Description:
Portage-utils is small and fast portage helper tools written in C.
I discovered that a crafted file is able to cause a stack-based buffer overflow.
The complete ASan output:
~ # qfile -f qfile-OOB-crash.log ================================================================= ==12240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd067c1ac1 at pc 0x000000495bdc bp 0x7ffd067bd6f0 sp 0x7ffd067bceb0 READ of size 4095 at 0x7ffd067c1ac1 thread T0 #0 0x495bdb in strncpy /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:632:5 #1 0x4fb5b9 in prepare_qfile_args /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:297:3 #2 0x4fb5b9 in qfile_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:530 #3 0x4e7f22 in q_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./q.c:79:10 #4 0x4e7afe in main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/main.c:1405:9 #5 0x7f5ccc29e854 in __libc_start_main /tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289 #6 0x4192f8 in _init (/usr/bin/q+0x4192f8) Address 0x7ffd067c1ac1 is located in stack of thread T0 at offset 17345 in frame #0 0x4f8b3f in qfile_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:394 This frame has 10 object(s): [32, 4128) 'pkg.i' [4256, 8353) 'rpath.i' [8624, 8632) 'fullpath.i' [8656, 8782) 'slot.i' [8816, 8824) 'slot_hack.i' [8848, 8856) 'slot_len.i' [8880, 12977) 'tmppath.i' [13248, 17345) 'abspath.i' [17616, 17736) 'state' <== Memory access at offset 17345 partially underflows this variable [17776, 17784) 'p' 0x100020cf0350: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2 0x100020cf0360: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x100020cf0370: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 0x100020cf0380: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 f3 0x100020cf0390: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x100020cf03a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==12240==ABORTING
Affected version:
All versions.
Fixed version:
0.61
Commit fix:
https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=070f64a84544f74ad633f08c9c07f99a06aea551
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-02-01: bug discovered
2016-02-01: bug reported to upstream
2016-02-04: upstream release a fix
2016-02-16: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
As the commit clearly state, the ability to read directly from a file was removed.
Permalink:
3 Responses to portage-utils: stack-based buffer overflow in qfile.c