Created attachment 848305: testcases+logs

In addition to bug 890577 I found multiple crashes that are not considered security issues at all.

1) Infinite recursion (stack-overflow)

$ scanmacho -Aa 1.crashes.elf
=================================================================
==44066==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa6f0c0d8 (pc 0x555555640e7e bp 0x7fffffffda10 sp 0x7fffa6f0c0e0 T0)
    #0 0x555555640e7e in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:112:8
    #1 0x55555563d73a in scanmacho_archive /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:430:14
    #2 0x55555563d73a in scanmacho_file /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:476:3
    #3 0x55555563c811 in scanmacho_dir /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:500:10
    #4 0x55555563ba60 in parseargs /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:803:9
    #5 0x55555563ba60 in main /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:816:8
    #6 0x7ffff7d0e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7ffff7d0e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #8 0x555555578610 in _start (/usr/bin/scanmacho+0x24610)

2) heap-overflow in ar_next (maybe for the same cause as bug 890577)

$ scanmacho -Aa 2.crashes.elf
=================================================================
==51266==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000d3 at pc 0x55555559b681 bp 0x7fffffffd010 sp 0x7fffffffc798
READ of size 1 at 0x6030000000d3 thread T0
    #0 0x55555559b680 in printf_common(void*, char const*, __va_list_tag*) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:553:9
    #1 0x55555559cfa0 in __interceptor_snprintf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1817:1
    #2 0x555555640d0d in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:126:2
    #3 0x55555563d73a in scanmacho_archive /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:430:14
    #4 0x55555563d73a in scanmacho_file /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:476:3
    #5 0x55555563c811 in scanmacho_dir /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:500:10
    #6 0x55555563ba60 in parseargs /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:803:9
    #7 0x55555563ba60 in main /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:816:8
    #8 0x7ffff7d0e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7ffff7d0e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #10 0x555555578610 in _start (/usr/bin/scanmacho+0x24610)

3) invalid memory read in ar_next (maybe for the same cause as bug 890577)

$ scanmacho -Aa 5.crashes.elf
=================================================================
==56456==ERROR: AddressSanitizer: SEGV on unknown address 0x6020595b63a6 (pc 0x5555556146a0 bp 0x7fffffffcf70 sp 0x7fffffffc6e8 T0)
==56456==The signal is caused by a READ memory access.
    #0 0x5555556146a0 in __sanitizer::internal_strlen(char const*) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp:167:10
    #1 0x55555559b550 in printf_common(void*, char const*, __va_list_tag*) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:551:18
    #2 0x55555559b888 in __interceptor_vsnprintf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1746:1
    #3 0x55555559cfa0 in __interceptor_snprintf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1817:1
    #4 0x555555640d0d in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:126:2
    #5 0x555555640f34 in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:101:10
    #6 0x55555563d623 in scanmacho_archive /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:430:14
    #7 0x55555563d623 in scanmacho_file /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:476:3
    #8 0x55555563c811 in scanmacho_dir /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:500:10
    #9 0x55555563ba60 in parseargs /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:803:9
    #10 0x55555563ba60 in main /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:816:8
    #11 0x7ffff7d0e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7ffff7d0e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #13 0x555555578610 in _start (/usr/bin/scanmacho+0x24610)

Complete logs and testcases attached as a zip.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=77bf161b55dbf340f4498ad26eef3fd7a0dfbcdc

commit 77bf161b55dbf340f4498ad26eef3fd7a0dfbcdc
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-25 05:02:51 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2024-01-25 05:02:51 +0000

    ar: switch from alloca to malloc

    If alloca allocates too much stack space, program behavior is undefined,
    and basically we segfault. There is no way to check whether this will
    happen ahead of time, so our only choice is to switch to malloc. If we
    try to allocate too much memory from the heap, we'll get a NULL pointer,
    and we can diagnose & exit ourselves.

    Kind of sucks as alloca was a perfect fit here, but since the size is
    coming directly from user input, we can't trust it is always "reasonable".

    Bug: https://bugs.gentoo.org/890579
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 meson.build | 1 -
 paxinc.c    | 5 ++++-
 porting.h   | 3 ---
 3 files changed, 4 insertions(+), 5 deletions(-)

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=f2af478770a5a4a3f69ab64f1b5e17c8f7a17050

commit f2af478770a5a4a3f69ab64f1b5e17c8f7a17050
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-25 04:58:06 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2024-01-25 04:58:06 +0000

    ar: handle invalid extended filename offsets

    Check the extended filename offset doesn't exceed the size of the
    extended filename section.

    Bug: https://bugs.gentoo.org/890579
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 paxinc.c | 10 ++++++++--
 paxinc.h |  1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
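As an added illustration of the two fixes the commit messages above describe (this is example code written for this page, not pax-utils' own ar_next): a self-contained C resolver for GNU ar member names. It bounds-checks the offset parsed from a "/<N>" name against the size of the "//" extended-filename table before touching the table, refuses entries that have no "/\n" terminator inside the table, and takes the copy from the heap with a NULL check instead of alloca, because the length is derived from archive bytes. The function names, the 16-byte field handling and the sample table are assumptions made for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code, not pax-utils'.  GNU ar keeps long member names in a special
 * "//" member whose contents are entries terminated by "/\n"; a member named
 * "/<N>" refers to byte offset N of that table.  Both N and the table bytes
 * come straight from the archive, so neither can be trusted. */

/* Resolve the 16-byte ar_name field `name16` (not NUL-terminated).  Returns a
 * malloc'd NUL-terminated name the caller frees, or NULL when the field is
 * rejected: offset outside the table, unterminated entry, allocation failure. */
char *ar_resolve_name(const char name16[16], const char *table, size_t table_len)
{
    /* NUL-terminate a copy so strtoull and the scans below cannot run past
     * the fixed-width field. */
    char field[17];
    memcpy(field, name16, 16);
    field[16] = '\0';

    if (field[0] != '/' || field[1] < '0' || field[1] > '9') {
        /* Short name: ends at the GNU '/' terminator or at padding spaces. */
        size_t n = 0;
        while (n < 16 && field[n] != '/' && field[n] != ' ')
            n++;
        char *out = malloc(n + 1);
        if (!out)
            return NULL;
        memcpy(out, field, n);
        out[n] = '\0';
        return out;
    }

    /* Long name: parse N from "/<N>". */
    char *end = NULL;
    errno = 0;
    unsigned long long off = strtoull(field + 1, &end, 10);
    if (errno != 0 || end == field + 1)
        return NULL;

    /* Fix (1): the offset must lie inside the table.  Without this check a
     * crafted "/<N>" makes the caller read, and print, past the end of the
     * heap buffer that holds the table. */
    if (table == NULL || off >= table_len)
        return NULL;

    /* Look for the "/\n" terminator, but only within the table bounds. */
    size_t start = (size_t)off, i = start;
    while (i < table_len && table[i] != '/' && table[i] != '\n')
        i++;
    if (i == table_len)
        return NULL;  /* unterminated entry: reject instead of reading past it */

    /* Fix (2): the copy is sized from untrusted input, so allocate it on the
     * heap and check for NULL; an oversized alloca would fault the stack with
     * no way to detect that beforehand. */
    size_t len = i - start;
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, table + start, len);
    out[len] = '\0';
    return out;
}

/* Constructed sample "//" table: two entries, 33 bytes without the NUL. */
static const char SAMPLE_TABLE[] = "libfoo.so.1/\nverylongfilename.o/\n";
#define SAMPLE_TABLE_LEN (sizeof(SAMPLE_TABLE) - 1)

/* Pad `s` to a 16-byte ar_name field, resolve it against SAMPLE_TABLE and
 * return 1 when the result equals `expect` (expect == NULL means "must be
 * rejected"), otherwise 0. */
int resolve_matches(const char *s, const char *expect)
{
    char field[16];
    size_t n = strlen(s);
    memset(field, ' ', sizeof field);
    memcpy(field, s, n < 16 ? n : 16);

    char *got = ar_resolve_name(field, SAMPLE_TABLE, SAMPLE_TABLE_LEN);
    int ok = got ? (expect != NULL && strcmp(got, expect) == 0) : (expect == NULL);
    free(got);
    return ok;
}

/* A table whose last entry lacks its "/\n" terminator must be rejected. */
int rejects_unterminated_table(void)
{
    static const char truncated[] = "libfoo.so.1";  /* constructed, no terminator */
    char field[16];
    memset(field, ' ', sizeof field);
    field[0] = '/';
    field[1] = '0';
    char *got = ar_resolve_name(field, truncated, sizeof(truncated) - 1);
    int rejected = (got == NULL);
    free(got);
    return rejected;
}

int main(void)
{
    printf("/0            -> %s\n", resolve_matches("/0", "libfoo.so.1") ? "libfoo.so.1" : "FAIL");
    printf("/13           -> %s\n", resolve_matches("/13", "verylongfilename.o") ? "verylongfilename.o" : "FAIL");
    printf("/33           -> %s\n", resolve_matches("/33", NULL) ? "rejected" : "FAIL");
    printf("/99999999999  -> %s\n", resolve_matches("/99999999999", NULL) ? "rejected" : "FAIL");
    printf("truncated tbl -> %s\n", rejects_unterminated_table() ? "rejected" : "FAIL");
    return 0;
}
```

The offset check covers the heap-buffer-overflow and the SEGV from the report (both reach snprintf from paxinc.c:126 with a pointer derived from the offset); the terminator scan stops at table_len so a table whose last entry is cut off cannot push the read past the buffer either. Rejecting with NULL leaves the caller free to diagnose the archive and exit, which is the behaviour the first commit message asks for.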
Some of the crashes were the same as bug 890577.