[Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bound heap read in pgpPrtSig, rpmpgp.c:533 (#149)
Hanno Böck
notifications at github.com
Tue Feb 7 11:02:38 UTC 2017
The attached file triggers an out-of-bounds heap read in rpmkeys -K.
[rpmkeys-heap-oob-pgpPrtSig-rpmpgp-533.zip](https://github.com/rpm-software-management/rpm/files/757347/rpmkeys-heap-oob-pgpPrtSig-rpmpgp-533.zip)
asan error with current git (you get more meaningful ones with ASAN_OPTIONS="fast_unwind_on_malloc=0"):
```
==23681==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001a80 at pc 0x00000066c870 bp 0x7fff5c578470 sp 0x7fff5c578468
READ of size 1 at 0x602000001a80 thread T0
#0 0x66c86f in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:533:23
#1 0x66c86f in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:823
#2 0x66c86f in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:982
#3 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
#4 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
#5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
#6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
#7 0x7f9783a7378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)
0x602000001a80 is located 0 bytes to the right of 16-byte region [0x602000001a70,0x602000001a80)
allocated by thread T0 here:
#0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
#1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
#2 0x5d0677 in copyTdEntry /f/rpm/rpm/lib/header.c:1096:12
#3 0x5cf8e4 in headerNext /f/rpm/rpm/lib/header.c:1712:7
#4 0x52d310 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:262:12
#5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
#6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
#7 0x7f9783a7378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/149