GNU bug report logs - #45026
Heap corruption buffer overflow in bsd_probe


Package: parted;

Reported by: Rich Felker <dalias <at> libc.org>

Date: Thu, 3 Dec 2020 18:46:01 UTC

Severity: normal

Done: "Brian C. Lane" <bcl <at> redhat.com>

Bug is archived. No further changes may be made.




From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: "Brian C. Lane" <bcl <at> redhat.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#45026: closed (Heap corruption buffer overflow in bsd_probe)
Date: Sat, 05 Dec 2020 01:07:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Fri, 4 Dec 2020 17:05:51 -0800
with message-id <20201205010551.GK91492 <at> ohop.brianlane.com>
and subject line Re: bug#45026: Heap corruption buffer overflow in bsd_probe
has caused the debbugs.gnu.org bug report #45026,
regarding Heap corruption buffer overflow in bsd_probe
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
45026: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=45026
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Rich Felker <dalias <at> libc.org>
To: bug-parted <at> gnu.org
Cc: Natanael Copa <ncopa <at> alpinelinux.org>
Subject: Heap corruption buffer overflow in bsd_probe
Date: Thu, 3 Dec 2020 13:45:48 -0500
Commit a5f69f396713ab8ac1e57458cbb9af552d2c1659 rearranged bsd.c's
bsd_probe function in a way that changed the meaning of the local
variable label, but left alone the call to alpha_bootblock_checksum,
thereby causing the checksum to take place over the wrong range of
bytes and be written 56 bytes past the end of the allocated memory.
The checksum call should probably just be removed as the results don't
seem to be used.

This was discovered via a bug report against the Alpine Linux package,
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12161. It
appears we just got really lucky catching this, as only one value well
beyond the end of the allocation is written. It turns out that 64+512
makes up exactly the size of musl/mallocng's next size class over 512,
576, and writing 8 bytes before that clobbers all the consistency
checks at the end of the slot and the header of the next slot. However
valgrind also seems to catch the bug when running the test cases.
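The bug class described in the report above, as an added, constructed model that is not parted's code: a checksum routine assumes it was handed a whole 512-byte sector and stores its result in the last 64-bit word, so calling it with a pointer that already sits some bytes into the sector pushes that store past the end of the heap allocation. The label offset (64), the checksum word index (63) and all function names are assumptions chosen so that the numbers reproduce the 56-byte overrun and the 576-byte end of the write mentioned in the report; the checked variant shows the defensive shape, where the callee is told how many bytes remain and refuses to write outside them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the overflow reported above (not parted's code).
 * A 512-byte sector holds a label at LABEL_OFFSET (assumed 64 here).
 * The checksum routine sums the first 63 64-bit words of what it takes
 * to be a whole sector and stores the result in word 63, i.e. at byte
 * offset 504 from the pointer it was given. */
#define SECTOR_SIZE   512
#define LABEL_OFFSET  64      /* assumed offset of the label in the sector */
#define CHECKSUM_WORD 63      /* checksum lives in the last 64-bit word   */

/* Unchecked variant: trusts the caller to pass a full SECTOR_SIZE buffer.
 * If 'buf' is sector + LABEL_OFFSET, the store lands at byte 568 of a
 * 512-byte allocation, 56 bytes past its end. */
static void bootblock_checksum_unchecked(void *buf)
{
    uint64_t *words = buf;
    uint64_t sum = 0;
    for (size_t i = 0; i < CHECKSUM_WORD; i++)
        sum += words[i];
    words[CHECKSUM_WORD] = sum;
}

/* Checked variant: the callee knows how many bytes follow 'buf' and
 * refuses when the checksum slot would fall outside them.
 * Returns 1 on success, 0 when the write would overflow. */
static int bootblock_checksum_checked(void *buf, size_t remaining)
{
    if (remaining < SECTOR_SIZE)   /* bytes 0..511 must all be in bounds */
        return 0;
    bootblock_checksum_unchecked(buf);
    return 1;
}

/* Byte offset, relative to the end of a SECTOR_SIZE allocation, at which
 * the checksum store begins when the routine is called with a pointer
 * 'offset' bytes into that allocation. Zero or negative means the write
 * stays inside the allocation; positive is an overrun. */
long checksum_overrun_bytes(size_t offset)
{
    long write_start = (long)(offset + CHECKSUM_WORD * sizeof(uint64_t));
    return write_start - SECTOR_SIZE;
}

/* Exercise both call shapes on a heap-allocated sector filled with a
 * constructed pattern. Returns 1 if the checked variant accepted the
 * whole-sector call and rejected the label-offset call. */
int demonstrate(void)
{
    unsigned char *sector = malloc(SECTOR_SIZE);   /* constructed input */
    if (!sector)
        return 0;
    memset(sector, 0xAB, SECTOR_SIZE);

    int ok_base  = bootblock_checksum_checked(sector, SECTOR_SIZE);
    int ok_label = bootblock_checksum_checked(sector + LABEL_OFFSET,
                                              SECTOR_SIZE - LABEL_OFFSET);
    free(sector);
    return ok_base == 1 && ok_label == 0;
}

int main(void)
{
    printf("whole-sector call: write starts %ld bytes relative to end\n",
           checksum_overrun_bytes(0));
    printf("label-offset call: write starts %ld bytes past end\n",
           checksum_overrun_bytes(LABEL_OFFSET));
    printf("checked variant rejects the offset call: %s\n",
           demonstrate() ? "yes" : "no");
    return 0;
}
```

Under these assumptions the offending store covers bytes 568..575 of a 512-byte allocation, which is exactly the last 8 bytes of a 576-byte slot, matching the report's observation that 64+512 is mallocng's next size class and that the write hits the slot's trailing consistency checks. Tools such as valgrind flag the unchecked call because the store is outside any allocation, independent of the allocator's slot layout.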


[Message part 3 (message/rfc822, inline)]
From: "Brian C. Lane" <bcl <at> redhat.com>
To: Natanael Copa <ncopa <at> alpinelinux.org>
Cc: Rich Felker <dalias <at> libc.org>, 45026-close <at> debbugs.gnu.org
Subject: Re: bug#45026: Heap corruption buffer overflow in bsd_probe
Date: Fri, 4 Dec 2020 17:05:51 -0800
How did you get valgrind to hit that? I'm not seeing it complain about
bsd.c on Fedora.

I've pushed this fix to master.

Brian

-- 
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart


