Description:
Portage-utils is small and fast portage helper tools written in C.
I discovered that a crafted file is able to cause a stack-based buffer overflow.
The complete ASan output:
~ # qfile -f qfile-OOB-crash.log
=================================================================
==12240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd067c1ac1 at pc 0x000000495bdc bp 0x7ffd067bd6f0 sp 0x7ffd067bceb0
READ of size 4095 at 0x7ffd067c1ac1 thread T0
#0 0x495bdb in strncpy /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:632:5
#1 0x4fb5b9 in prepare_qfile_args /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:297:3
#2 0x4fb5b9 in qfile_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:530
#3 0x4e7f22 in q_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./q.c:79:10
#4 0x4e7afe in main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/main.c:1405:9
#5 0x7f5ccc29e854 in __libc_start_main /tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
#6 0x4192f8 in _init (/usr/bin/q+0x4192f8)
Address 0x7ffd067c1ac1 is located in stack of thread T0 at offset 17345 in frame
#0 0x4f8b3f in qfile_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:394
This frame has 10 object(s):
[32, 4128) 'pkg.i'
[4256, 8353) 'rpath.i'
[8624, 8632) 'fullpath.i'
[8656, 8782) 'slot.i'
[8816, 8824) 'slot_hack.i'
[8848, 8856) 'slot_len.i'
[8880, 12977) 'tmppath.i'
[13248, 17345) 'abspath.i'
[17616, 17736) 'state' <== Memory access at offset 17345 partially underflows this variable
[17776, 17784) 'p' 0x100020cf0350: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2
0x100020cf0360: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x100020cf0370: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
0x100020cf0380: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 f3
0x100020cf0390: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100020cf03a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12240==ABORTING
Affected version:
All versions.
Fixed version:
0.61
Commit fix:
https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=070f64a84544f74ad633f08c9c07f99a06aea551
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-02-01: bug discovered
2016-02-01: bug reported to upstream
2016-02-04: upstream release a fix
2016-02-16: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
As the commit clearly state, the ability to read directly from a file was removed.
Permalink:
3 Responses to portage-utils: stack-based buffer overflow in qfile.c