Bug#798324: dpkg-deb: Fix off-by-one write access on versionbuf variable

Mon, 07 Sep 2015 23:13:09 -0700 

Package: dpkg
Version: 1.18.2
Severity: normal
Tags: patch

The following was reported by Jacek Wielemborek:

----- Begin forwarded message -----

Dear Maintainer,

I built dpkg with afl-gcc and AFL_USE_ASAN=1. Here's the base64-encoded
 .deb file it generated:

ITxhcmNoPopkZWJpYW4tYmluYXJ5ICAgMTQ0MTIxMTQ1NiAgMCAgICAgMCAgICAgMTAwNjQ0ICA0
ICAgICAgICAgYAoyLjAKY29udHJvbC50YXIuZ3ogIDE0NDEyMTE0NTYgIDAgICAgIDAgICAgIDEw
MDY0NCAgNDc1ICAgICAgIGAKH4sIAAAAAAACA+3RS4vbMBAAYJ/1K+bWBBK/uo6paZcWUmgpC4GE
3rXWJBarSEaSN00P/e1V/Ng+oO0ppYX5sLEsyTNjTZxEV5cGZVH0z+DnZz/O8qLMVnme9fNlmRYR
FNFf0DnPLUBkjfG/2/en9f9UnNRGe2vUlfu/urn5Vf+ztMh/7H+WPU9XEaTU/6vb8PqBH7CC9uwb
o5f4iR9bhY5tTWfrb/MC97xT3rGPaJ00uoI8LuMXy4y9sXUjPda+s2E7V4rdcal9uNFWcMe9byR3
8EEZh/BSmAfzWuC95Do29nDL3uvQAKVQLLfycwiwYmtsUQs3pYbZ7asp2XwxTob3p1K/3/Blzrah
lL7AYSfbWGms9OcKTHtZ4Iq9M0ds+79uvG+rJDmdTvGw/VJUEkpwtZXtEOcpz95Y8A3CZqhLcX3o
QhSYjYcDj8PZzBm8Hb9ZwBqPxgHXAnbGqCHIECCGXYPhTLhF2MtLAqlr1QkUYcD6TF3rvEV+nFIK
Gd7lfXcpLGYQrl0jHbRDEyEMOYj++FDX52l+AadG1s244iAEWvcdeOZgLJ1NGcZfgFndWYvaqzM8
hrOdxywihBBCCCGEEEIIIYQQQgghhBBCCCH/oK+zNHmVACgAAAo=

And here's the crash:

root@1442a2c3a089:~/fuzz/dpkg/o/crashes# dpkg --info
id\:000000\,sig\:06\,src\:000000\,op\:flip1\,pos\:7
=================================================================
==11286==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffbdcdf338 at pc 0x00000040cf49 bp 0x7fffbdcdef70 sp 0x7fffbdcdef68
WRITE of size 1 at 0x7fffbdcdf338 thread T0
    #0 0x40cf48  (/usr/bin/dpkg-deb+0x40cf48)
    #1 0x410dfe  (/usr/bin/dpkg-deb+0x410dfe)
    #2 0x4056e2  (/usr/bin/dpkg-deb+0x4056e2)
    #3 0x7f38390b8b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x4074ca  (/usr/bin/dpkg-deb+0x4074ca)

Address 0x7fffbdcdf338 is located in stack of thread T0 at offset 872 in
frame
    #0 0x40b4bf  (/usr/bin/dpkg-deb+0x40b4bf)

  This frame has 13 object(s):
    [32, 33) 'nlc'
    [96, 100) 'dummy'
    [160, 168) 'version'
    [224, 232) 'ctrllennum'
    [288, 304) 'err'
    [352, 384) 'cmd'
    [416, 424) 'p1'
    [480, 488) 'p2'
    [544, 604) 'arh'
    [640, 784) 'stab'
    [832, 872) 'versionbuf' <== Memory access at offset 872 overflows
this variable
    [928, 968) 'ctrllenbuf'
    [1024, 1224) 'buf'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x100077b93e10: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00
  0x100077b93e20: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 f4
  0x100077b93e30: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00
  0x100077b93e40: 00 00 00 00 00 04 f2 f2 f2 f2 00 00 00 00 00 00
  0x100077b93e50: 00 00 00 00 00 00 00 00 00 00 00 00 f4 f4 f2 f2
=>0x100077b93e60: f2 f2 00 00 00 00 00[f4]f4 f4 f2 f2 f2 f2 00 00
  0x100077b93e70: 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
  0x100077b93e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b93e90: 00 00 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
  0x100077b93ea0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
  0x100077b93eb0: f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11286==ABORTING

To be on the safe side, I'm reporting it as a critical security vuln
because this is a memory error in the core component. Please contact me
on d33...@gmail.com.

----- End forwarded message -----

Quoting Guillem:

> The .deb is an ar archive w/o the '\n' trailer on the «!<arch>» magic
> value. The dpkg-deb/extract.c:extracthalf() function calls read_line()
> passing to it versionbuf with the off-by-one length, that one writes
> 41 bytes into it (with a trailing \0), stomping on whatever is next in
> the stack. But this should in principle have no visible effect because
> regardless of how the compiler has organized the local stack, any
> subsequently used local variable is first assigned so the trailing \0
> would not be in effect, and versionbuf is only ever used to compare
> against shorter constant strings, which should all fail, the first
> against "!<arch>\n", then against "0.93", and after that it just
> aborts the program.

Attached is the corresponding patch.

Regards,
Salvatore

>From ac3ee4c3db5ecca5d2c343415273823da4c107ae Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Sun, 6 Sep 2015 21:25:00 +0200
Subject: [PATCH] dpkg-deb: Fix off-by-one write access on versionbuf variable

Reported-by: Jacek Wielemborek <d33...@gmail.com>
---
 dpkg-deb/extract.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c
index d5ac05c..1d2a76a 100644
--- a/dpkg-deb/extract.c
+++ b/dpkg-deb/extract.c
@@ -131,7 +131,7 @@ extracthalf(const char *debar, const char *dir,
   if (fstat(arfd, &stab))
     ohshite(_("failed to fstat archive"));
 
-  r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf));
+  r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf) - 1);
   if (r < 0)
     read_fail(r, debar, _("archive magic version number"));
 
-- 
2.5.1

Reply via email to