GNU bug report logs - #45026
Heap corruption buffer overflow in bsd_probe

Package: parted;

Reported by: Rich Felker <dalias <at> libc.org>

Date: Thu, 3 Dec 2020 18:46:01 UTC

Severity: normal

Done: "Brian C. Lane" <bcl <at> redhat.com>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Rich Felker <dalias <at> libc.org>
Subject: bug#45026: closed (Re: bug#45026: Heap corruption buffer overflow in bsd_probe)
Date: Sat, 05 Dec 2020 01:07:01 +0000
Your bug report

#45026: Heap corruption buffer overflow in bsd_probe

which was filed against the parted package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 45026 <at> debbugs.gnu.org.

-- 
45026: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=45026
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: "Brian C. Lane" <bcl <at> redhat.com>
To: Natanael Copa <ncopa <at> alpinelinux.org>
Cc: Rich Felker <dalias <at> libc.org>, 45026-close <at> debbugs.gnu.org
Subject: Re: bug#45026: Heap corruption buffer overflow in bsd_probe
Date: Fri, 4 Dec 2020 17:05:51 -0800
How did you get valgrind to hit that? I'm not seeing it complain about
bsd.c on Fedora.

I've pushed this fix to master.

Brian

-- 
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart


From: Rich Felker <dalias <at> libc.org>
To: bug-parted <at> gnu.org
Cc: Natanael Copa <ncopa <at> alpinelinux.org>
Subject: Heap corruption buffer overflow in bsd_probe
Date: Thu, 3 Dec 2020 13:45:48 -0500
Commit a5f69f396713ab8ac1e57458cbb9af552d2c1659 rearranged bsd.c's
bsd_probe function in a way that changed the meaning of the local
variable label, but left alone the call to alpha_bootblock_checksum,
thereby causing the checksum to take place over the wrong range of
bytes and be written 56 bytes past the end of the allocated memory.
The checksum call should probably just be removed as the results don't
seem to be used.

This was discovered via a bug report against the Alpine Linux package,
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12161. It
appears we just got really lucky catching this, as only one value well
beyond the end of the allocation is written. It turns out that 64+512
makes up exactly the size of musl/mallocng's next size class over 512,
576, and writing 8 bytes before that clobbers all the consistency
checks at the end of the slot and the header of the next slot. However
valgrind also seems to catch the bug when running the test cases.



This bug report was last modified 4 years and 226 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.