdjma-0005ct...@franck.debian.org>
and subject line Bug#730487: fixed in libxdg-basedir 1.2.0-1
has caused the Debian Bug report #730487,
regarding libxdg-basedir: Writing beyond allocated buffer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
730487: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730487
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxdg-basedir1
Version: 1.1.1-2
Severity: critical
File: libxdg-basedir
Tags: patch upstream

Dear Maintainer,

Any application using xdgDataHome, xdgConfigHome and possibly others will trigger invalid reads and writes in valgrind. For example, the following code:
        const char *xdg_data_home = xdgDataHome(NULL);
        printf("%s\n", xdg_data_home);

It triggers:
==14808== Invalid write of size 1
==14808==    at 0x4C2D97A: memcpy@GLIBC_2.2.5 (mc_replace_strmem.c:881)
==14808==    by 0x4E352A0: xdgGetRelativeHome (basedir.c:577)
==14808==    by 0x4006A5: main (in /tmp/a.out)
==14808==  Address 0x53e305b is 0 bytes after a block of size 27 alloc'd
==14808==    at 0x4C294A0: malloc (vg_replace_malloc.c:291)
==14808==    by 0x4E35278: xdgGetRelativeHome (basedir.c:575)
==14808==    by 0x4006A5: main (in /tmp/a.out)
==14808==
==14808== Invalid read of size 1
==14808==    at 0x4C2C954: __GI_strlen (mc_replace_strmem.c:405)
==14808==    by 0x50A42DB: puts (ioputs.c:36)
==14808==    by 0x4006B5: main (in /tmp/a.out)
==14808==  Address 0x53e305b is 0 bytes after a block of size 27 alloc'd
==14808==    at 0x4C294A0: malloc (vg_replace_malloc.c:291)
==14808==    by 0x4E35278: xdgGetRelativeHome (basedir.c:575)
==14808==    by 0x4006A5: main (in /tmp/a.out)
==14808==

The solution is simple: add a +1 to the malloc in line 575 of basedir.c.
This is because it uses the +1 on line 577 when limiting the amount of data that is to be copied.

Attached are:
 * a full test case
 * full result of valgrind before patching the library
 * the patch for the library
 * full result of valgrind after patching the library

I'm in doubt whether this is really this critical or not; I could imagine ways that, under certain circumstances, it is possible to crash users of this library. Especially when this allocation happens at the end of a page and the next page isn't valid: then writing the last byte/character could trigger a segmentation fault. Furthermore, the last byte could corrupt the memory management pointers at the beginning of allocations, causing malloc and/or free to crash, as well as malloc/free overwriting the last byte and the string then becoming longer due to the missing '\0' termination, causing applications to crash when, e.g., strdup allocates the memory based on strlen before allocation, then allocates and corrupts the string, and finally memcpy-ing but not '\0'-terminating the duplicated string. These are all hypothetical though.

Regards,
Remko Bijker

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libxdg-basedir1 depends on:
ii  libc6  2.17-96

libxdg-basedir1 recommends no packages.

libxdg-basedir1 suggests no packages.

-- no debconf information
==14838== Memcheck, a memory error detector
==14838== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==14838== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==14838== Command: ./a.out
==14838== 
/home/rubidium/.local/share
==14838== 
==14838== HEAP SUMMARY:
==14838==     in use at exit: 0 bytes in 0 blocks
==14838==   total heap usage: 1 allocs, 1 frees, 28 bytes allocated
==14838== 
==14838== All heap blocks were freed -- no leaks are possible
==14838== 
==14838== For counts of detected and suppressed errors, rerun with: -v
==14838== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
==14808== Memcheck, a memory error detector
==14808== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==14808== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==14808== Command: ./a.out
==14808== 
==14808== Invalid write of size 1
==14808==    at 0x4C2D97A: memcpy@GLIBC_2.2.5 (mc_replace_strmem.c:881)
==14808==    by 0x4E352A0: xdgGetRelativeHome (basedir.c:577)
==14808==    by 0x4006A5: main (in /tmp/a.out)
==14808==  Address 0x53e305b is 0 bytes after a block of size 27 alloc'd
==14808==    at 0x4C294A0: malloc (vg_replace_malloc.c:291)
==14808==    by 0x4E35278: xdgGetRelativeHome (basedir.c:575)
==14808==    by 0x4006A5: main (in /tmp/a.out)
==14808== 
==14808== Invalid read of size 1
==14808==    at 0x4C2C954: __GI_strlen (mc_replace_strmem.c:405)
==14808==    by 0x50A42DB: puts (ioputs.c:36)
==14808==    by 0x4006B5: main (in /tmp/a.out)
==14808==  Address 0x53e305b is 0 bytes after a block of size 27 alloc'd
==14808==    at 0x4C294A0: malloc (vg_replace_malloc.c:291)
==14808==    by 0x4E35278: xdgGetRelativeHome (basedir.c:575)
==14808==    by 0x4006A5: main (in /tmp/a.out)
==14808== 
/home/rubidium/.local/share
==14808== 
==14808== HEAP SUMMARY:
==14808==     in use at exit: 0 bytes in 0 blocks
==14808==   total heap usage: 1 allocs, 1 frees, 27 bytes allocated
==14808== 
==14808== All heap blocks were freed -- no leaks are possible
==14808== 
==14808== For counts of detected and suppressed errors, rerun with: -v
==14808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)
diff -Nupr libxdg-basedir-1.1.1.orig/src/basedir.c libxdg-basedir-1.1.1/src/basedir.c
--- libxdg-basedir-1.1.1.orig/src/basedir.c	2013-11-25 16:07:09.864380760 +0100
+++ libxdg-basedir-1.1.1/src/basedir.c	2013-11-25 16:09:07.452378162 +0100
@@ -572,7 +572,7 @@ static char * xdgGetRelativeHome(const c
 		unsigned int homelen;
 		if (!(home = xdgGetEnv("HOME")))
 			return NULL;
-		if (!(relhome = (char*)malloc((homelen = strlen(home))+fallbacklength))) return NULL;
+		if (!(relhome = (char*)malloc((homelen = strlen(home))+fallbacklength+1))) return NULL;
 		memcpy(relhome, home, homelen);
 		memcpy(relhome+homelen, relativefallback, fallbacklength+1);
 	}
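Review bot: the +1 on the malloc is the right fix for the line two below it, since memcpy(relhome+homelen, relativefallback, fallbacklength+1) copies fallbacklength+1 bytes (the fallback plus its terminating NUL) into a block that previously held only homelen+fallbacklength bytes. Two smaller points on the same lines: the allocation length is accumulated in `unsigned int homelen` from strlen(), which returns size_t, so the size silently truncates for a HOME value longer than UINT_MAX bytes (not reachable through a normal environment, but cheap to make size_t), and folding the assignment into the malloc argument hides exactly the length arithmetic this bug was about. Consider splitting it as `homelen = strlen(home);` / `relhome = malloc(homelen + fallbacklength + 1); /* +1 for NUL */` so the NUL accounting is visible at the allocation site.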
#include <stdlib.h>
#include <stdio.h>
#include <basedir.h>

/* Minimal reproducer: ask libxdg-basedir for the data home directory
 * ($XDG_DATA_HOME, falling back to $HOME/.local/share) and print it.
 * Build with -lxdg-basedir and run under valgrind to see the one-byte
 * overflow in xdgGetRelativeHome. */
int main(void)
{
	/* Passing NULL makes the library allocate the result; the caller frees it. */
	const char *xdg_data_home = xdgDataHome(NULL);
	if (xdg_data_home == NULL) {
		/* The library returns NULL when HOME is unset or malloc fails. */
		fprintf(stderr, "xdgDataHome failed\n");
		return 1;
	}
	printf("%s\n", xdg_data_home);
	free((void*)xdg_data_home); /* cast away const: the buffer is malloc'd */

	return 0;
}

--- End Message ---
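As an added example (not code from the bug report or from libxdg-basedir), the following C reproduces the length arithmetic the report describes: the size the old code allocated, the number of bytes the two memcpy calls write, a controlled demonstration that the old copy sequence writes one byte past the block, and the corrected join. The function names and the sample $HOME value are assumptions; the sample lengths were chosen so the sizes match the 27- and 28-byte blocks in the valgrind output above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical re-creation of the concatenation step in xdgGetRelativeHome
 * (not the library's code): join $HOME with a relative fallback such as
 * "/.local/share" into a newly malloc'd string.
 */

/* Bytes the two memcpy calls in the report actually write: home, fallback,
 * and the fallback's terminating NUL (that is the "+1" on line 577). */
size_t bytes_copied(const char *home, const char *fallback)
{
    return strlen(home) + strlen(fallback) + 1;
}

/* Size the pre-fix code (basedir.c:575) requested from malloc: one byte short. */
size_t old_alloc_size(const char *home, const char *fallback)
{
    return strlen(home) + strlen(fallback);
}

/* Size the patched code requests: equal to bytes_copied(). */
size_t fixed_alloc_size(const char *home, const char *fallback)
{
    return strlen(home) + strlen(fallback) + 1;
}

/*
 * Reproduce the overflow in a controlled way: allocate what the old code
 * allocated plus one guard byte that we own, run the old copy sequence, and
 * report whether the guard (the first byte past the intended block) changed.
 * Returns 1 if the guard was overwritten, 0 if not, -1 on malloc failure.
 * In the real library that byte belongs to the allocator or a neighbouring
 * block, which is what valgrind flagged.
 */
int old_copy_overwrites_guard(const char *home, const char *fallback)
{
    size_t homelen = strlen(home);
    size_t fallbacklength = strlen(fallback);
    size_t old_size = homelen + fallbacklength;          /* missing +1 */
    unsigned char *buf = malloc(old_size + 1);           /* +1 is our guard */
    int overwritten;

    if (buf == NULL)
        return -1;
    buf[old_size] = 0xAA;                                /* guard pattern */
    memcpy(buf, home, homelen);
    memcpy(buf + homelen, fallback, fallbacklength + 1); /* NUL lands on guard */
    overwritten = (buf[old_size] != 0xAA);
    free(buf);
    return overwritten;
}

/* The fixed join: allocate exactly bytes_copied() bytes and copy. Caller frees. */
char *join_home(const char *home, const char *fallback)
{
    size_t homelen = strlen(home);
    size_t fallbacklength = strlen(fallback);
    char *out = malloc(homelen + fallbacklength + 1);    /* +1 for NUL */

    if (out == NULL)
        return NULL;
    memcpy(out, home, homelen);
    memcpy(out + homelen, fallback, fallbacklength + 1); /* copies the NUL */
    return out;
}

int main(void)
{
    /* Constructed input (assumption): 14 + 13 bytes plus NUL, matching the
     * 27-byte (old) and 28-byte (fixed) blocks in the valgrind output. */
    const char *home = "/home/rubidium";
    const char *fallback = "/.local/share";
    char *joined = join_home(home, fallback);

    printf("old malloc size: %zu, bytes copied: %zu, fixed malloc size: %zu\n",
           old_alloc_size(home, fallback), bytes_copied(home, fallback),
           fixed_alloc_size(home, fallback));
    printf("old copy overwrites byte past block: %d\n",
           old_copy_overwrites_guard(home, fallback));
    printf("joined: %s\n", joined ? joined : "(malloc failed)");
    free(joined);
    return 0;
}
```

The guard-byte trick keeps the reproduction inside memory the program owns, so it demonstrates the off-by-one deterministically without relying on valgrind or on the allocator's layout; with an empty HOME and empty fallback the old sequence still writes its NUL one byte past the requested size.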
--- Begin Message ---
Source: libxdg-basedir
Source-Version: 1.2.0-1

We believe that the bug you reported is fixed in the latest version of
libxdg-basedir, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 730...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miriam Ruiz <mir...@debian.org> (supplier of updated libxdg-basedir package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 11 Feb 2014 19:39:53 +0100
Source: libxdg-basedir
Binary: libxdg-basedir-dev libxdg-basedir1 libxdg-basedir1-dbg
Architecture: source amd64
Version: 1.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Mark Nevill <mark.nev...@gmail.com>
Changed-By: Miriam Ruiz <mir...@debian.org>
Description: 
 libxdg-basedir-dev - Implementation of the XDG Base Directory Specifications (developm
 libxdg-basedir1 - Implementation of the XDG Base Directory Specifications
 libxdg-basedir1-dbg - Implementation of the XDG Base Directory Specifications (debuggin
Closes: 720576 730487 734558
Changes: 
 libxdg-basedir (1.2.0-1) unstable; urgency=medium
 .
   * New upstream release
     - Added support for Basedir 0.7's XDG_RUNTIME_DIRECTORY.
   * Upgraded Standards-Version to 3.9.5
   * Migrated debian/copyright to machine-readable format
   * Changed homepage to http://nevill.ch/libxdg-basedir .  Closes: #720576
   * Changed my email address to mir...@debian.org
   * Fixes: Writing beyond allocated buffer. Closes: #730487
   * Use dh-autoreconf instead of autotools-dev to fix FTBFS. Closes: #734558
Checksums-Sha1: 
 dcf191c450e3a75254ef6b518c4c40e71e2d7e70 1312 libxdg-basedir_1.2.0-1.dsc
 b924afe4e29c52358ad67476887e9ca0dcf90f7c 335790 libxdg-basedir_1.2.0.orig.tar.gz
 a5554e89ecf5ae615b7093c33745637f11b9d106 18932 libxdg-basedir_1.2.0-1.debian.tar.xz
 04fb39be342c60c6a71344431281ce08e7aed543 38780 libxdg-basedir-dev_1.2.0-1_amd64.deb
 72288cccca15397b94a28b0311c49dfc72c10a62 10952 libxdg-basedir1_1.2.0-1_amd64.deb
 528cbeca0814c49c1571488969acb1086776537d 14738 libxdg-basedir1-dbg_1.2.0-1_amd64.deb
Checksums-Sha256: 
 4ea3f273148cb5bb0d4bc5856e14b687d3fb72550b4761dd5b140ab52b4cef95 1312 libxdg-basedir_1.2.0-1.dsc
 2757a949618742d80ac59ee2f0d946adc6e71576406cdf798e6ced507708cdf4 335790 libxdg-basedir_1.2.0.orig.tar.gz
 50f3050bc577e1c401eac82bd1dec5b58e2de88bb6313238707ae2b38d350f6f 18932 libxdg-basedir_1.2.0-1.debian.tar.xz
 9874f63ae89b97bb7058a0353685617eda5f8db0c1be8697416aa619261565c9 38780 libxdg-basedir-dev_1.2.0-1_amd64.deb
 f4f226b110f5ec3ddc0c6d192d21e98b7e32a6c6a56a320381510d2755f7582f 10952 libxdg-basedir1_1.2.0-1_amd64.deb
 573d09e706955a2d941d89c1e8413deb6e7462066d54cdced93616a47d172128 14738 libxdg-basedir1-dbg_1.2.0-1_amd64.deb
Files: 
 b99c8a028971f8a3bdde027978661474 1312 libs optional libxdg-basedir_1.2.0-1.dsc
 5a9eaaba2ec7f62253ecaed032af313b 335790 libs optional libxdg-basedir_1.2.0.orig.tar.gz
 f76241c6490b3089aef5112bade4c6e5 18932 libs optional libxdg-basedir_1.2.0-1.debian.tar.xz
 5a59e9a7ad1f5cccf387cdec49425494 38780 libdevel optional libxdg-basedir-dev_1.2.0-1_amd64.deb
 32435ae056233baff96feafb0ddaefb3 10952 libs optional libxdg-basedir1_1.2.0-1_amd64.deb
 1dc62c53aa95467e57474e8d860e39cd 14738 debug extra libxdg-basedir1-dbg_1.2.0-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlL6eNgACgkQfbltLjbuCGHbGgCfS8ghI8ILzbnvcpQHi1CtSJOw
+HsAn29JAz8eivT/con+cQfH2M9qAA9X
=rh70
-----END PGP SIGNATURE-----

--- End Message ---