GNU bug report logs -
#45026
Heap corruption buffer overflow in bsd_probe
Previous Next
Reported by: Rich Felker <dalias <at> libc.org>
Date: Thu, 3 Dec 2020 18:46:01 UTC
Severity: normal
Done: "Brian C. Lane" <bcl <at> redhat.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 45026 in the body.
You can then email your comments to 45026 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-parted <at> gnu.org
:
bug#45026
; Package
parted
.
(Thu, 03 Dec 2020 18:46:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Rich Felker <dalias <at> libc.org>
:
New bug report received and forwarded. Copy sent to
bug-parted <at> gnu.org
.
(Thu, 03 Dec 2020 18:46:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Commit a5f69f396713ab8ac1e57458cbb9af552d2c1659 rearranged bsd.c's
bsd_probe function in a way that changed the meaning of the local
variable label, but left alone the call to alpha_bootblock_checksum,
thereby causing the checksum to take place over the wrong range of
bytes and be written 56 bytes past the end of the allocated memory.
The checksum call should probably just be removed as the results don't
seem to be used.
This was discovered via a bug report against the Apline Linux package,
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12161. It
appears we just got really lucky catching this, as only one value well
beyond the end of the allocation is written. It turns out that 64+512
makes up exactly the size of musl/mallocng's next size class over 512,
576, and writing 8 bytes before that clobbers all the consistency
check at the end of the slot and the header of the next slot. However
valgrind also seems to catch the bug when running the test cases.
Information forwarded
to
bug-parted <at> gnu.org
:
bug#45026
; Package
parted
.
(Fri, 04 Dec 2020 12:00:01 GMT)
Full text and
rfc822 format available.
Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):
On Thu, 3 Dec 2020 13:45:48 -0500
Rich Felker <dalias <at> libc.org> wrote:
> Commit a5f69f396713ab8ac1e57458cbb9af552d2c1659 rearranged bsd.c's
> bsd_probe function in a way that changed the meaning of the local
> variable label, but left alone the call to alpha_bootblock_checksum,
> thereby causing the checksum to take place over the wrong range of
> bytes and be written 56 bytes past the end of the allocated memory.
> The checksum call should probably just be removed as the results don't
> seem to be used.
>
> This was discovered via a bug report against the Apline Linux package,
> https://gitlab.alpinelinux.org/alpine/aports/-/issues/12161. It
> appears we just got really lucky catching this, as only one value well
> beyond the end of the allocation is written. It turns out that 64+512
> makes up exactly the size of musl/mallocng's next size class over 512,
> 576, and writing 8 bytes before that clobbers all the consistency
> check at the end of the slot and the header of the next slot. However
> valgrind also seems to catch the bug when running the test cases.
I had a look at this and I tried to dig up why the
alpha_bootblock_checksum is called from bsd_probe() at all. I cannot
see any reason why nor could git log give me any clues.
I think this should be a safe fix:
diff --git a/libparted/labels/bsd.c b/libparted/labels/bsd.c
index 8483641..0a2b891 100644
--- a/libparted/labels/bsd.c
+++ b/libparted/labels/bsd.c
@@ -164,8 +164,6 @@ bsd_probe (const PedDevice *dev)
label = &((BSDDiskData*) s0)->label;
- alpha_bootblock_checksum(label);
-
/* check magic */
bool found = PED_LE32_TO_CPU (label->d_magic) == BSD_DISKMAGIC;
free (s0);
-nc
Reply sent
to
"Brian C. Lane" <bcl <at> redhat.com>
:
You have taken responsibility.
(Sat, 05 Dec 2020 01:07:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Rich Felker <dalias <at> libc.org>
:
bug acknowledged by developer.
(Sat, 05 Dec 2020 01:07:01 GMT)
Full text and
rfc822 format available.
Message #13 received at 45026-close <at> debbugs.gnu.org (full text, mbox):
How did you get valgrind to hit that? I'm not seeing it complain about
bsd.c on Fedora.
I've pushed this fix to master.
Brian
--
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Sat, 02 Jan 2021 12:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 3 years and 112 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.