heap buffer overflow and stack buffer overflow in test suite
asarubbo opened this issue · 3 comments
asarubbo commented
Our Gentoo tinderbox reported at bug 913966 a test failure.
Looking at the log attached to the downstream report, we can see:
==25==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000651b8 at pc 0x56273fab2a32 bp 0x7fffedf00ee0 sp 0x7fffedf00688
READ of size 65 at 0x6060000651b8 thread T0
#0 0x56273fab2a31 in __interceptor_strlen.part.0 (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_compression_wrapper+0x63a31)
#1 0x56273fb7cf0a in test_cr_get_zchunk_with_index /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_compression_wrapper.c:903
#2 0x7fd72023e8ad (/usr/lib64/libglib-2.0.so.0+0x838ad)
#3 0x7fd72023e6a2 (/usr/lib64/libglib-2.0.so.0+0x836a2)
#4 0x7fd72023edc1 in g_test_run_suite (/usr/lib64/libglib-2.0.so.0+0x83dc1)
#5 0x7fd72023ee47 in g_test_run (/usr/lib64/libglib-2.0.so.0+0x83e47)
#6 0x56273fa71687 in main /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_compression_wrapper.c:953
#7 0x7fd71fe23c89 (/lib64/libc.so.6+0x23c89)
#8 0x7fd71fe23d44 in __libc_start_main (/lib64/libc.so.6+0x23d44)
#9 0x56273fa71750 in _start (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_compression_wrapper+0x22750)
0x6060000651b8 is located 0 bytes after 56-byte region [0x606000065180,0x6060000651b8)
allocated by thread T0 here:
#0 0x56273fb2859f in malloc (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_compression_wrapper+0xd959f)
#1 0x7fd72021b02d in g_malloc (/usr/lib64/libglib-2.0.so.0+0x6002d)
#2 0x56273fb7ce75 in test_cr_get_zchunk_with_index /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_compression_wrapper.c:902
#3 0x7fd72023e8ad (/usr/lib64/libglib-2.0.so.0+0x838ad)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_compression_wrapper+0x63a31) in __interceptor_strlen.part.0
and
==29==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f2f5bb0025e at pc 0x55bfc3f3fd42 bp 0x7ffd86c788e0 sp 0x7ffd86c78088
READ of size 31 at 0x7f2f5bb0025e thread T0
#0 0x55bfc3f3fd41 in __interceptor_strlen.part.0 (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_misc+0x67d41)
#1 0x7f2f5ee019ce in g_strrstr (/usr/lib64/libglib-2.0.so.0+0x7c9ce)
#2 0x55bfc4015da2 in compressfile_test_text_file /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_misc.c:560
#3 0x7f2f5ee088ad (/usr/lib64/libglib-2.0.so.0+0x838ad)
#4 0x7f2f5ee086a2 (/usr/lib64/libglib-2.0.so.0+0x836a2)
#5 0x7f2f5ee08dc1 in g_test_run_suite (/usr/lib64/libglib-2.0.so.0+0x83dc1)
#6 0x7f2f5ee08e47 in g_test_run (/usr/lib64/libglib-2.0.so.0+0x83e47)
#7 0x55bfc3efe9a4 in main /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_misc.c:1377
#8 0x7f2f5ea23c89 (/lib64/libc.so.6+0x23c89)
#9 0x7f2f5ea23d44 in __libc_start_main (/lib64/libc.so.6+0x23d44)
#10 0x55bfc3efea60 in _start (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_misc+0x26a60)
Address 0x7f2f5bb0025e is located in stack of thread T0 at offset 94 in frame
#0 0x55bfc4015bff in compressfile_test_text_file /var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0/tests/test_misc.c:545
This frame has 2 object(s):
[32, 40) 'tmp_err' (line 547)
[64, 94) 'buf' (line 558) <== Memory access at offset 94 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/var/tmp/portage/app-arch/createrepo_c-1.0.0/work/createrepo_c-1.0.0_build/tests/test_misc+0x67d41) in __interceptor_strlen.part.0
I didn't look deeply if the failures are in the test-suite itself or in the libraries involved in the tests (and then possible security implications)
If I can help further please let me know.
dralley commented
@kontura I'm also seeing segfaults when using this version from Pulp. I don't have a coredump for you at the moment but there may be something broken in the Python bindings.
kontura commented
Thank you for the reports!
The overflows reported here are problems just in the test suite but running with the sanitizers I did find some more serious problems connected to the handling of duplicate packages. I think those could cause a crash easily.
I am working on it.