https://bugzilla.samba.org/show_bug.cgi?id=13112
Bug ID: 13112 Summary: receive_xattr heap overread with non null terminated name and xattr filter Product: rsync Version: 3.1.3 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: core Assignee: way...@samba.org Reporter: jeriko....@gmx.us QA Contact: rsync...@samba.org Created attachment 13744 --> https://bugzilla.samba.org/attachment.cgi?id=13744&action=edit Make room for trailing NULL and use read_sbuf $ ./rsync -v rsync version 3.1.3dev protocol version 31 code snippets are from receive_xattr in xattrs.c in receive_xattr a name is read from the sender. The sender sends the length of the name, and then sends the name. The name is read in via read_buf so it's not null terminated. 815 size_t name_len = read_varint(f); 826 read_buf(f, name, name_len); If the sender sent --filter that had an xattr filter then this name will be passed to name_is_excluded. 834 if (saw_xattr_filter) { 835 if (name_is_excluded(name, NAME_IS_XATTR, ALL_FILTERS)) { This can lead to a heap overread as name_is_excluded is expecting a NULL terminated string. These are the arguments I'm sending to the daemon when connecting {"--server", "--filter", "+x jk", "-X", ".", ".", "\0"}; I provided a patch that will make room for a NULL byte in name, and use read_sbuf instead. ASan output: ================================================================= ==3497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e831 at pc 0x7ffff6edc15b bp 0x7fffffff9990 sp 0x7fffffff9138 READ of size 2 at 0x60200000e831 thread T0 #0 0x7ffff6edc15a in strlen (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x7015a) #1 0x4412dd in rule_matches /home/raj/rsync/rsync/exclude.c:696 #2 0x441921 in check_filter /home/raj/rsync/rsync/exclude.c:772 #3 0x441724 in name_is_excluded /home/raj/rsync/rsync/exclude.c:744 #4 0x4a2d76 in receive_xattr /home/raj/rsync/rsync/xattrs.c:835 #5 0x40beac in recv_file_entry /home/raj/rsync/rsync/flist.c:1108 #6 0x415bee in recv_file_list /home/raj/rsync/rsync/flist.c:2476 #7 0x454eaa in do_server_recv /home/raj/rsync/rsync/main.c:1036 #8 0x4556f4 in start_server /home/raj/rsync/rsync/main.c:1115 #9 0x4b20f2 in rsync_module /home/raj/rsync/rsync/clientserver.c:1007 #10 0x4b2b11 in start_daemon /home/raj/rsync/rsync/clientserver.c:1135 #11 0x48f636 in start_accept_loop /home/raj/rsync/rsync/socket.c:618 #12 0x4b32d2 in daemon_main /home/raj/rsync/rsync/clientserver.c:1237 #13 0x458318 in main /home/raj/rsync/rsync/main.c:1630 #14 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f) #15 0x4047c8 in _start (/home/raj/rsync/asan/bin/rsync+0x4047c8) 0x60200000e831 is located 0 bytes to the right of 1-byte region [0x60200000e830,0x60200000e831) allocated by thread T0 here: #0 0x7ffff6f04572 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x98572) #1 0x44e48b in _new_array /home/raj/rsync/rsync/util2.c:68 #2 0x4a2c63 in receive_xattr /home/raj/rsync/rsync/xattrs.c:822 #3 0x40beac in recv_file_entry /home/raj/rsync/rsync/flist.c:1108 #4 0x415bee in recv_file_list /home/raj/rsync/rsync/flist.c:2476 #5 0x454eaa in do_server_recv /home/raj/rsync/rsync/main.c:1036 #6 0x4556f4 in start_server /home/raj/rsync/rsync/main.c:1115 #7 0x4b20f2 in rsync_module /home/raj/rsync/rsync/clientserver.c:1007 #8 0x4b2b11 in start_daemon /home/raj/rsync/rsync/clientserver.c:1135 #9 0x48f636 in start_accept_loop /home/raj/rsync/rsync/socket.c:618 #10 0x4b32d2 in daemon_main /home/raj/rsync/rsync/clientserver.c:1237 #11 0x458318 in main /home/raj/rsync/rsync/main.c:1630 #12 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strlen Shadow bytes around the buggy address: 0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff9d00: fa fa fa fa fa fa[01]fa fa fa 04 fa fa fa 00 07 0x0c047fff9d10: fa fa fd fd fa fa 02 fa fa fa 02 fa fa fa 00 01 0x0c047fff9d20: fa fa 03 fa fa fa 06 fa fa fa 00 01 fa fa 06 fa 0x0c047fff9d30: fa fa 00 01 fa fa 06 fa fa fa fd fd fa fa fd fa 0x0c047fff9d40: fa fa 00 01 fa fa fd fa fa fa fd fa fa fa 00 01 0x0c047fff9d50: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==3497==ABORTING -- You are receiving this mail because: You are the QA Contact for the bug. -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html