[Rpm-maint] [rpm-software-management/rpm] Invalid free / double free in readFile() / rpmkeys pre signature check (#147)

Hanno Böck notifications at github.com
Thu Feb 2 23:26:53 UTC 2017


The attached files will cause an invalid free or double free. As they're both on the same code line, I assume it's the same bug in different variations.

This only affects the git code, not the latest release (otherwise I wouldn't have reported it to a public bug tracker). This is obviously a very serious security issue.

```
==27173==ERROR: AddressSanitizer: attempting double-free on 0x61a000012080 in thread T0:
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x52db63 in readFile /f/rpm/rpm/lib/rpmchecksig.c:157:5
    #2 0x52db63 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #3 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13
    #4 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #5 0x7fca86edb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x61a000012080 is located 0 bytes inside of 1153-byte region [0x61a000012080,0x61a000012501)
freed by thread T0 here:
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x5c8bac in hdrblobRead /f/rpm/rpm/lib/header.c:1897:2
    #2 0x52dab4 in readFile /f/rpm/rpm/lib/rpmchecksig.c:135:9
    #3 0x52dab4 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #4 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13

previously allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664504 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x52dab4 in readFile /f/rpm/rpm/lib/rpmchecksig.c:135:9
    #3 0x52dab4 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #4 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13

SUMMARY: AddressSanitizer: double-free (/r/rpm/rpmkeys+0x4cc500) in __interceptor_cfree.localalias.1
```

```
==28859==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7ffde9ad6100 in thread T0
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x52db63 in readFile /f/rpm/rpm/lib/rpmchecksig.c:157:5
    #2 0x52db63 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #3 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13
    #4 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #5 0x7fee8e92378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/r/rpm/rpmkeys+0x4cc500) in __interceptor_cfree.localalias.1
==28859==ABORTING
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/147
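As an added illustration of the bug class the two reports point at (this is example code, not rpm's), the C model below reproduces both AddressSanitizer verdicts without the sanitizer: a callee that frees a caller-owned buffer on its error path and leaves the caller to free it again in its cleanup (the roles hdrblobRead and readFile play in the first trace), and a cleanup path that frees a blob pointer that was never assigned (the bad-free on a non-heap address in the second). The blob layout, the names parse_blob_buggy, parse_blob_fixed, verify and the tracking allocator, and the fix shown (the callee stops freeing what it did not allocate) are assumptions made for the example, not the change rpm made.

```c
/* Added example, not rpm's code: models the ownership bug class behind the
 * two ASan reports above (callee frees a buffer its caller still owns and
 * frees again; a cleanup path frees a never-assigned pointer). Frees go
 * through a tracking wrapper so faults are counted instead of aborting. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REGIONS 8
static struct { void *ptr; int freed; } regions[MAX_REGIONS];
static size_t nregions;
static int double_frees;  /* free of an already released region */
static int bad_frees;     /* free of a pointer this allocator never returned */

static void tracker_reset(void)
{
    for (size_t i = 0; i < nregions; i++)
        if (!regions[i].freed) free(regions[i].ptr);
    nregions = double_frees = bad_frees = 0;
}

static void *tracked_malloc(size_t n)
{
    void *p = nregions < MAX_REGIONS ? malloc(n ? n : 1) : NULL;
    if (p) { regions[nregions].ptr = p; regions[nregions].freed = 0; nregions++; }
    return p;
}

/* Classifies a free the way AddressSanitizer does; releases memory once. */
static void tracked_free(void *p)
{
    if (!p) return;                             /* free(NULL) is a no-op */
    for (size_t i = 0; i < nregions; i++) {
        if (regions[i].ptr != p) continue;
        if (regions[i].freed) { double_frees++; return; }  /* "attempting double-free" */
        regions[i].freed = 1;
        free(p);
        return;
    }
    bad_frees++;           /* "free on address which was not malloc()-ed" */
}

static int faults(void) { return double_frees + bad_frees; }

/* Caller-owned buffer plus length. Hypothetical format: at least a 4-byte
 * header; anything shorter is malformed. */
struct blob { unsigned char *data; size_t len; };

/* Buggy callee (the role hdrblobRead plays in the trace): on malformed input
 * it frees a buffer it does not own, leaving the caller's pointer dangling. */
static int parse_blob_buggy(struct blob *b)
{
    if (b->len < 4) { tracked_free(b->data); return -1; }
    return 0;
}

/* Fixed callee: reject the input, leave ownership with the caller. */
static int parse_blob_fixed(struct blob *b)
{
    return b->len < 4 ? -1 : 0;
}

/* Caller in the role of readFile: allocate, parse, free in one cleanup path.
 * init_blob == 0 models a blob whose pointer was never initialised before an
 * early exit; `junk` (a stack array) stands in for that garbage to keep the
 * example free of undefined behaviour. */
static int verify(const unsigned char *in, size_t len,
                  int (*parse)(struct blob *), int init_blob)
{
    unsigned char junk[4];
    struct blob b = { init_blob ? NULL : junk, 0 };
    int rc = -1;

    tracker_reset();
    if (len == 0) goto out;                     /* early exit before any allocation */
    b.data = tracked_malloc(len);
    if (!b.data) goto out;
    memcpy(b.data, in, len);
    b.len = len;
    rc = parse(&b);
out:
    tracked_free(b.data);                       /* unconditional cleanup, as in the trace */
    return rc;
}

/* Constructed sample inputs for the example (not real RPM data). */
static const unsigned char TRUNCATED_BLOB[2] = { 0x01, 0x02 };
static const unsigned char VALID_BLOB[8] = { 0, 0, 0, 4, 'a', 'b', 'c', 'd' };

int main(void)
{
    verify(TRUNCATED_BLOB, sizeof TRUNCATED_BLOB, parse_blob_buggy, 1);
    printf("buggy parser, truncated blob: %d double free(s)\n", double_frees);
    verify(TRUNCATED_BLOB, sizeof TRUNCATED_BLOB, parse_blob_fixed, 1);
    printf("fixed parser, truncated blob: %d fault(s)\n", faults());
    verify(VALID_BLOB, 0, parse_blob_fixed, 0);
    printf("uninitialised pointer, early exit: %d bad free(s)\n", bad_frees);
    return 0;
}
```

Replacing tracked_malloc/tracked_free with plain malloc/free and building with `-fsanitize=address` turns the two counted faults into the same two ASan summaries quoted above (`double-free` for the first input, `bad-free` for the early-exit case). The general rule the fixed callee follows is the one to check for in any reviewer's pass over this kind of code: a function that did not allocate a buffer does not free it, and if it must take ownership on some path, it nulls the caller's pointer so the caller's cleanup becomes a no-op.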