samba-bugs at samba.org
2017-Oct-31 04:40 UTC
[Bug 13113] New: receive_xattr heap overflow when prepending RSYNC_PREFIX
https://bugzilla.samba.org/show_bug.cgi?id=13113 Bug ID: 13113 Summary: receive_xattr heap overflow when prepending RSYNC_PREFIX Product: rsync Version: 3.1.3 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: core Assignee: wayned at samba.org Reporter: jeriko.one at gmx.us QA Contact: rsync-qa at samba.org Created attachment 13745 --> https://bugzilla.samba.org/attachment.cgi?id=13745&action=edit change MIGHT_NEED_RPRE to am_root <= 0 $ ./rsync -v rsync version 3.1.3dev protocol version 31 I've built with HAVE_LINUX_XATTRS I'm running rsyncd as a non root user. the args I'm sending rsyncd when connecting are {"--server", "--filter", "+x jk", "-X", ".", ".", "\0"}; code snippets are from xattrs.c in receive_xattr a name is read from the sender. The name might need to be prefixed depending on am_root. To make room for this prefix extra_len is possibly allocated. 818 size_t extra_len = MIGHT_NEED_RPRE ? RPRE_LEN : 0; 822 ptr = new_array(char, dget_len + extra_len + name_len); <-- the length values are received from the sender. In this case I'm sending dget_len 0 61 #ifdef HAVE_LINUX_XATTRS 62 #define MIGHT_NEED_RPRE (am_root < 0) The issue is that am_root < 0 isn't the only time that a prefix might be prepended to name. If we're running as a normal user (am_root == 0) and the sender has sent a filter with an xattr filter then the prefix will also be prepended. 840 #ifdef HAVE_LINUX_XATTRS 841 /* Non-root can only save the user namespace. */ 842 if (am_root <= 0 && !HAS_PREFIX(name, USER_PREFIX)) { 843 if (!am_root && !saw_xattr_filter) { 844 free(ptr); 845 continue; 846 } 847 name -= RPRE_LEN; 848 name_len += RPRE_LEN; 849 memcpy(name, RSYNC_PREFIX, RPRE_LEN); 850 need_sort = 1; 851 } Since there wasn't any extra_len allocated name -= RPRE_LEN can point before the buffer causing a heap overwrite. The patch I've attached changes MIGHT_NEED_RPRE (am_root <= 0) since the only time we might add a prefix is when we're not root. ASan output: ==================================================================12012==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e825 at pc 0x7ffff6ef8864 bp 0x7fffffff9b50 sp 0x7fffffff92f8 WRITE of size 11 at 0x60200000e825 thread T0 #0 0x7ffff6ef8863 in __asan_memcpy (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x8c863) #1 0x4a2eef in receive_xattr /home/raj/rsync/rsync/xattrs.c:849 #2 0x40beac in recv_file_entry /home/raj/rsync/rsync/flist.c:1108 #3 0x415bee in recv_file_list /home/raj/rsync/rsync/flist.c:2476 #4 0x454eaa in do_server_recv /home/raj/rsync/rsync/main.c:1036 #5 0x4556f4 in start_server /home/raj/rsync/rsync/main.c:1115 #6 0x4b20f9 in rsync_module /home/raj/rsync/rsync/clientserver.c:1007 #7 0x4b2b18 in start_daemon /home/raj/rsync/rsync/clientserver.c:1135 #8 0x48f636 in start_accept_loop /home/raj/rsync/rsync/socket.c:618 #9 0x4b32d9 in daemon_main /home/raj/rsync/rsync/clientserver.c:1237 #10 0x458318 in main /home/raj/rsync/rsync/main.c:1630 #11 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f) #12 0x4047c8 in _start (/home/raj/rsync/asan/bin/rsync+0x4047c8) 0x60200000e825 is located 11 bytes to the left of 3-byte region [0x60200000e830,0x60200000e833) allocated by thread T0 here: #0 0x7ffff6f04572 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x98572) #1 0x44e48b in _new_array /home/raj/rsync/rsync/util2.c:68 #2 0x4a2c66 in receive_xattr /home/raj/rsync/rsync/xattrs.c:822 #3 0x40beac in recv_file_entry /home/raj/rsync/rsync/flist.c:1108 #4 0x415bee in recv_file_list /home/raj/rsync/rsync/flist.c:2476 #5 0x454eaa in do_server_recv /home/raj/rsync/rsync/main.c:1036 #6 0x4556f4 in start_server /home/raj/rsync/rsync/main.c:1115 #7 0x4b20f9 in rsync_module /home/raj/rsync/rsync/clientserver.c:1007 #8 0x4b2b18 in start_daemon /home/raj/rsync/rsync/clientserver.c:1135 #9 0x48f636 in start_accept_loop /home/raj/rsync/rsync/socket.c:618 #10 0x4b32d9 in daemon_main /home/raj/rsync/rsync/clientserver.c:1237 #11 0x458318 in main /home/raj/rsync/rsync/main.c:1630 #12 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy Shadow bytes around the buggy address: 0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff9d00: fa fa fa fa[fa]fa 03 fa fa fa 04 fa fa fa 00 07 0x0c047fff9d10: fa fa fd fd fa fa 02 fa fa fa 02 fa fa fa 00 01 0x0c047fff9d20: fa fa 03 fa fa fa 06 fa fa fa 00 01 fa fa 06 fa 0x0c047fff9d30: fa fa 00 01 fa fa 06 fa fa fa fd fd fa fa fd fa 0x0c047fff9d40: fa fa 00 01 fa fa fd fa fa fa fd fa fa fa 00 01 0x0c047fff9d50: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==12012==ABORTING -- You are receiving this mail because: You are the QA Contact for the bug.
Reasonably Related Threads
- [Bug 13112] New: receive_xattr heap overread with non null terminated name and xattr filter
- [Bug 12568] New: Integer overflow still affects xattrs.c
- [PATCH v2 1/2] xattrs: Skip security.evm extended attribute
- [PATCH] --omit-dir-changes, qsort<>mergesort issues
- [Bug 12806] Deleting in a row of hardlinked snapshots resets file permissions.