Hello.

If you compile zic with ASAN, you can get the following (note this will delete /etc/localtime):
$ sudo ./zic -l fff
=================================================================
==5528==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000053103f at pc 0x000000501ceb bp 0x7ffe9fbe6510 sp 0x7ffe9fbe6508
READ of size 1 at 0x00000053103f thread T0
    #0 0x501cea in relname /artifacts/postgres/src/timezone/zic.c:978:36
    #1 0x50081b in dolink /artifacts/postgres/src/timezone/zic.c:1045:42
    #2 0x4fab14 in main /artifacts/postgres/src/timezone/zic.c:846:3
    #3 0x7ff25975fefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
    #4 0x41c459 in _start /usr/src/RPM/BUILD/glibc-2.32-alt5.p10.3/csu/../sysdeps/x86_64/start.S:120
0x00000053103f is located 33 bytes to the left of global variable '<string literal>' defined in 'zic.c:841:14' (0x531060) of size 13
  '<string literal>' is ascii string 'link to link'
0x00000053103f is located 1 bytes to the left of global variable '<string literal>' defined in 'zic.c:806:15' (0x531040) of size 15
  '<string literal>' is ascii string '/etc/localtime'
0x00000053103f is located 26 bytes to the right of global variable '<string literal>' defined in 'zic.c:804:15' (0x531020) of size 5
  '<string literal>' is ascii string 'data'
SUMMARY: AddressSanitizer: global-buffer-overflow /artifacts/postgres/src/timezone/zic.c:978:36 in relname
==5528==ABORTING

Patch is included in the attachment.


Best regards,
Evgeniy Gorbanyov
diff --combined src/timezone/zic.c
index d605c721ec,d605c721ec..0000000000
--- a/src/timezone/zic.c
+++ b/src/timezone/zic.c
@@@ -975,7 -975,7 +975,7 @@@ relname(char const *target, char const 
  		if (f[i] == '/')
  			dir_len = i + 1;
  	for (; linkname[i]; i++)
--		dotdots += linkname[i] == '/' && linkname[i - 1] != '/';
++		dotdots += i > 0 && linkname[i] == '/' && linkname[i - 1] != '/';
  	taillen = strlen(f + dir_len);
  	dotdotetcsize = 3 * dotdots + taillen + 1;
  	if (dotdotetcsize <= linksize)
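Review bot: the added `i > 0 &&` on the `dotdots` line is the right guard: when the preceding prefix-matching loop exits with `i == 0` (target and linkname share no leading character, as with a relative `f` and the absolute `/etc/localtime` in the report), the old expression read `linkname[i - 1]`, one byte before the string literal, which is exactly the 1-byte global-buffer-overflow ASAN reports at zic.c:978 in `relname`. Two requests: add a short comment above the loop stating why the guard exists (a `/` at index 0 starts no new component and must not dereference `linkname[-1]`), and resend the change as a plain unified diff (`git diff` or `git format-patch`) rather than the `diff --combined` output shown here, whose `--`/`++` prefixes and `@@@` header are a display format that `git apply` and `patch` do not consume.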
