Subject: bug#45026: Heap corruption buffer overflow in bsd_probe
From: Rich Felker
To: bug-parted@gnu.org
Cc: Natanael Copa
Date: Thu, 3 Dec 2020 13:45:48 -0500
Message-ID: <20201203184544.GA6355@brightrain.aerifal.cx>

Commit a5f69f396713ab8ac1e57458cbb9af552d2c1659 rearranged bsd.c's
bsd_probe function in a way that changed the meaning of the local
variable label, but left alone the call to alpha_bootblock_checksum,
thereby causing the checksum to take place over the wrong range of
bytes and be written 56 bytes past the end of the allocated memory.
The checksum call should probably just be removed as the results don't
seem to be used.

This was discovered via a bug report against the Alpine Linux package,
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12161. It
appears we just got really lucky catching this, as only one value well
beyond the end of the allocation is written. It turns out that 64+512
makes up exactly the size of musl/mallocng's next size class over 512,
576, and writing 8 bytes before that clobbers all the consistency
checks at the end of the slot and the header of the next slot. However
valgrind also seems to catch the bug when running the test cases.
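The arithmetic behind the report above, as an added example that is not parted's code and not part of the original thread. It models the layout the report describes: a 512-byte sector read into a heap buffer, a 64-byte boot-code prefix, and a `label` pointer that after the refactor points 64 bytes into that buffer instead of at its start. The checksum routine is modelled on the Alpha bootblock convention (an assumption here: sum the first 63 host-order 64-bit words of a 512-byte block and store the sum in the 64th), which is what puts the 8-byte store at offset 568, i.e. 56 bytes past the end of a 512-byte allocation and ending at 576, the musl/mallocng size class Rich mentions. The bounded variant shows the check a caller-supplied length makes possible; every name in the block is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the layout in the report (not parted's code):
 * one 512-byte sector is read into a heap buffer, the first 64 bytes are
 * boot code, and the disklabel the refactored `label` points at starts
 * at offset 64. Checksum convention is an assumption: sum the first 63
 * host-order 64-bit words of a 512-byte block, store the sum in word 63. */
#define SECTOR_SIZE    512u
#define BOOT_CODE_LEN  64u
#define CKSUM_WORDS    64u
#define WORD_LEN       8u

/* Byte offset, relative to the start of the sector buffer, of the 8-byte
 * checksum store when the routine is handed a pointer `block_off` bytes
 * into that buffer. Before the refactor block_off was 0; after it, 64. */
size_t checksum_store_offset(size_t block_off)
{
    return block_off + (CKSUM_WORDS - 1) * WORD_LEN;
}

/* How far past the end of a buf_len-byte buffer the store begins
 * (0 when it starts in bounds). For block_off = 64 and a 512-byte
 * buffer this is 56, the figure in the report; the store ends at 576. */
size_t bytes_past_end(size_t block_off, size_t buf_len)
{
    size_t start = checksum_store_offset(block_off);
    return start >= buf_len ? start - buf_len : 0;
}

/* Hardened form: the caller passes the buffer and its length, and the
 * routine refuses to touch memory unless the whole block fits inside it. */
bool bootblock_checksum_bounded(unsigned char *buf, size_t buf_len,
                                size_t block_off)
{
    if (block_off > buf_len || buf_len - block_off < CKSUM_WORDS * WORD_LEN)
        return false;                          /* store would be out of bounds */
    uint64_t sum = 0;
    for (size_t i = 0; i < CKSUM_WORDS - 1; i++) {
        uint64_t w;
        memcpy(&w, buf + block_off + i * WORD_LEN, WORD_LEN);  /* alignment-safe */
        sum += w;
    }
    memcpy(buf + block_off + (CKSUM_WORDS - 1) * WORD_LEN, &sum, WORD_LEN);
    return true;
}

/* Reproduce the probe's situation: a malloc'd sector, checksum requested
 * at block_off. Returns whether the bounded routine agreed to run. */
bool probe_checksum_at(size_t block_off)
{
    unsigned char *s0 = calloc(1, SECTOR_SIZE);
    if (!s0)
        return false;
    bool ok = bootblock_checksum_bounded(s0, SECTOR_SIZE, block_off);
    free(s0);
    return ok;
}

/* Sanity check on the checksum itself: fill words 0..62 with their index,
 * run the bounded routine at offset 0 and return the stored word
 * (0 + 1 + ... + 62 = 1953). Constructed input, not a real disklabel. */
uint64_t checksum_of_index_pattern(void)
{
    unsigned char buf[SECTOR_SIZE];
    memset(buf, 0, sizeof buf);
    for (uint64_t i = 0; i < CKSUM_WORDS - 1; i++)
        memcpy(buf + i * WORD_LEN, &i, WORD_LEN);
    if (!bootblock_checksum_bounded(buf, sizeof buf, 0))
        return 0;
    uint64_t stored;
    memcpy(&stored, buf + (CKSUM_WORDS - 1) * WORD_LEN, WORD_LEN);
    return stored;
}

int main(void)
{
    printf("store offset with block at +0:  %zu\n", checksum_store_offset(0));
    printf("store offset with block at +64: %zu\n",
           checksum_store_offset(BOOT_CODE_LEN));
    printf("bytes past a %u-byte buffer:    %zu\n", SECTOR_SIZE,
           bytes_past_end(BOOT_CODE_LEN, SECTOR_SIZE));
    printf("bounded checksum at +0 ran:  %d\n", probe_checksum_at(0));
    printf("bounded checksum at +64 ran: %d\n", probe_checksum_at(BOOT_CODE_LEN));
    return 0;
}
```

The point of the bounded form is not the checksum but the signature: a routine that takes only a pointer cannot know it has been handed the middle of a buffer, so a refactor that changes what the pointer means silently turns an in-bounds write into a heap overflow. Passing the buffer length alongside the offset makes that refactor fail closed instead.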
Subject: bug#45026: Heap corruption buffer overflow in bsd_probe
From: Natanael Copa
To: Rich Felker
Cc: 45026@debbugs.gnu.org, bug-parted@gnu.org
Date: Fri, 4 Dec 2020 12:58:54 +0100
Message-ID: <20201204125854.0d4c8a23@ncopa-desktop.lan>
In-Reply-To: <20201203184544.GA6355@brightrain.aerifal.cx>

On Thu, 3 Dec 2020 13:45:48 -0500
Rich Felker wrote:

> Commit a5f69f396713ab8ac1e57458cbb9af552d2c1659 rearranged bsd.c's
> bsd_probe function in a way that changed the meaning of the local
> variable label, but left alone the call to alpha_bootblock_checksum,
> thereby causing the checksum to take place over the wrong range of
> bytes and be written 56 bytes past the end of the allocated memory.
> The checksum call should probably just be removed as the results don't
> seem to be used.
>
> This was discovered via a bug report against the Alpine Linux package,
> https://gitlab.alpinelinux.org/alpine/aports/-/issues/12161. It
> appears we just got really lucky catching this, as only one value well
> beyond the end of the allocation is written. It turns out that 64+512
> makes up exactly the size of musl/mallocng's next size class over 512,
> 576, and writing 8 bytes before that clobbers all the consistency
> checks at the end of the slot and the header of the next slot. However
> valgrind also seems to catch the bug when running the test cases.

I had a look at this and I tried to dig up why the
alpha_bootblock_checksum is called from bsd_probe() at all. I cannot
see any reason why, nor could git log give me any clues.

I think this should be a safe fix:

diff --git a/libparted/labels/bsd.c b/libparted/labels/bsd.c
index 8483641..0a2b891 100644
--- a/libparted/labels/bsd.c
+++ b/libparted/labels/bsd.c
@@ -164,8 +164,6 @@ bsd_probe (const PedDevice *dev)
 	label = &((BSDDiskData*) s0)->label;
 
-	alpha_bootblock_checksum(label);
-
 	/* check magic */
 	bool found = PED_LE32_TO_CPU (label->d_magic) == BSD_DISKMAGIC;
 	free (s0);

-nc
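Review bot: the hunk records the fix but not why dropping the call is safe, and that reasoning belongs in the commit message: `label` is `&((BSDDiskData*) s0)->label`, so the checksum routine is handed a pointer into the middle of the sector buffer `s0` and, per the report, stores its result past the end of that allocation, while nothing between the call and `free (s0)` reads the checksum. Also worth confirming in the same commit that alpha_bootblock_checksum is still invoked on the write path, since this hunk only touches the probe and a label that is actually written to disk still needs a valid checksum.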
Subject: bug#45026: closed (Re: bug#45026: Heap corruption buffer overflow in bsd_probe)
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Rich Felker
Reply-To: 45026@debbugs.gnu.org
Date: Sat, 05 Dec 2020 01:07:01 +0000

Your bug report

#45026: Heap corruption buffer overflow in bsd_probe

which was filed against the parted package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 45026@debbugs.gnu.org.

-- 
45026: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=45026
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Subject: Re: bug#45026: Heap corruption buffer overflow in bsd_probe
From: "Brian C. Lane"
To: Natanael Copa
Cc: Rich Felker, 45026-close@debbugs.gnu.org
Date: Fri, 4 Dec 2020 17:05:51 -0800
Message-ID: <20201205010551.GK91492@ohop.brianlane.com>
In-Reply-To: <20201204125854.0d4c8a23@ncopa-desktop.lan>

How did you get valgrind to hit that? I'm not seeing it complain about
bsd.c on Fedora.

I've pushed this fix to master.

Brian

-- 
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart