Hi,
We found an out-of-bounds stack read when parsing object files using git 2.10.0. It
was tested on ArchLinux x86_64. To reproduce, first recompile git with ASAN
support and then execute:
$ git init ; mkdir -p .git/objects/b2 ; printf 'x' > .git/objects/b2/93584ddd61af21260be75ee9f73e9d53f08cd0
Finally you can trigger the bug using several commands from git (other commands
that parse all objects will work too), for instance:
$ git fsck
The ASAN report is here:
==2763==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe16e4a690 at pc 0x0000006fe5dc bp 0x7ffe16e4a530 sp 0x7ffe16e4a520
READ of size 1 at 0x7ffe16e4a690 thread T0
    #0 0x6fe5db in parse_sha1_header_extended /home/g/Work/Code/git-2.10.0/sha1_file.c:1684
    #1 0x702cd4 in sha1_loose_object_info /home/g/Work/Code/git-2.10.0/sha1_file.c:2660
    #2 0x70332c in sha1_object_info_extended /home/g/Work/Code/git-2.10.0/sha1_file.c:2696
    #3 0x7038e0 in sha1_object_info /home/g/Work/Code/git-2.10.0/sha1_file.c:2745
    #4 0x648498 in parse_object /home/g/Work/Code/git-2.10.0/object.c:260
    #5 0x48d46d in fsck_sha1 builtin/fsck.c:367
    #6 0x48da47 in fsck_loose builtin/fsck.c:493
    #7 0x707514 in for_each_file_in_obj_subdir /home/g/Work/Code/git-2.10.0/sha1_file.c:3477
    #8 0x70775b in for_each_loose_file_in_objdir_buf /home/g/Work/Code/git-2.10.0/sha1_file.c:3512
    #9 0x707885 in for_each_loose_file_in_objdir /home/g/Work/Code/git-2.10.0/sha1_file.c:3532
    #10 0x48dc1d in fsck_object_dir builtin/fsck.c:521
    #11 0x48e2e6 in cmd_fsck builtin/fsck.c:644
    #12 0x407a8f in run_builtin /home/g/Work/Code/git-2.10.0/git.c:352
    #13 0x407e35 in handle_builtin /home/g/Work/Code/git-2.10.0/git.c:539
    #14 0x408175 in run_argv /home/g/Work/Code/git-2.10.0/git.c:593
    #15 0x408458 in cmd_main /home/g/Work/Code/git-2.10.0/git.c:665
    #16 0x53fc70 in main /home/g/Work/Code/git-2.10.0/common-main.c:40
    #17 0x7f0f46d43290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #18 0x405209 in _start (/home/g/Work/Code/git-2.10.0/git+0x405209)

Address 0x7ffe16e4a690 is located in stack of thread T0 at offset 192 in frame
    #0 0x702834 in sha1_loose_object_info /home/g/Work/Code/git-2.10.0/sha1_file.c:2614

  This frame has 5 object(s):
    [32, 40) 'mapsize'
    [96, 120) 'hdrbuf'
    [160, 192) 'hdr' <== Memory access at offset 192 overflows this variable
    [224, 368) 'st'
    [416, 576) 'stream'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/g/Work/Code/git-2.10.0/sha1_file.c:1684 in parse_sha1_header_extended
Shadow bytes around the buggy address:
0x100042dc1480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100042dc1490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100042dc14a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100042dc14b0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4
0x100042dc14c0: f4 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00
=>0x100042dc14d0: 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00
0x100042dc14e0: 00 00 00 00 00 00 00 00 f4 f4 f2 f2 f2 f2 00 00
0x100042dc14f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100042dc1500: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
0x100042dc1510: 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2
0x100042dc1520: 00 00 00 00 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Regards,
Gustavo.
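Added illustration of the bug class in the report above (editor's example, not git's code and not the actual logic at sha1_file.c:1684). The ASAN frame shows `hdr` as a 32-byte stack buffer ([160, 192)) and the faulting read one byte past its end, which is what a header scan that trusts a NUL terminator does when the inflater produced fewer bytes than the window holds. The two parsers, the 32-byte window, the stale bytes after it and the "blob 5" object are all constructed assumptions; the mechanism is the assumed one, not confirmed from the git source.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parsers for a loose-object header "<type> <size>\0".
 * Only the 32-byte size of 'hdr' is taken from the ASAN frame above. */
#define HDR_WINDOW 32

/* Naive parser: assumes the buffer is NUL-terminated and scans until it
 * finds one. Returns bytes consumed (including the NUL) or -1. When the
 * inflater left no NUL inside the window, the scan runs past it. */
int parse_header_naive(const char *hdr, char *type, size_t type_sz,
                       unsigned long *size)
{
    size_t i = 0;

    while (hdr[i] != ' ') {
        if (i + 1 >= type_sz)
            return -1;                  /* type name too long */
        type[i] = hdr[i];
        i++;
    }
    type[i] = '\0';
    i++;                                /* skip the space */

    *size = 0;
    while (hdr[i] != '\0') {            /* no bound on i */
        if (hdr[i] < '0' || hdr[i] > '9')
            return -1;
        *size = *size * 10 + (unsigned long)(hdr[i] - '0');
        i++;
    }
    return (int)(i + 1);
}

/* Bounded parser: takes the number of bytes actually present (what the
 * inflater produced) and never reads beyond it. Same return convention. */
int parse_header_bounded(const char *hdr, size_t hdrlen, char *type,
                         size_t type_sz, unsigned long *size)
{
    size_t i = 0, digits = 0;

    while (i < hdrlen && hdr[i] != ' ') {
        if (i + 1 >= type_sz)
            return -1;
        type[i] = hdr[i];
        i++;
    }
    if (i == 0 || i == hdrlen)
        return -1;                      /* empty type, or no space in range */
    type[i] = '\0';
    i++;

    *size = 0;
    while (i < hdrlen && hdr[i] != '\0') {
        if (hdr[i] < '0' || hdr[i] > '9')
            return -1;
        if (*size > (ULONG_MAX - 9) / 10)
            return -1;                  /* size would overflow */
        *size = *size * 10 + (unsigned long)(hdr[i] - '0');
        i++;
        digits++;
    }
    if (i == hdrlen || digits == 0)
        return -1;                      /* hit the end before the NUL */
    return (int)(i + 1);
}

/* Constructed scenario: the 32-byte window holds "blob " plus 27 '0's and no
 * terminator; the bytes after the window happen to contain "7\0". One 64-byte
 * array is used so the demo itself stays inside allocated memory. */
static void build_window(char backing[64])
{
    memset(backing, 0, 64);
    memcpy(backing, "blob ", 5);
    memset(backing + 5, '0', HDR_WINDOW - 5);   /* indices 5..31 */
    backing[HDR_WINDOW] = '7';                  /* index 32: past 'hdr' */
    backing[HDR_WINDOW + 1] = '\0';
}

/* Bytes the naive parser consumes; more than HDR_WINDOW means it read past 'hdr'. */
int demo_naive_overrun(void)
{
    char backing[64], type[16];
    unsigned long size;
    build_window(backing);
    return parse_header_naive(backing, type, sizeof type, &size);
}

/* The bounded parser, told the window is 32 bytes, rejects the same input. */
int demo_bounded_rejects(void)
{
    char backing[64], type[16];
    unsigned long size;
    build_window(backing);
    return parse_header_bounded(backing, HDR_WINDOW, type, sizeof type, &size);
}

/* A well-formed header (constructed) still parses with the bounded version. */
int demo_bounded_ok(char *type, size_t type_sz, unsigned long *size)
{
    static const char good[] = "blob 5\0hello";
    return parse_header_bounded(good, 7, type, type_sz, size);
}

int main(void)
{
    char type[16];
    unsigned long size = 0;

    printf("naive parser consumed %d bytes of a %d-byte window\n",
           demo_naive_overrun(), HDR_WINDOW);
    printf("bounded parser on the same window: %d\n", demo_bounded_rejects());
    printf("bounded parser on \"blob 5\\0\": %d, type=%s size=%lu\n",
           demo_bounded_ok(type, sizeof type, &size), type, size);
    return 0;
}
```

The naive scan reports 34 bytes consumed from a 32-byte window, i.e. it read two bytes that were never part of `hdr`; under ASAN those bytes are a redzone, which is the report above. The bounded version fails closed on the same input because it is given the inflated length rather than trusting a terminator.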