portage-utils: stack-based buffer overflow in qfile.c

Description:
Portage-utils is small and fast portage helper tools written in C.

I discovered that a crafted file is able to cause a stack-based buffer overflow.

The complete ASan output:

~ # qfile -f qfile-OOB-crash.log                                                                                                                                                                                                                                          
=================================================================                                                                                                                                                                                                              
==12240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd067c1ac1 at pc 0x000000495bdc bp 0x7ffd067bd6f0 sp 0x7ffd067bceb0                                                                                                                                     
READ of size 4095 at 0x7ffd067c1ac1 thread T0                                                                                                                                                                                                                                  
    #0 0x495bdb in strncpy /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:632:5                                                                                                                                  
    #1 0x4fb5b9 in prepare_qfile_args /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:297:3                                                                                                                                                      
    #2 0x4fb5b9 in qfile_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:530                                                                                                                                                                
    #3 0x4e7f22 in q_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./q.c:79:10                                                                                                                                                                      
    #4 0x4e7afe in main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/main.c:1405:9                                                                                                                                                                      
    #5 0x7f5ccc29e854 in __libc_start_main /tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289                                                                                                                                                            
    #6 0x4192f8 in _init (/usr/bin/q+0x4192f8)                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                               
Address 0x7ffd067c1ac1 is located in stack of thread T0 at offset 17345 in frame                                                                                                                                                                                               
    #0 0x4f8b3f in qfile_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:394                                                                                                                                                                
                                                                                                                                                                                                                                                                               
  This frame has 10 object(s):                                                                                                                                                                                                                                                 
    [32, 4128) 'pkg.i'                                                                                                                                                                                                                                                         
    [4256, 8353) 'rpath.i'                                                                                                                                                                                                                                                     
    [8624, 8632) 'fullpath.i'                                                                                                                                                                                                                                                  
    [8656, 8782) 'slot.i'                                                                                                                                                                                                                                                      
    [8816, 8824) 'slot_hack.i'                                                                                                                                                                                                                                                 
    [8848, 8856) 'slot_len.i'                                                                                                                                                                                                                                                  
    [8880, 12977) 'tmppath.i'                                                                                                                                                                                                                                                  
    [13248, 17345) 'abspath.i'                                                                                                                                                                                                                                                 
    [17616, 17736) 'state' <== Memory access at offset 17345 partially underflows this variable                                                                                                                                                                                
    [17776, 17784) 'p' 0x100020cf0350: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2
  0x100020cf0360: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x100020cf0370: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x100020cf0380: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 f3
  0x100020cf0390: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020cf03a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12240==ABORTING

Affected version:
All versions.

Fixed version:
0.61

Commit fix:
https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=070f64a84544f74ad633f08c9c07f99a06aea551

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-02-01: bug discovered
2016-02-01: bug reported to upstream
2016-02-04: upstream release a fix
2016-02-16: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
As the commit clearly state, the ability to read directly from a file was removed.

Permalink:

portage-utils: stack-based buffer overflow in qfile.c

This entry was posted in advisories, gentoo, security. Bookmark the permalink.

3 Responses to portage-utils: stack-based buffer overflow in qfile.c

Leave a Reply to Derk te Bokkel Cancel reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.