Re: [Rpm-maint] [rpm-software-management/rpm] stack buffer overflow in glob/rpmGlob - rpm 4.13.0.1 (#156)
What do you mean? I've attached the reproducer; it shows up if I run "./rpm -i rpm-stackoverflow-glob.rpm". As said, not with the latest git code, but with the latest release.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/156#issuecomment-280629988
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] invalid memory read in rstreqn / rpmdsNewPool (#137)
Update: Still unfixed in 4.13.0.1.

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/137#issuecomment-280618289
[Rpm-maint] [rpm-software-management/rpm] stack buffer overflow in glob/rpmGlob - rpm 4.13.0.1 (#156)
This does not affect the current git head code, but it affects the release 4.13.0.1. It's been reported before to the Red Hat security team and publicly here:
https://blog.fuzzing-project.org/52-Multiple-vulnerabilities-in-RPM-and-a-rant.html

[rpm-stackoverflow-glob.zip](https://github.com/rpm-software-management/rpm/files/782965/rpm-stackoverflow-glob.zip)

ASAN stack trace:
```
==16566==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe01660342 at pc 0x7fe28839a527 bp 0x7ffe01660310 sp 0x7ffe01660308
WRITE of size 1 at 0x7ffe01660342 thread T0
    #0 0x7fe28839a526 in glob /mnt/ram/rpm-rpm-4.13.0.1-release/rpmio/rpmglob.c:342:7
    #1 0x7fe288393eec in rpmGlob /mnt/ram/rpm-rpm-4.13.0.1-release/rpmio/rpmglob.c:875:7
    #2 0x7fe2886bfe4a in rpmReadPackageManifest /mnt/ram/rpm-rpm-4.13.0.1-release/lib/manifest.c:117:14
    #3 0x7fe2887275e8 in tryReadManifest /mnt/ram/rpm-rpm-4.13.0.1-release/lib/rpminstall.c:319:10
    #4 0x7fe2887275e8 in rpmInstall /mnt/ram/rpm-rpm-4.13.0.1-release/lib/rpminstall.c:537
    #5 0x50b446 in main /mnt/ram/rpm-rpm-4.13.0.1-release/rpmqv.c:294:12
    #6 0x7fe2860db1e0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r1/work/glibc-2.24/csu/../csu/libc-start.c:289
    #7 0x41a429 in _start (/mnt/ram/rpm-rpm-4.13.0.1-release/.libs/rpm+0x41a429)
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/156
[Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds read in pgpPrtSig, rpmpgp.c:633 (#151)
The attached file causes an out of bounds read in pgpPrtSig. This is a different bug from #149, although it's in the same function.

[oob-heap-pgpPrtSig-rpmpgp-633.zip](https://github.com/rpm-software-management/rpm/files/762089/oob-heap-pgpPrtSig-rpmpgp-633.zip)

Here's the asan output:
```
==10690==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60201a9f at pc 0x0066c892 bp 0x7ffda160f2f0 sp 0x7ffda160f2e8
READ of size 2 at 0x60201a9f thread T0
    #0 0x66c891 in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:633:6
    #1 0x66c891 in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:842
    #2 0x66c891 in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:1003
    #3 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
    #4 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7fd009f7878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x60201a9f is located 0 bytes to the right of 15-byte region [0x60201a90,0x60201a9f)
allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x5d0677 in copyTdEntry /f/rpm/rpm/lib/header.c:1096:12
    #3 0x5cf8e4 in headerNext /f/rpm/rpm/lib/header.c:1712:7
    #4 0x52d310 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:262:12
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7fd009f7878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/151
[Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bound heap read in pgpPrtSig, rpmpgp.c:533 (#149)
The attached file triggers an out of bounds heap read in rpmkeys -K.

[rpmkeys-heap-oob-pgpPrtSig-rpmpgp-533.zip](https://github.com/rpm-software-management/rpm/files/757347/rpmkeys-heap-oob-pgpPrtSig-rpmpgp-533.zip)

asan error with current git (you get more meaningful ones with ASAN_OPTIONS="fast_unwind_on_malloc=0"):
```
==23681==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60201a80 at pc 0x0066c870 bp 0x7fff5c578470 sp 0x7fff5c578468
READ of size 1 at 0x60201a80 thread T0
    #0 0x66c86f in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:533:23
    #1 0x66c86f in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:823
    #2 0x66c86f in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:982
    #3 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
    #4 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7f9783a7378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x60201a80 is located 0 bytes to the right of 16-byte region [0x60201a70,0x60201a80)
allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x5d0677 in copyTdEntry /f/rpm/rpm/lib/header.c:1096:12
    #3 0x5cf8e4 in headerNext /f/rpm/rpm/lib/header.c:1712:7
    #4 0x52d310 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:262:12
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7f9783a7378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/149
Re: [Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds heap read in pgpPrtSubType, rpmpgp.c line 444 (#148)
Just for completeness: Here's a different file triggering an out of bounds read a few lines earlier. It seems it is fixed by the same commit (sidenote: I think it'd be a good idea to have regression tests with all the fuzzed files that triggered bugs).

[rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip](https://github.com/rpm-software-management/rpm/files/757334/rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip)

asan message (from a 4.13.0 compile):
```
==27208==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602019bd at pc 0x00677a6a bp 0x7ffe5597dc70 sp 0x7ffe5597dc68
READ of size 4 at 0x602019bd thread T0
    #0 0x677a69 in pgpPrtSubType /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:427:3
    #1 0x66a45d in pgpPrtSig /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:594:6
    #2 0x66a45d in pgpPrtPkt /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:819
    #3 0x66a45d in pgpPrtParams /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:978
    #4 0x592c67 in rpmSigInfoParse /f/rpm/rpm-4.13.0/lib/signature.c:90:6
    #5 0x52d789 in rpmpkgVerifySigs /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:270:7
    #6 0x52f19a in rpmcliVerifySignatures /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:388:13
    #7 0x50415d in main /f/rpm/rpm-4.13.0/rpmkeys.c:70:7
    #8 0x7f36453fb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #9 0x41c4a8 in _start (/f/rpm/rpm-4.13.0/rpmkeys+0x41c4a8)

0x602019bd is located 0 bytes to the right of 13-byte region [0x602019b0,0x602019bd)
allocated by thread T0 here:
    #0 0x4cc608 in malloc (/f/rpm/rpm-4.13.0/rpmkeys+0x4cc608)
    #1 0x664d64 in rmalloc /f/rpm/rpm-4.13.0/rpmio/rpmmalloc.c:44:13
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/148#issuecomment-277964994
[Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds heap read in pgpPrtSubType, rpmpgp.c line 444 (#148)
The attached file will cause an out of bounds heap read in "rpmkeys -K".

[rpmkeys-pgpPrtSubType-rpmpgp-444.zip](https://github.com/rpm-software-management/rpm/files/755884/rpmkeys-pgpPrtSubType-rpmpgp-444.zip)

Here's the address sanitizer output:
```
==15315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60201a81 at pc 0x00677361 bp 0x7fff631cdeb0 sp 0x7fff631cdea8
READ of size 8 at 0x60201a81 thread T0
    #0 0x677360 in pgpPrtSubType /f/rpm/rpm/rpmio/rpmpgp.c:444:3
    #1 0x669d1d in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:594:6
    #2 0x669d1d in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:819
    #3 0x669d1d in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:978
    #4 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
    #5 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
    #6 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #7 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #8 0x7ff690a0078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #9 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x60201a81 is located 1 bytes to the right of 16-byte region [0x60201a70,0x60201a80)
allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/148
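The three rpmkeys reports above (#148, #149, #151) all fault inside pgpPrtSig or pgpPrtSubType with reads of 1, 2, 4 and 8 bytes just past a 13- to 16-byte heap region holding signature data. As an added example, not code from rpm or from the reporter, here is how an OpenPGP signature subpacket area (RFC 4880, section 5.2.3.1) can be walked so that every length field and every fixed-size field is checked against the bytes that actually remain. The constructed inputs and the function and type names are this example's own; the traces do not show which field rpm read past the end of, and the creation-time and issuer subpackets are used here only because their sizes match the 4- and 8-byte reads reported in #148.

```c
/* Added example for this page: bounds-checked walk over an OpenPGP signature
 * subpacket area (RFC 4880, section 5.2.3.1).  Not rpm's rpmpgp.c; the
 * inputs below are constructed, not taken from the attached reproducers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int have_ctime;   uint32_t ctime;      /* subpacket type 2: Signature Creation Time */
    int have_issuer;  uint8_t  issuer[8];  /* subpacket type 16: Issuer key ID */
} sig_fields;

/* Decode one subpacket length field.  Returns how many bytes the field
 * occupies (1, 2 or 5), or 0 when it does not fit in the `avail` bytes left. */
static size_t subpkt_len(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 192) { *len = p[0]; return 1; }
    if (p[0] < 255) {
        if (avail < 2) return 0;
        *len = ((size_t)(p[0] - 192) << 8) + p[1] + 192;
        return 2;
    }
    if (avail < 5) return 0;
    *len = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) | ((size_t)p[3] << 8) | p[4];
    return 5;
}

/* Walk `n` bytes of hashed or unhashed subpackets.  Returns the number of
 * subpackets seen, or -1 at the first inconsistency: truncated length
 * field, zero length (no type octet), body past the end of the area, or a
 * fixed-size field whose body is shorter than the field itself. */
int parse_subpackets(const uint8_t *area, size_t n, sig_fields *out)
{
    size_t off = 0;
    int count = 0;
    memset(out, 0, sizeof *out);
    while (off < n) {
        size_t len, hdr = subpkt_len(area + off, n - off, &len);
        if (hdr == 0) return -1;
        off += hdr;
        if (len == 0 || len > n - off) return -1;   /* type octet + body must fit */
        uint8_t type = area[off] & 0x7f;            /* bit 7 is the "critical" flag */
        const uint8_t *body = area + off + 1;
        size_t blen = len - 1;
        switch (type) {
        case 2:
            if (blen != 4) return -1;               /* never read 4 bytes from a shorter body */
            out->ctime = ((uint32_t)body[0] << 24) | ((uint32_t)body[1] << 16) |
                         ((uint32_t)body[2] << 8) | body[3];
            out->have_ctime = 1;
            break;
        case 16:
            if (blen != 8) return -1;               /* never memcpy 8 bytes from a shorter body */
            memcpy(out->issuer, body, 8);
            out->have_issuer = 1;
            break;
        default:
            break;                                  /* unknown types are skipped, not trusted */
        }
        off += len;
        count++;
    }
    return count;
}

/* Constructed inputs. */
static const uint8_t GOOD[] = {
    5, 2, 0x58, 0x9b, 0x10, 0x00,         /* creation time 0x589b1000 */
    9, 16, 1, 2, 3, 4, 5, 6, 7, 8,        /* issuer 0102030405060708 */
};
/* Length octet claims 9 bytes, only 6 follow: an unchecked parser would
 * read past the end of this 7-byte buffer. */
static const uint8_t TRUNCATED[] = { 9, 16, 1, 2, 3, 4, 5 };
/* Issuer subpacket with a 3-byte body: copying 8 bytes of key ID overruns. */
static const uint8_t SHORT_FIELD[] = { 4, 16, 1, 2, 3 };

int demo_good(void)        { sig_fields f; return parse_subpackets(GOOD, sizeof GOOD, &f); }
int demo_truncated(void)   { sig_fields f; return parse_subpackets(TRUNCATED, sizeof TRUNCATED, &f); }
int demo_short_field(void) { sig_fields f; return parse_subpackets(SHORT_FIELD, sizeof SHORT_FIELD, &f); }
uint32_t demo_ctime(void)  { sig_fields f; parse_subpackets(GOOD, sizeof GOOD, &f); return f.ctime; }

int main(void)
{
    printf("good=%d truncated=%d short=%d ctime=0x%08x\n",
           demo_good(), demo_truncated(), demo_short_field(), demo_ctime());
    return 0;
}
```

The rule the example follows is the one ASan is enforcing in the traces: a length taken from the file is a claim, not a fact, and it is compared against the remaining bytes before a single byte of the body is dereferenced. Running the same walk under ASan with the reporter's files is the regression test suggested in the follow-up to #148.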
Re: [Rpm-maint] [rpm-software-management/rpm] Invalid free / double free in readFile() / rpmkeys pre signature check (#147)
Sorry, I simply forgot attaching the files, here they are.

[pocfiles.zip](https://github.com/rpm-software-management/rpm/files/750137/pocfiles.zip)

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/147#issuecomment-277213184
[Rpm-maint] [rpm-software-management/rpm] Invalid free / double free in readFile() / rpmkeys pre signature check (#147)
The attached files will cause an invalid free or double free. As they're both in the same code line I assume it's the same bug in different variations.

This only affects the git code, not the latest release (otherwise I wouldn't have reported it to a public bug tracker). This is obviously a very serious security issue.

```
==27173==ERROR: AddressSanitizer: attempting double-free on 0x61a12080 in thread T0:
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x52db63 in readFile /f/rpm/rpm/lib/rpmchecksig.c:157:5
    #2 0x52db63 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #3 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13
    #4 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #5 0x7fca86edb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x61a12080 is located 0 bytes inside of 1153-byte region [0x61a12080,0x61a12501)
freed by thread T0 here:
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x5c8bac in hdrblobRead /f/rpm/rpm/lib/header.c:1897:2
    #2 0x52dab4 in readFile /f/rpm/rpm/lib/rpmchecksig.c:135:9
    #3 0x52dab4 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #4 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13

previously allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664504 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x52dab4 in readFile /f/rpm/rpm/lib/rpmchecksig.c:135:9
    #3 0x52dab4 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #4 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13

SUMMARY: AddressSanitizer: double-free (/r/rpm/rpmkeys+0x4cc500) in __interceptor_cfree.localalias.1
```

```
==28859==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7ffde9ad6100 in thread T0
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x52db63 in readFile /f/rpm/rpm/lib/rpmchecksig.c:157:5
    #2 0x52db63 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #3 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13
    #4 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #5 0x7fee8e92378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/r/rpm/rpmkeys+0x4cc500) in __interceptor_cfree.localalias.1
==28859==ABORTING
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/147
Re: [Rpm-maint] [rpm-software-management/rpm] heap out of bounds read in copyTdEntry() (#133)
> Also it's perhaps worth pointing out that none of the packages in the series
> crash nor pass through 'rpm -K' verification.

Maybe a bit off-topic here, but I noted that the "-K" parameter no longer works in the current git code. Is this intentional? (and if yes: why?) Because I specifically wanted to test this and look for pre-signature-verification bugs, but I couldn't.

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/133#issuecomment-276938778
[Rpm-maint] [rpm-software-management/rpm] heap out of bounds read in rpmfilesFDepends() (#139)
The attached file causes an out of bounds heap read.

[rpm-heap-oob-rpmfilesFDepends.zip](https://github.com/rpm-software-management/rpm/files/736812/rpm-heap-oob-rpmfilesFDepends.zip)

asan error:
```
==27195==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602011d0 at pc 0x0056a3e5 bp 0x7fff75d8fb10 sp 0x7fff75d8fb08
READ of size 4 at 0x602011d0 thread T0
    #0 0x56a3e4 in rpmfilesFDepends /f/rpm/rpm/lib/rpmfi.c:676:16
    #1 0x56a3e4 in rpmfiFDepends /f/rpm/rpm/lib/rpmfi.c:1809
    #2 0x5940b8 in rpmteColorDS /f/rpm/rpm/lib/rpmte.c:488:8
    #3 0x58f783 in addTE /f/rpm/rpm/lib/rpmte.c:188:5
    #4 0x58f783 in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #5 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
    #6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7efce4abc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)

0x602011d2 is located 0 bytes to the right of 2-byte region [0x602011d0,0x602011d2)
allocated by thread T0 here:
    #0 0x4cc7a8 in malloc (/r/rpm/rpm+0x4cc7a8)
    #1 0x67546e in rstrdup /f/rpm/rpm/rpmio/rpmmalloc.c:74:29
    #2 0x5dd0f4 in copyTdEntry /f/rpm/rpm/lib/header.c:1095:28
    #3 0x5d82af in intGetTdEntry /f/rpm/rpm/lib/header.c:1294:7
    #4 0x5d71b1 in headerGet /f/rpm/rpm/lib/header.c:1317:10
    #5 0x55f0bf in rpmfilesPopulate /f/rpm/rpm/lib/rpmfi.c:1448:2
    #6 0x55f0bf in rpmfilesNew /f/rpm/rpm/lib/rpmfi.c:1576
    #7 0x593a8c in getFiles /f/rpm/rpm/lib/rpmte.c:110:12
    #8 0x58f5db in addTE /f/rpm/rpm/lib/rpmte.c:173:16
    #9 0x58f5db in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #10 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
    #11 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #12 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #13 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #14 0x7efce4abc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #15 0x41c648 in _start (/r/rpm/rpm+0x41c648)
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/139
[Rpm-maint] [rpm-software-management/rpm] invalid read in dataLength / grabData (header.c) (#138)
The attached file causes an invalid memory read access.

[rpm-invalidread-dataLength-grabData.zip](https://github.com/rpm-software-management/rpm/files/736811/rpm-invalidread-dataLength-grabData.zip)

asan error:
```
==16740==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x7fd8bbe403c6 bp 0x7fff586b2130 sp 0x7fff586b18b8 T0)
==16740==The signal is caused by a READ memory access.
==16740==Hint: address points to the zero page.
    #0 0x7fd8bbe403c5 in strlen (/lib64/libc.so.6+0x7e3c5)
    #1 0x43b8bc in __interceptor_strlen.part.25 (/r/rpm/rpm+0x43b8bc)
    #2 0x5dbdd8 in dataLength /f/rpm/rpm/lib/header.c:432:13
    #3 0x5dbdd8 in grabData /f/rpm/rpm/lib/header.c:1364
    #4 0x5d95bc in intAddEntry /f/rpm/rpm/lib/header.c:1390:12
    #5 0x5d8a50 in headerPut /f/rpm/rpm/lib/header.c:1463:7
    #6 0x5b5c55 in addPrefixes /f/rpm/rpm/lib/relocation.c:64:3
    #7 0x5b5c55 in rpmRelocateFileList /f/rpm/rpm/lib/relocation.c:135
    #8 0x593a2f in getFiles /f/rpm/rpm/lib/rpmte.c:106:3
    #9 0x58f5db in addTE /f/rpm/rpm/lib/rpmte.c:173:16
    #10 0x58f5db in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #11 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
    #12 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #13 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #14 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #15 0x7fd8bbde278f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #16 0x41c648 in _start (/r/rpm/rpm+0x41c648)
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/138
[Rpm-maint] [rpm-software-management/rpm] invalid memory read in rstreqn / rpmdsNewPool (#137)
The attached file causes an invalid memory read access with rpm -i --test.

[rpm-invalidread-rpmdsNewPool-rstreqn.zip](https://github.com/rpm-software-management/rpm/files/736808/rpm-invalidread-rpmdsNewPool-rstreqn.zip)

asan error:
```
==5681==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x00442d96 bp 0x7ffccc0307b0 sp 0x7ffccc02ff10 T0)
==5681==The signal is caused by a READ memory access.
==5681==Hint: address points to the zero page.
    #0 0x442d95 in __interceptor_strncmp.part.68 (/r/rpm/rpm+0x442d95)
    #1 0x534748 in rstreqn /f/rpm/rpm/lib/../include/rpm/rpmstring.h:127:13
    #2 0x534748 in rpmdsNewPool /f/rpm/rpm/lib/rpmds.c:349
    #3 0x58f49b in addTE /f/rpm/rpm/lib/rpmte.c:163:19
    #4 0x58f49b in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #5 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
    #6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7f6ad35aa78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/137
[Rpm-maint] [rpm-software-management/rpm] invalid memory read in function providePackageNVR / doFind (#136)
This file causes a read access to an invalid memory area.

[rpm-invalid-read-doFind-providePackageNVR.zip](https://github.com/rpm-software-management/rpm/files/736804/rpm-invalid-read-doFind-providePackageNVR.zip)

asan error:
```
==10120==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x00444fe0 bp 0x7ffc6b5de6d0 sp 0x7ffc6b5dde40 T0)
==10120==The signal is caused by a READ memory access.
==10120==Hint: address points to the zero page.
    #0 0x444fdf in __interceptor_strcmp.part.26 (/r/rpm/rpm+0x444fdf)
    #1 0x53d4d4 in doFind /f/rpm/rpm/lib/rpmds.c:830:15
    #2 0x5cbc79 in providePackageNVR /f/rpm/rpm/lib/headerutil.c:362:9
    #3 0x5cbc79 in legacyRetrofit /f/rpm/rpm/lib/headerutil.c:391
    #4 0x5cbc79 in headerConvert /f/rpm/rpm/lib/headerutil.c:410
    #5 0x6378a7 in rpmpkgRead /f/rpm/rpm/lib/package.c:403:6
    #6 0x6378a7 in rpmReadPackageFile /f/rpm/rpm/lib/package.c:432
    #7 0x579658 in tryReadHeader /f/rpm/rpm/lib/rpminstall.c:353:17
    #8 0x579658 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:537
    #9 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #10 0x7fc1d8fc478f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #11 0x41c648 in _start (/r/rpm/rpm+0x41c648)
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/136
Re: [Rpm-maint] [rpm-software-management/rpm] out of bounds heap read in rpmstrPoolId / rstrlenhash (#135)
I'm attaching another file, this creates a use after free, but it's in the same line of code, so I assume it's a variation of the same bug.

[rpm-useafterfree-rstrlenhash-rpmstrPoolId.zip](https://github.com/rpm-software-management/rpm/files/736803/rpm-useafterfree-rstrlenhash-rpmstrPoolId.zip)

```
==26753==ERROR: AddressSanitizer: heap-use-after-free on address 0x60201531 at pc 0x006a0e05 bp 0x7ffc05f97c30 sp 0x7ffc05f97c28
READ of size 1 at 0x60201531 thread T0
    #0 0x6a0e04 in rstrlenhash /f/rpm/rpm/rpmio/rpmstrpool.c:52:12
    #1 0x6a0e04 in rpmstrPoolId /f/rpm/rpm/rpmio/rpmstrpool.c:390
    #2 0x536103 in singleDS /f/rpm/rpm/lib/rpmds.c:460:15
    #3 0x536103 in rpmdsSinglePool /f/rpm/rpm/lib/rpmds.c:486
    #4 0x512720 in findPos /f/rpm/rpm/lib/depends.c:328:20
    #5 0x512720 in addPackage /f/rpm/rpm/lib/depends.c:446
    #6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7f4f83a7678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)

0x60201531 is located 1 bytes inside of 6-byte region [0x60201530,0x60201536)
freed by thread T0 here:
    #0 0x4cc5f0 in __interceptor_cfree.localalias.1 (/r/rpm/rpm+0x4cc5f0)
    #1 0x60ff7f in rpmtdFreeData /f/rpm/rpm/lib/rpmtd.c:48:2
    #2 0x58f207 in addTE /f/rpm/rpm/lib/rpmte.c:145:15
    #3 0x58f207 in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #4 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9

previously allocated by thread T0 here:
    #0 0x4ccbc0 in realloc (/r/rpm/rpm+0x4ccbc0)
    #1 0x6752ea in rrealloc /f/rpm/rpm/rpmio/rpmmalloc.c:65:13
    #2 0x629bb4 in getNEVRA /f/rpm/rpm/lib/tagexts.c:772:11
    #3 0x625026 in nevrTag /f/rpm/rpm/lib/tagexts.c:805:12
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/135#issuecomment-275837735
[Rpm-maint] [rpm-software-management/rpm] out of bounds heap read in rpmstrPoolId / rstrlenhash (#135)
The attached file will cause an out of bounds memory read in rpm (tested with rpm -i --test [input]).

[rpm-oob-heap-read-rstrlenhash-rpmstrPoolId.zip](https://github.com/rpm-software-management/rpm/files/736801/rpm-oob-heap-read-rstrlenhash-rpmstrPoolId.zip)

Found with american fuzzy lop and address sanitizer. Here's a stack trace from asan:
```
==29668==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020151b at pc 0x006a0e05 bp 0x7ffe13842070 sp 0x7ffe13842068
READ of size 1 at 0x6020151b thread T0
    #0 0x6a0e04 in rstrlenhash /f/rpm/rpm/rpmio/rpmstrpool.c:52:12
    #1 0x6a0e04 in rpmstrPoolId /f/rpm/rpm/rpmio/rpmstrpool.c:390
    #2 0x536103 in singleDS /f/rpm/rpm/lib/rpmds.c:460:15
    #3 0x536103 in rpmdsSinglePool /f/rpm/rpm/lib/rpmds.c:486
    #4 0x512720 in findPos /f/rpm/rpm/lib/depends.c:328:20
    #5 0x512720 in addPackage /f/rpm/rpm/lib/depends.c:446
    #6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7f09b5fdc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)

0x6020151b is located 5 bytes to the right of 6-byte region [0x60201510,0x60201516)
allocated by thread T0 here:
    #0 0x4cc7a8 in malloc (/r/rpm/rpm+0x4cc7a8)
    #1 0x67546e in rstrdup /f/rpm/rpm/rpmio/rpmmalloc.c:74:29
    #2 0x62018f in rpmHeaderFormatCall /f/rpm/rpm/lib/formats.c:541:8
    #3 0x612486 in rpmtdFormat /f/rpm/rpm/lib/rpmtd.c:261:8
    #4 0x58f207 in addTE /f/rpm/rpm/lib/rpmte.c:145:15
    #5 0x58f207 in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #6 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/135
[Rpm-maint] [rpm-software-management/rpm] heap out of bounds read in copyTdEntry() (#133)
The attached file will cause an out of bounds heap read access when passed to rpm (tested with rpm -i --test [input]). Found with american fuzzy lop and address sanitizer.

[oob-heap-copyTdEntry.zip](https://github.com/rpm-software-management/rpm/files/729923/oob-heap-copyTdEntry.zip)

Stack trace from asan:
```
==25558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a12501 at pc 0x004b56e5 bp 0x7ffe1fa11e90 sp 0x7ffe1fa11640
READ of size 592 at 0x61a12501 thread T0
    #0 0x4b56e4 in __asan_memcpy (/r/rpm/rpm+0x4b56e4)
    #1 0x5dd92e in copyTdEntry /f/rpm/rpm/lib/header.c:1074:23
    #2 0x5d82af in intGetTdEntry /f/rpm/rpm/lib/header.c:1294:7
    #3 0x5d71b1 in headerGet /f/rpm/rpm/lib/header.c:1317:10
    #4 0x6373a9 in rpmpkgRead /f/rpm/rpm/lib/package.c:365:6
    #5 0x6373a9 in rpmReadPackageFile /f/rpm/rpm/lib/package.c:432
    #6 0x579658 in tryReadHeader /f/rpm/rpm/lib/rpminstall.c:353:17
    #7 0x579658 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:537
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7f9d10ee078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)

0x61a12501 is located 0 bytes to the right of 1153-byte region [0x61a12080,0x61a12501)
allocated by thread T0 here:
    #0 0x4cc7a8 in malloc (/r/rpm/rpm+0x4cc7a8)
    #1 0x674ff4 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x636804 in rpmpkgReadHeader /f/rpm/rpm/lib/package.c:262:9
    #3 0x6371da in rpmpkgRead /f/rpm/rpm/lib/package.c:340:10
    #4 0x6371da in rpmReadPackageFile /f/rpm/rpm/lib/package.c:432
    #5 0x579658 in tryReadHeader /f/rpm/rpm/lib/rpminstall.c:353:17
    #6 0x579658 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:537
    #7 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12

SUMMARY: AddressSanitizer: heap-buffer-overflow (/r/rpm/rpm+0x4b56e4) in __asan_memcpy
```

-- 
View it on GitHub: https://github.com/rpm-software-management/rpm/issues/133
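Two of the rpm -i reports above fault on header tag data after the header blob itself has been read: in #133 copyTdEntry copies 592 bytes starting exactly at the end of the 1153-byte header region, and in #139 a 4-byte value is read from a 2-byte string that came out of copyTdEntry. Both are what happens when an index entry's offset, count or type is trusted without being checked against the data region it points into. As an added example, not rpm's header.c and not the reporter's code, here is a validator for the RPM header structure (8-byte magic, index count, data size, 16-byte index entries of tag/type/offset/count, then the data) that rejects any entry whose range, alignment or string termination does not fit the data region. The constructed header and the function names are this example's own.

```c
/* Added example for this page: validate an RPM header index before any tag
 * data is dereferenced.  Written for this page; not rpm's lib/header.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag data types as numbered in the RPM header format. */
enum { RPM_NULL_TYPE, RPM_CHAR_TYPE, RPM_INT8_TYPE, RPM_INT16_TYPE, RPM_INT32_TYPE,
       RPM_INT64_TYPE, RPM_STRING_TYPE, RPM_BIN_TYPE, RPM_STRING_ARRAY_TYPE,
       RPM_I18NSTRING_TYPE };

static const uint8_t HDR_MAGIC[8] = { 0x8e, 0xad, 0xe8, 0x01, 0, 0, 0, 0 };

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Do `count` NUL-terminated strings fit inside data[off, dl)?  Only a string
 * tag that passes this may later be handed to strlen()/strcmp(). */
static int strings_fit(const uint8_t *data, uint32_t dl, uint32_t off, uint32_t count)
{
    while (count--) {
        const uint8_t *nul = memchr(data + off, 0, dl - off);
        if (nul == NULL) return 0;
        off = (uint32_t)(nul - data) + 1;
    }
    return 1;
}

/* Returns il (the entry count) when every index entry lies inside the data
 * region, else -1.  Sizes are computed in 64 bits so a huge `count` cannot
 * wrap to a small product and slip past the comparison. */
int validate_header(const uint8_t *blob, size_t blen)
{
    if (blen < 16 || memcmp(blob, HDR_MAGIC, 8) != 0) return -1;
    uint32_t il = get32(blob + 8), dl = get32(blob + 12);
    if (il == 0 || il > (blen - 16) / 16) return -1;      /* index must fit the blob */
    if (dl > blen - 16 - (size_t)il * 16) return -1;       /* data must fit the blob */
    const uint8_t *idx = blob + 16, *data = idx + (size_t)il * 16;
    for (uint32_t i = 0; i < il; i++, idx += 16) {
        uint32_t type = get32(idx + 4), off = get32(idx + 8), count = get32(idx + 12);
        uint64_t need;
        if (off > dl || count == 0) return -1;
        switch (type) {
        case RPM_CHAR_TYPE: case RPM_INT8_TYPE: case RPM_BIN_TYPE:
            need = count; break;
        case RPM_INT16_TYPE: if (off % 2) return -1; need = 2ull * count; break;
        case RPM_INT32_TYPE: if (off % 4) return -1; need = 4ull * count; break;
        case RPM_INT64_TYPE: if (off % 8) return -1; need = 8ull * count; break;
        case RPM_STRING_TYPE:
            if (count != 1) return -1;
            /* fall through */
        case RPM_STRING_ARRAY_TYPE: case RPM_I18NSTRING_TYPE:
            if (!strings_fit(data, dl, off, count)) return -1;
            continue;
        default:
            return -1;                 /* RPM_NULL_TYPE and unknown types are rejected */
        }
        if (need > dl - off) return -1;
    }
    return (int)il;
}

/* Build a constructed header with three entries.  variant 0 is well formed;
 * 1 drops the final NUL of the string array; 2 sets the INT32 count to
 * 0x40000001 so that 4 * count would wrap to 4 in 32-bit arithmetic. */
size_t build_header(uint8_t *buf, int variant)
{
    static const uint8_t data[] = { 0, 0, 0, 7,  0, 0, 0, 9,     /* two INT32 at offset 0 */
                                    'a', 'b', 'c', 0,             /* STRING at offset 8 */
                                    'x', 0,  'y', 'z', 0 };       /* STRING_ARRAY at 12 */
    uint8_t *p = buf;
    memcpy(p, HDR_MAGIC, 8); p += 8;
    put32(p, 3); put32(p + 4, sizeof data); p += 8;
    put32(p, 1000); put32(p + 4, RPM_INT32_TYPE);        put32(p + 8, 0);  put32(p + 12, 2); p += 16;
    put32(p, 1001); put32(p + 4, RPM_STRING_TYPE);       put32(p + 8, 8);  put32(p + 12, 1); p += 16;
    put32(p, 1002); put32(p + 4, RPM_STRING_ARRAY_TYPE); put32(p + 8, 12); put32(p + 12, 2); p += 16;
    memcpy(p, data, sizeof data); p += sizeof data;
    if (variant == 1) p[-1] = 'z';                       /* last string now has no terminator */
    if (variant == 2) put32(buf + 16 + 12, 0x40000001u); /* count of the INT32 entry */
    return (size_t)(p - buf);
}

int demo_header(int variant)
{
    uint8_t buf[128];
    size_t n = build_header(buf, variant);
    return validate_header(buf, n);
}

int main(void)
{
    for (int v = 0; v < 3; v++)
        printf("variant %d: %d\n", v, demo_header(v));
    return 0;
}
```

Variant 1 is the shape of the string bugs on this page: a string tag whose bytes run to the end of the data region with no terminator, so that the first strlen() or strcmp() on it reads past the allocation. Variant 2 is the arithmetic trap: with 32-bit multiplication the size check passes and the copy later reads far past the blob.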