https://bugzilla.samba.org/show_bug.cgi?id=7869
Summary: rsync segfault
Product: rsync
Version: 3.0.7
Platform: x64
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P3
Component: core
AssignedTo: wayned at samba.org
ReportedBy: rafa.silva at gmail.com
QAContact: rsync-qa at samba.org
Hi,
In my analysis (fuzzing) i find a fancy bug in rsync.
Linux bengbeng 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010
x86_64 GNU/Linux
The Bug:
$ rsync --backup-dir=`perl -e 'print "A"x22222;'`
Segmentation fault
$ rsync --backup-dir=`perl -e 'print "1"x22222;'`
Segmentation fault
Cheers.
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #1 from paul at debian.org 2010-12-15 13:16 CST ------- Are you sure that the segmentation violation was in rsync, and not e.g. in the shell used to execute the backticks? Please provide a backtrace of the core dump. I can't reproduce it on my system, I just get the usage message due to incomplete arguments. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #2 from rafa.silva at gmail.com 2010-12-15 13:28 CST ------- Created an attachment (id=6132) --> (https://bugzilla.samba.org/attachment.cgi?id=6132&action=view) core dumped for rsync -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869
------- Comment #3 from matt at mattmccutchen.net 2010-12-15 13:32 CST -------
I see what is happening. options.c:1496:
backup_dir_remainder = sizeof backup_dir_buf - backup_dir_len;
if (backup_dir_remainder < 32) {
snprintf(err_buf, sizeof err_buf,
"the --backup-dir path is WAY too long.\n");
return 0;
}
But backup_dir_remainder is unsigned, so the subtraction overflows and the
error message does not trip.
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869
------- Comment #4 from jr-sambabugzilla at quo.to 2010-12-15 14:01 CST -------
There's also potential for a one-off overflow here:
} else if (backup_dir_buf[backup_dir_len - 1] != '/') {
backup_dir_buf[backup_dir_len++] = '/';
backup_dir_buf[backup_dir_len] = '\0';
}
backup_dir_len is incremented, but there is no corresponding decrement of
backup_dir_remainder.
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #5 from paul at debian.org 2010-12-15 15:14 CST ------- (In reply to comment #3)> I see what is happening. options.c:1496: > > backup_dir_remainder = sizeof backup_dir_buf - backup_dir_len; > if (backup_dir_remainder < 32) { > snprintf(err_buf, sizeof err_buf, > "the --backup-dir path is WAY too long.\n"); > return 0; > } > > But backup_dir_remainder is unsigned, so the subtraction overflows and the > error message does not trip.I would have expected strlcpy() to limit the return value to the bufsize passed as last argument, but at least the lib/compat.c version doesn't, and contradicts the comments there in doing so ("@return index of the terminating byte"). If it had done that, it would have limited the result of the subtraction to >= 0. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #6 from paul at debian.org 2010-12-15 15:17 CST ------- (In reply to comment #2)> Created an attachment (id=6132)--> (https://bugzilla.samba.org/attachment.cgi?id=6132&action=view) [details]> core dumped for rsyncA coredump from your system is pretty useless for anyone else. That's why I asked for the backtrace from that coredump. However Matt has spotted the problem already. Amusingly 'file core' says: core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from '111111111111111' Note how apparently argv[0] got overwritten as well. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869
wayned at samba.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Comment #7 from wayned at samba.org 2010-12-17 00:34 CST -------
Fix committed to git for both the crashing overflow and the off-by-one issue.
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
Apparently Analagous Threads
- wrong transfer of app packages using --backup
- [patch] fix for "refuse options" ignored due to popt
- [PATCH 1/2] virtio_net: fix error handling for mergeable buffers
- [PATCH 1/2] virtio_net: fix error handling for mergeable buffers
- How about a --min-size option, next to --max-size