Created attachment 848303 [details]
testcase+log

A crafted ELF file causes a memory WRITE issue:

$ scanmacho -Aa 445.crashes.elf
==3090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000000f at pc 0x555555641071 bp 0x7fffffffd970 sp 0x7fffffffd968
WRITE of size 1 at 0x60200000000f thread T0
    #0 0x555555641070 in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:96:20
    #1 0x55555563d623 in scanmacho_archive /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:430:14
    #2 0x55555563d623 in scanmacho_file /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:476:3
    #3 0x55555563c811 in scanmacho_dir /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:500:10
    #4 0x55555563ba60 in parseargs /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:803:9
    #5 0x55555563ba60 in main /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:816:8
    #6 0x7ffff7d0e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7ffff7d0e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #8 0x555555578610 in _start (/usr/bin/scanmacho+0x24610)

Testcase and complete log attached as a zip
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=5b5556d12b96dd2d420e0d66456f1935668b3984

commit 5b5556d12b96dd2d420e0d66456f1935668b3984
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-25 04:33:40 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2024-01-25 04:33:40 +0000

    ar: handle invalid ascii numbers better

    The atoi helper handles signed 32-bit integers, and expects the input
    strings to be NUL terminated. Some of the fields are larger than what
    signed 32-bit can handle, and none of them are NUL terminated. The code
    currently works because it stops processing once it reaches text that
    is not numeric, and the content that follows each field is always
    non-numeric (e.g. a space).

    Add a helper function that leverages strtoll as all of the fields can
    fit into a signed 64-bit number. If the number is invalid, flag it as
    such, and normalize it to 0 so the rest of the code can continue on.

    Bug: https://bugs.gentoo.org/890577
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 paxinc.c | 53 +++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 45 insertions(+), 8 deletions(-)
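To make the commit message concrete: classic ar member headers carry fixed-width, space-padded decimal fields that are not NUL terminated, so calling atoi() directly on one reads past the field and silently truncates anything beyond 32 bits. The example below is added here and is not pax-utils' code (the helper names ar_parse_num, sample_member_size and set_field are mine, and the sample header is constructed); it shows a bounded strtoll-based parser in the spirit the commit describes: copy the field into a NUL-terminated buffer, require plain digits followed only by padding, and return 0 with an invalid flag when the field is malformed. The field layout follows the classic <ar.h> header.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields of a classic ar member header, as laid out in <ar.h>: fixed width,
 * space padded, and NOT NUL terminated. (Struct name is ours.) */
struct ar_hdr_fields {
	char ar_name[16];
	char ar_date[12];
	char ar_uid[6];
	char ar_gid[6];
	char ar_mode[8];
	char ar_size[10];
	char ar_fmag[2];   /* always "`\n" */
};

struct ar_num {
	long long val;     /* parsed value, normalized to 0 when !ok */
	bool ok;           /* false if the field was not a clean decimal number */
};

/* Parse a fixed-width decimal field without reading past its end. */
struct ar_num ar_parse_num(const char *field, size_t len)
{
	struct ar_num out = { 0, false };
	char buf[32];      /* larger than any ar field; copy guarantees a NUL */
	char *end;

	if (len == 0 || len >= sizeof(buf))
		return out;
	memcpy(buf, field, len);
	buf[len] = '\0';

	/* ar fields are bare digits; strtoll alone would accept " -1". */
	if (buf[0] < '0' || buf[0] > '9')
		return out;

	errno = 0;
	long long val = strtoll(buf, &end, 10);
	if (errno == ERANGE || end == buf)
		return out;

	/* Whatever follows the digits must be the space padding only. */
	for (; *end; end++)
		if (*end != ' ')
			return out;

	out.val = val;
	out.ok = true;
	return out;
}

/* Fill one header field with text, space padded, no NUL (constructed data). */
static void set_field(char *dst, size_t len, const char *text)
{
	size_t n = strlen(text);
	memset(dst, ' ', len);
	memcpy(dst, text, n < len ? n : len);
}

/* Build a constructed header and parse its size field; -1 if invalid. */
long long sample_member_size(void)
{
	struct ar_hdr_fields h;
	set_field(h.ar_name, sizeof h.ar_name, "libfoo.o/");
	set_field(h.ar_date, sizeof h.ar_date, "1700000000");
	set_field(h.ar_uid,  sizeof h.ar_uid,  "0");
	set_field(h.ar_gid,  sizeof h.ar_gid,  "0");
	set_field(h.ar_mode, sizeof h.ar_mode, "100644");
	set_field(h.ar_size, sizeof h.ar_size, "4096");
	memcpy(h.ar_fmag, "`\n", 2);

	struct ar_num n = ar_parse_num(h.ar_size, sizeof h.ar_size);
	return n.ok ? n.val : -1;
}

int main(void)
{
	/* Constructed samples: valid, >32-bit, trailing garbage, negative. */
	const char *samples[] = { "1234      ", "999999999999", "12ab      ", "-5        " };
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		struct ar_num n = ar_parse_num(samples[i], strlen(samples[i]));
		printf("%-14s -> %s %lld\n", samples[i], n.ok ? "ok     " : "INVALID", n.val);
	}
	printf("constructed header size: %lld\n", sample_member_size());
	return 0;
}
```

The caller always receives a value it can keep using (0 on failure), which matches the "normalize it to 0 so the rest of the code can continue on" approach; the ok flag is what lets a tool report the archive as malformed instead of trusting a field that came from the file.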
Are there any objections to requesting a CVE?
pax-utils enables decent seccomp filters on itself, and all the tools are almost entirely read-only tools (scanelf has a --fix option for a limited set of things), so the best you could hope for is a DoS. you aren't getting arbitrary code exec here, and def not forking+execing other programs.

which is to say, i could not care less about CVEs about any read-out-of-bounds crash. i won't stop you from requesting CVEs if you want some public credit for your resume or something. NB: i don't mean this disparagingly -- recognition of contributions is important, and this sort of thing can help in the professional world.

i can update the docs to provide this info.
No fixed version in tree, dropping version from summary. Maintainers, please make a fixed release or backport the patch.
(In reply to SpanKY from comment #3)
> pax-utils enable decent seccomp filters on itself, and all the tools are
> almost entirely read-only tools (scanelf has a --fix option for a limited
> set of things), so the best you could hope for is a DoS. you aren't getting
> arbitrary codeexec here, and def not forking+execing other programs.
>
> which is to say, i could not care less about CVE's about any
> read-out-of-bounds crash. i won't stop you from requesting CVEs if you want
> some public credit for your resume or something. NB: i don't mean this
> disparagingly -- recognition of contributions is important, and this sort of
> thing can help in the professional world.
>
> i can update the docs to provide this info.

I somehow missed that comment. pax-utils is widely used in other (release) distros, so getting a CVE (when needed, obviously) ensures that the issue will get more visibility, so people will decide if they want to backport this/those patches.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c

commit 9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-22 04:38:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-22 04:40:13 +0000

    app-misc/pax-utils: add 1.3.8

    Aliaksei Urbanski (1):
          Fix fuzz-dumpelf test

    Daniel Verkamp (1):
          lddtree: use readlink -f for absolute links

    David Riley (1):
          lddtree: Add --wrapper-preload

    Frederic Cambus (2):
          lddtree: allow lddtree.sh to find Xenocara libraries on OpenBSD.
          README: fix typo: s/peforming/performing.

    George Burgess IV (1):
          lddtree: add LD_ARGV0_REL

    Mathias Krause (4):
          seccomp: make socket() fail with -ENOSYS
          tests: add basic pspax test
          pspax: fix libcap memory leaks
          meson: avoid using replace() to not unnecessarily bump meson >= 0.58.0

    Mike Frysinger (45):
          Revert "paxinc: include <alloca.h> for alloca"
          lddtree: add docstring for all classes
          pylintrc: remove old entries
          github: update to checkout@v3
          lddtree: use f-string in warn message
          lddtree: fix argcomplete typing
          elf.h: pull from latest glibc
          update copyright headers
          dumpelf: use explicit 64-bit to display off_t
          github: disable fuzzing on macOS
          github: update to checkout@v4
          lddtree: use older Python typing style
          lddtree: disable pyelftools pylint import errors
          lddtree: disable mypy import errors
          lddtree: add some more typing info for mypy
          github: add python checkers
          lddtree: raise min version to Python 3.8
          pyproject.toml: add black & isort & mypy settings
          pylintrc: merge into pyproject.toml
          requirements: pin(ish) Python deps that we use to check things
          drop old __BOUNDS_CHECKING_ON support
          fix various typos found w/codespell
          github: add codespell checker
          build: use standard config.h naming
          build: use standard HAVE_xxx define style
          pspax: rework & document get_proc_name
          pspax: replace proc_fopen with fopenat_r
          pspax: fix buffer limiting in cmdline reading
          pspax: fix error handling when reading attr or ipaddr fail
          pspax: switch from fgets to getline
          unify usage() output across all the tools
          ar: handle invalid ascii numbers better
          ar: handle invalid extended filename offsets
          ar: switch from alloca to malloc
          scanelf: fix hashtable overflow checks
          README: update macOS name
          paxelf: reject ELFs with incomplete Ehdr structures
          dumpelf: free elf after fuzzing it to avoid leaking
          sanitizer: fix feature tests under clang
          dumpelf: check dyn pointer before DT_NULL check too
          dumpelf: improve note memory check
          dumpelf: limit note name display
          fuzz-ar: fuzzer for the archive parsing API
          fuzz-dumpelf: fix stats argument
          fuzzer: fix unused setting on argc & argv

    Mike Gilbert (1):
          make-seccomp-filters.sh: split cflags/ldflags for libseccomp

    Sam James (10):
          Make headers standalone (missing includes, prep for clang-tidy)
          *: IWYU fixes
          *: IWYU fixes deux
          .github: add Alpine CI
          Undo IWYU fixes
          paxinc: include <alloca.h> for alloca
          porting.h: include <stddef.h> for size_t, sort includes
          ci: make tests verbose
          meson.build: prepare for pax-utils-1.3.8
          CI: update muon URL

    Takuto Ikuta (1):
          lddtree: keep relativeness of invoked program in elf wrapper

    Zach van Rijn (1):
          paxelf: use correct format string

    Bug: https://bugs.gentoo.org/890028
    Bug: https://bugs.gentoo.org/890577
    Bug: https://bugs.gentoo.org/890579
    Bug: https://bugs.gentoo.org/922906
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/pax-utils/Manifest               |  1 +
 app-misc/pax-utils/pax-utils-1.3.8.ebuild | 77 +++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)