Possible heap-buffer-overflow in config file parsing
Closed this issue · 1 comments
mrc0mmand commented
While debugging one of our storage-related systemd-udev tests I came across an ASan error in the config file parsing routines, which I can also reproduce with the latest lvm2 main (819a35c ATTOW):
$ ASAN_OPTIONS=detect_leaks=0 ./configure CFLAGS="-fsanitize=address -g -O0" --enable-debug
$ ASAN_OPTIONS=detect_leaks=0 make -j8
$ export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1
$ tools/lvm --help
=================================================================
==2133626==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000019dbb at pc 0x7fe54e1c45dd bp 0x7ffcfb20b1e0 sp 0x7ffcfb20a990
READ of size 102352 at 0x633000019dbb thread T0
#0 0x7fe54e1c45dc in StrtolFixAndCheck(void*, char const*, char**, char*, int) (/lib64/libasan.so.6+0x6b5dc)
#1 0x7fe54e1c49b5 in strtoll (/lib64/libasan.so.6+0x6b9b5)
#2 0x563977caea0a in _type device_mapper/libdm-config.c:686
#3 0x563977cae7ce in _value device_mapper/libdm-config.c:665
#4 0x563977cae0ab in _section device_mapper/libdm-config.c:621
#5 0x563977cadd66 in _section device_mapper/libdm-config.c:614
#6 0x563977cace1e in _file device_mapper/libdm-config.c:500
#7 0x563977caa42a in _do_dm_config_parse device_mapper/libdm-config.c:192
#8 0x563977caa547 in dm_config_parse device_mapper/libdm-config.c:202
#9 0x563977aa8a10 in config_file_read_fd config/config.c:593
#10 0x563977aa8f1c in config_file_read config/config.c:634
#11 0x563977aa71ac in config_file_open_and_read config/config.c:284
#12 0x563977a9f6f3 in _load_config_file commands/toolcontext.c:900
#13 0x563977a9f993 in _init_lvm_conf commands/toolcontext.c:929
#14 0x563977aa3d6b in create_toolcontext commands/toolcontext.c:1756
#15 0x5639779fe8d0 in init_lvm /home/fsumsal/repos/lvm2/tools/lvmcmdline.c:3591
#16 0x5639779ff8aa in lvm2_main /home/fsumsal/repos/lvm2/tools/lvmcmdline.c:3744
#17 0x563977a79dc6 in main /home/fsumsal/repos/lvm2/tools/lvm.c:23
#18 0x7fe54dcc955f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
#19 0x7fe54dcc960b in __libc_start_main_alias_1 (/lib64/libc.so.6+0x2d60b)
#20 0x563977998e04 in _start (/home/fsumsal/repos/lvm2/tools/lvm+0x112e04)
0x633000019dbb is located 0 bytes to the right of 103867-byte region [0x633000000800,0x633000019dbb)
allocated by thread T0 here:
#0 0x7fe54e207af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x563977aa5b46 in zalloc ../base/memory/zalloc.h:22
#2 0x563977aa834f in config_file_read_fd config/config.c:525
#3 0x563977aa8f1c in config_file_read config/config.c:634
#4 0x563977aa71ac in config_file_open_and_read config/config.c:284
#5 0x563977a9f6f3 in _load_config_file commands/toolcontext.c:900
#6 0x563977a9f993 in _init_lvm_conf commands/toolcontext.c:929
#7 0x563977aa3d6b in create_toolcontext commands/toolcontext.c:1756
#8 0x5639779fe8d0 in init_lvm /home/fsumsal/repos/lvm2/tools/lvmcmdline.c:3591
#9 0x5639779ff8aa in lvm2_main /home/fsumsal/repos/lvm2/tools/lvmcmdline.c:3744
#10 0x563977a79dc6 in main /home/fsumsal/repos/lvm2/tools/lvm.c:23
#11 0x7fe54dcc955f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.6+0x6b5dc) in StrtolFixAndCheck(void*, char const*, char**, char*, int)
Shadow bytes around the buggy address:
0x0c667fffb360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb3a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb3b0: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
0x0c667fffb3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2133626==ABORTING
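The faulting read in the report above sits at the byte immediately past the end of the 103867-byte region that config_file_read_fd allocated, and it is issued from inside strtoll. That pattern (strtoll has no length argument and keeps scanning until it meets a non-digit byte) is what you get when a number is parsed out of a buffer that is not NUL-terminated and the number happens to be the last thing in the buffer. The following is an added example, not lvm2 code: the function names, the sample config text and the buffer layout are constructed for illustration. It shows a bounded integer parser that copies only bytes inside [p, end) into a NUL-terminated scratch buffer before handing them to strtoll, so the scan can never leave the region, and a small harness that reproduces the unterminated-buffer shape from the report.

```c
/* Added example (not lvm2 code): parsing an integer out of a buffer that has
 * no terminating NUL without letting strtoll() read past its end. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse an optionally signed decimal integer from [p, end).
 * Never touches a byte at or beyond `end`.
 * Returns the number of bytes consumed (> 0) and stores the value in *out,
 * or 0 if there is no number, the token is too long, or it overflows. */
size_t parse_int_bounded(const char *p, const char *end, long long *out)
{
    char scratch[32];             /* any 64-bit value fits with room to spare */
    size_t avail = (p < end) ? (size_t)(end - p) : 0;
    size_t n = 0;

    /* Copy sign and digits into a NUL-terminated scratch buffer, stopping at
     * the first non-digit or at `end`, whichever comes first. */
    if (avail > 0 && (p[0] == '-' || p[0] == '+')) {
        scratch[0] = p[0];
        n = 1;
    }
    while (n < avail && n < sizeof(scratch) - 1 && p[n] >= '0' && p[n] <= '9') {
        scratch[n] = p[n];
        n++;
    }
    /* Token longer than the scratch buffer: refuse rather than truncate. */
    if (n == sizeof(scratch) - 1 && n < avail && p[n] >= '0' && p[n] <= '9')
        return 0;
    scratch[n] = '\0';

    /* strtoll() now scans a string we own and know is terminated. */
    char *tail;
    errno = 0;
    long long v = strtoll(scratch, &tail, 10);
    if (tail == scratch || errno == ERANGE)
        return 0;             /* no digits (e.g. a lone "-") or out of range */
    *out = v;
    return (size_t)(tail - scratch);
}

/* Convenience wrappers: consumed length only, or value with a fallback. */
size_t parse_int_len(const char *s, size_t len)
{
    long long v;
    return parse_int_bounded(s, s + len, &v);
}

long long parse_int_or(const char *s, size_t len, long long fallback)
{
    long long v;
    return parse_int_bounded(s, s + len, &v) > 0 ? v : fallback;
}

/* Mimic the shape of the report: file contents copied into a heap buffer of
 * exactly their size, so the final number is followed by no NUL at all. */
long long demo_unterminated_buffer(void)
{
    static const char text[] = "log_level = 42";   /* constructed sample config */
    size_t len = sizeof(text) - 1;                  /* drop the literal's NUL */
    char *buf = malloc(len);
    if (!buf)
        return -1;
    memcpy(buf, text, len);                         /* buf is NOT NUL-terminated */

    /* Locate the value after '=' using only bounded pointer walks, never str*(). */
    const char *p = buf, *end = buf + len;
    while (p < end && *p != '=')
        p++;
    while (p < end && (*p == '=' || *p == ' '))
        p++;

    long long v = -1;
    parse_int_bounded(p, end, &v);                  /* stays inside [p, end) */
    free(buf);
    return v;
}

int main(void)
{
    printf("parsed %lld from an unterminated buffer\n", demo_unterminated_buffer());
    return 0;
}
```

Built with `-fsanitize=address`, the harness stays silent because every read is bounded by `end`; replacing `parse_int_bounded` with a bare `strtoll(p, ...)` on the same buffer is exactly the access ASan flags above. The length-check-then-copy step is the whole point: any libc routine that takes a `char *` and no length (strtol family, strchr, strlen, sscanf) must only ever see memory you know is terminated.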
zkabelac commented
Addressed by upstream patch:
https://listman.redhat.com/archives/lvm-devel/2022-February/msg00011.html