Hello,
I tried to reproduce the stack smashing.
But found that the current package in Debian amd64 testing
looks like it was not built with -fstack-protector-strong.
So could it be that your report was using a locally rebuilt package?


Nevertheless it looks like the local variable testname has a size of
just 0x1001 bytes.

It gets initialized with the content of the parameter rootname.
That already has a length of 0xfaa bytes.

Later another 0xd2 bytes get appended from name_buf, too much for testname.


658     void
659     parse_dir(char *rootname, int extent, int len)
660     {
661             char            testname[PATH_MAX+1];
...
766                                     strcpy(testname, rootname);
767                                     strcat(testname, name_buf);


Kind regards,
Bernhard



root@debian:/home/benutzer# gdb -q --args isoinfo -i crash.iso 
Reading symbols from isoinfo...Reading symbols from 
/usr/lib/debug/.build-id/32/df58a272dc3f4c3f28d2b2d4e63b80c785c131.debug...done.
done.
(gdb) b parse_dir
Breakpoint 1 at 0xd020: file 
/build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c, line 660.
(gdb) ignore 1 109
Will ignore next 109 crossings of breakpoint 1.
(gdb) directory /home/benutzer/genisoimage/cdrkit-1.1.11/genisoimage/diag/
Source directories searched: 
/home/benutzer/genisoimage/cdrkit-1.1.11/genisoimage/diag:$cdir:$cwd
(gdb) run
Starting program: /usr/bin/isoinfo -i crash.iso
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, parse_dir (rootname=0x5555557ded80 "/", '\322' <repeats 198 
times>, <incomplete sequence \322>..., extent=23, len=2048) at 
/build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c:660
660     {
(gdb) print/x sizeof(testname)
$2 = 0x1001
(gdb) # break on all strcat/strcpy to testname in parse_dir
(gdb) b 766
Breakpoint 2 at 0x555555561072: file 
/build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c, line 766.
(gdb) b 767
Breakpoint 3 at 0x5555555613e8: file 
/build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c, line 767.
(gdb) b 775
Breakpoint 4 at 0x5555555612f8: file 
/build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c, line 775.
(gdb) b 776
Breakpoint 5 at 0x55555556130a: file 
/build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c, line 776.
(gdb) cont
Continuing.

Breakpoint 2, parse_dir (rootname=0x5555557ded80 "/", '\322' <repeats 198 
times>, <incomplete sequence \322>..., extent=23, len=<optimized out>)
    at /build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c:766
766                                     strcpy(testname, rootname);
(gdb) print (size_t (*)(const char *))__strlen_sse2(rootname)
$6 = (size_t (*)(const char *)) 0xfaa
(gdb) cont
Continuing.

Breakpoint 3, parse_dir (rootname=0x5555557ded80 "/", '\322' <repeats 198 
times>, <incomplete sequence \322>..., extent=24, len=<optimized out>)
    at /build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c:767
767                                     strcat(testname, name_buf);
(gdb) print (size_t (*)(const char *))__strlen_sse2(testname)
$7 = (size_t (*)(const char *)) 0xfaa
(gdb) print (size_t (*)(const char *))__strlen_sse2(name_buf)
$8 = (size_t (*)(const char *)) 0x2
(gdb) cont
Continuing.

Breakpoint 3, parse_dir (rootname=0x5555557ded80 "/", '\322' <repeats 198 
times>, <incomplete sequence \322>..., extent=24, len=<optimized out>)
    at /build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c:767
767                                     strcat(testname, name_buf);
(gdb) print (size_t (*)(const char *))__strlen_sse2(testname)
$9 = (size_t (*)(const char *)) 0xfaa
(gdb) print (size_t (*)(const char *))__strlen_sse2(name_buf)
$10 = (size_t (*)(const char *)) 0xd2
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00005555555614be in parse_dir (rootname=0x5555557ded80 "/", '\322' <repeats 
198 times>, <incomplete sequence \322>..., extent=<optimized out>, 
len=<optimized out>)
    at /build/cdrkit-nac9D5/cdrkit-1.1.11/genisoimage/diag/isoinfo.c:785
785     }

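As an added illustration (not part of the bug report and not cdrkit code), the following C program recreates the sizes seen in the gdb session above: a destination of PATH_MAX+1 bytes, a root string of 0xfaa bytes and a name of 0xd2 bytes. The hypothetical helper join_path replaces the unbounded strcpy/strcat pair with a length check that refuses the concatenation when root plus name plus the terminating NUL would not fit, which is exactly the check the overflowing code path lacks. The input strings are constructed here; the function and file names are assumptions for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PATH_MAX is 4096 on Linux, so PATH_MAX+1 == 0x1001, matching the
 * sizeof(testname) printed in the gdb session. Fallback for other libcs. */
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Bounded replacement for strcpy(dst, root); strcat(dst, name);
 * Copies root followed by name into dst only if both fit together with
 * the NUL terminator. Returns the resulting length, or -1 and leaves dst
 * as an empty string when the result would overflow dst.
 * Hypothetical helper written for this example. */
long join_path(char *dst, size_t dstsize, const char *root, const char *name)
{
    size_t rlen, nlen;

    if (dstsize == 0 || dst == NULL || root == NULL || name == NULL)
        return -1;

    rlen = strlen(root);
    nlen = strlen(name);

    /* Both comparisons are written so they cannot wrap on size_t. */
    if (rlen > dstsize - 1 || nlen > dstsize - 1 - rlen) {
        dst[0] = '\0';
        return -1;
    }

    memcpy(dst, root, rlen);
    memcpy(dst + rlen, name, nlen);
    dst[rlen + nlen] = '\0';
    return (long)(rlen + nlen);
}

/* Recreates the lengths from the crash: 0xfaa bytes of root plus 0xd2
 * bytes of name into a PATH_MAX+1 buffer (constructed input). With the
 * unbounded strcpy/strcat this writes 0x107c bytes plus NUL into a 0x1001
 * byte array; with join_path it is rejected instead. */
long demo_overflow_case(void)
{
    char testname[PATH_MAX + 1];
    char name_buf[0xd2 + 1];
    char *rootname = malloc(0xfaa + 1);
    long r;

    if (rootname == NULL)
        return -2;
    memset(rootname, 'A', 0xfaa);
    rootname[0xfaa] = '\0';
    memset(name_buf, 'B', 0xd2);
    name_buf[0xd2] = '\0';

    r = join_path(testname, sizeof testname, rootname, name_buf);
    free(rootname);
    return r;            /* -1: refused, testname left empty */
}

/* A path that fits: "/" plus a short name, as in the earlier breakpoint
 * hits where name_buf was only 2 bytes long. */
long demo_fits_case(void)
{
    char testname[PATH_MAX + 1];
    return join_path(testname, sizeof testname, "/", "abc");   /* 4 */
}

int main(void)
{
    printf("overflow case: %ld\n", demo_overflow_case());
    printf("fits case:     %ld\n", demo_fits_case());
    return 0;
}
```

The check has to happen before any byte is written: once strcpy has already copied 0xfaa bytes, the later strcat has no way to know how much room is left, which is why the original code smashes the stack and why a stack protector only turns the corruption into an abort rather than preventing it.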