Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 1 | From bd68ae1271598e8fdc72f2adb457e6882604582d Mon Sep 17 00:00:00 2001 |
| 2 | From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> |
| 3 | Date: Thu, 22 Feb 2018 16:39:43 +0100 |
| 4 | Subject: [PATCH] Fix a heap-buffer-overflow in find_archive() |
| 5 | MIME-Version: 1.0 |
| 6 | Content-Type: text/plain; charset=UTF-8 |
| 7 | Content-Transfer-Encoding: 8bit |
| 8 | |
| 9 | rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in |
| 10 | find_archive() reads up-to BUFSIZ bytes. |
| 11 | |
| 12 | On my system, BUFSIZ is 8192. rw_base_size is usually equaled to |
| 13 | a memory page size, 4096 on my system. Thus find_archive() can write |
| 14 | beyonded allocated memmory for rw_buffer array: |
| 15 | |
| 16 | $ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4 |
| 17 | ==30582== Memcheck, a memory error detector |
| 18 | ==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. |
| 19 | ==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info |
| 20 | ==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4 |
| 21 | ==30582== |
| 22 | ==30582== Invalid write of size 1 |
| 23 | ==30582== at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so) |
| 24 | ==30582== by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so) |
| 25 | ==30582== by 0x10BF60: fgets_unlocked (stdio2.h:320) |
| 26 | ==30582== by 0x10BF60: find_archive (unshar.c:243) |
| 27 | ==30582== by 0x10BF60: unshar_file (unshar.c:379) |
| 28 | ==30582== by 0x10BCCC: validate_fname (unshar-opts.c:604) |
| 29 | ==30582== by 0x10BCCC: main (unshar-opts.c:639) |
| 30 | ==30582== Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd |
| 31 | ==30582== at 0x4C2DBBB: malloc (vg_replace_malloc.c:299) |
| 32 | ==30582== by 0x10C670: init_unshar (unshar.c:450) |
| 33 | ==30582== by 0x10BC55: main (unshar-opts.c:630) |
| 34 | |
| 35 | This was reported in |
| 36 | <http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>. |
| 37 | |
| 38 | CVE: CVE-2018-1000097 |
Andrew Geissler | 6aa7eec | 2023-03-03 12:41:14 -0600 | [diff] [blame^] | 39 | Upstream-Status: Inappropriate [no upstream] |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 40 | Signed-off-by: Petr Písař <ppisar@redhat.com> |
| 41 | Signed-off-by: Sinan Kaya <okaya@kernel.org> |
| 42 | --- |
| 43 | src/unshar.c | 2 +- |
| 44 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 45 | |
| 46 | diff --git a/src/unshar.c b/src/unshar.c |
| 47 | index 80bc3a9..0fc3773 100644 |
| 48 | --- a/src/unshar.c |
| 49 | +++ b/src/unshar.c |
| 50 | @@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start) |
| 51 | off_t position = ftello (file); |
| 52 | |
| 53 | /* Read next line, fail if no more and no previous process. */ |
| 54 | - if (!fgets (rw_buffer, BUFSIZ, file)) |
| 55 | + if (!fgets (rw_buffer, rw_base_size, file)) |
| 56 | { |
| 57 | if (!start) |
| 58 | error (0, 0, _("Found no shell commands in %s"), name); |
| 59 | -- |
| 60 | 2.19.0 |
| 61 | |