Bug 890579 - <=app-misc/pax-utils-1.3.7: scanmacho multiple crashes from fuzzing
Summary: <=app-misc/pax-utils-1.3.7: scanmacho multiple crashes from fuzzing
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-12 07:33 UTC by Agostino Sarubbo
Modified: 2024-09-22 04:40 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
testcases+logs (scanmacho.zip,4.47 KB, application/zip)
2023-01-12 07:33 UTC, Agostino Sarubbo

Description Agostino Sarubbo gentoo-dev 2023-01-12 07:33:32 UTC
Created attachment 848305 [details]
testcases+logs

In addition to bug 890577 I found multiple crashes that are not considered security issues at all.

1) Infinite recursion (stack-overflow)
$ scanmacho -Aa 1.crashes.elf
=================================================================
==44066==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa6f0c0d8 (pc 0x555555640e7e bp 0x7fffffffda10 sp 0x7fffa6f0c0e0 T0)
    #0 0x555555640e7e in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:112:8
    #1 0x55555563d73a in scanmacho_archive /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:430:14
    #2 0x55555563d73a in scanmacho_file /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:476:3
    #3 0x55555563c811 in scanmacho_dir /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:500:10
    #4 0x55555563ba60 in parseargs /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:803:9
    #5 0x55555563ba60 in main /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:816:8
    #6 0x7ffff7d0e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7ffff7d0e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #8 0x555555578610 in _start (/usr/bin/scanmacho+0x24610)


2) heap-overflow in ar_next (maybe from the same cause as bug 890577)
$ scanmacho -Aa 2.crashes.elf
=================================================================
==51266==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000d3 at pc 0x55555559b681 bp 0x7fffffffd010 sp 0x7fffffffc798
READ of size 1 at 0x6030000000d3 thread T0
    #0 0x55555559b680 in printf_common(void*, char const*, __va_list_tag*) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:553:9
    #1 0x55555559cfa0 in __interceptor_snprintf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1817:1
    #2 0x555555640d0d in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:126:2
    #3 0x55555563d73a in scanmacho_archive /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:430:14
    #4 0x55555563d73a in scanmacho_file /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:476:3
    #5 0x55555563c811 in scanmacho_dir /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:500:10
    #6 0x55555563ba60 in parseargs /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:803:9
    #7 0x55555563ba60 in main /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:816:8
    #8 0x7ffff7d0e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7ffff7d0e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #10 0x555555578610 in _start (/usr/bin/scanmacho+0x24610)

3) invalid memory read in ar_next (maybe from the same cause as bug 890577)
$ scanmacho -Aa 5.crashes.elf
=================================================================
==56456==ERROR: AddressSanitizer: SEGV on unknown address 0x6020595b63a6 (pc 0x5555556146a0 bp 0x7fffffffcf70 sp 0x7fffffffc6e8 T0)
==56456==The signal is caused by a READ memory access.
    #0 0x5555556146a0 in __sanitizer::internal_strlen(char const*) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp:167:10
    #1 0x55555559b550 in printf_common(void*, char const*, __va_list_tag*) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:551:18
    #2 0x55555559b888 in __interceptor_vsnprintf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1746:1
    #3 0x55555559cfa0 in __interceptor_snprintf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.6/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1817:1
    #4 0x555555640d0d in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:126:2
    #5 0x555555640f34 in ar_next /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/paxinc.c:101:10
    #6 0x55555563d623 in scanmacho_archive /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:430:14
    #7 0x55555563d623 in scanmacho_file /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:476:3
    #8 0x55555563c811 in scanmacho_dir /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:500:10
    #9 0x55555563ba60 in parseargs /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:803:9
    #10 0x55555563ba60 in main /var/tmp/portage/app-misc/pax-utils-1.3.6-r1/work/pax-utils-1.3.6-build/../pax-utils-1.3.6/scanmacho.c:816:8
    #11 0x7ffff7d0e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7ffff7d0e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r5/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #13 0x555555578610 in _start (/usr/bin/scanmacho+0x24610)


Complete logs and testcases attached as a zip
Comment 1 Larry the Git Cow gentoo-dev 2024-01-25 05:06:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=77bf161b55dbf340f4498ad26eef3fd7a0dfbcdc

commit 77bf161b55dbf340f4498ad26eef3fd7a0dfbcdc
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-25 05:02:51 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2024-01-25 05:02:51 +0000

    ar: switch from alloca to malloc
    
    If alloca allocates too much stack space, program behavior is undefined,
    and basically we segfault.  There is no way to check whether this will
    happen ahead of time, so our only choice is to switch to malloc.  If we
    try to allocate too much memory from the heap, we'll get a NULL pointer,
    and we can diagnose & exit ourselves.  Kind of sucks as alloca was a
    perfect fit here, but since the size is coming directly from user input,
    we can't trust it is always "reasonable".
    
    Bug: https://bugs.gentoo.org/890579
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 meson.build | 1 -
 paxinc.c    | 5 ++++-
 porting.h   | 3 ---
 3 files changed, 4 insertions(+), 5 deletions(-)

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=f2af478770a5a4a3f69ab64f1b5e17c8f7a17050

commit f2af478770a5a4a3f69ab64f1b5e17c8f7a17050
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-25 04:58:06 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2024-01-25 04:58:06 +0000

    ar: handle invalid extended filename offsets
    
    Check the extended filename offset doesn't exceed the size of the
    extended filename section.
    
    Bug: https://bugs.gentoo.org/890579
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 paxinc.c | 10 ++++++++--
 paxinc.h |  1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
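The two hardening steps described in the commit messages above (checking an extended filename offset against the size of the "//" table before it is dereferenced, and taking the name buffer from malloc instead of alloca so a bad size fails cleanly), as an added example that is not pax-utils' own code: `struct ar_state`, `ar_resolve_name`, `ar_name_matches` and the sample long-name table are all constructed here.

```c
#include <stdlib.h>
#include <string.h>

/* GNU ar "//" long-name table, loaded by the caller before members are walked. */
struct ar_state { const char *longnames; size_t longnames_len; };

/* Resolve the 16-byte name field of an ar member header.  Long names are stored
   as "/<decimal offset>" into the "//" table; the offset is checked against the
   table size first.  Returns a malloc'd string (caller frees) or NULL if invalid. */
char *ar_resolve_name(const struct ar_state *st, const char name[16])
{
    const char *src = name;
    size_t len = 0;
    if (name[0] == '/') {
        if (name[1] < '0' || name[1] > '9')
            return NULL;                       /* "/" or "//": not a file member */
        char numbuf[16];                       /* name[] is not NUL-terminated */
        memcpy(numbuf, name + 1, 15);
        numbuf[15] = '\0';
        char *end;
        unsigned long off = strtoul(numbuf, &end, 10);
        if (end == numbuf || st->longnames == NULL || off >= st->longnames_len)
            return NULL;                       /* no number, or offset outside the table */
        src = st->longnames + off;
        size_t max = st->longnames_len - off;  /* never read past the table */
        const char *slash = memchr(src, '/', max);
        len = slash ? (size_t)(slash - src) : max;
    } else {
        while (len < 16 && name[len] != '/' && name[len] != ' ')
            len++;                             /* short name ends at '/' or ' ' */
    }
    /* malloc rather than alloca: len comes from the file, and a failed malloc
       returns NULL instead of silently overrunning the stack. */
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, src, len);
    out[len] = '\0';
    return out;
}

/* Constructed sample table plus a check helper (1 = resolved as expected). */
static const char sample_longnames[] = "averylongmembername.o/\nother.o/\n";
static const struct ar_state sample_state = { sample_longnames, sizeof(sample_longnames) - 1 };
int ar_name_matches(const char name[16], const char *expected)
{
    char *got = ar_resolve_name(&sample_state, name);
    int ok = got ? (expected && strcmp(got, expected) == 0) : (expected == NULL);
    free(got);
    return ok;
}
```

An offset such as `/999` into a 32-byte table is rejected before any read, which is the class of input behind the ar_next reports in this bug.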
Comment 2 SpanKY gentoo-dev 2024-01-25 05:06:39 UTC
some of the crashes were the same as bug 890577
Comment 3 Larry the Git Cow gentoo-dev 2024-09-22 04:40:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c

commit 9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-22 04:38:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-22 04:40:13 +0000

    app-misc/pax-utils: add 1.3.8
    
    Aliaksei Urbanski (1):
          Fix fuzz-dumpelf test
    
    Daniel Verkamp (1):
          lddtree: use readlink -f for absolute links
    
    David Riley (1):
          lddtree: Add --wrapper-preload
    
    Frederic Cambus (2):
          lddtree: allow lddtree.sh to find Xenocara libraries on OpenBSD.
          README: fix typo: s/peforming/performing.
    
    George Burgess IV (1):
          lddtree: add LD_ARGV0_REL
    
    Mathias Krause (4):
          seccomp: make socket() fail with -ENOSYS
          tests: add basic pspax test
          pspax: fix libcap memory leaks
          meson: avoid using replace() to not unnecessarily bump meson >= 0.58.0
    
    Mike Frysinger (45):
          Revert "paxinc: include <alloca.h> for alloca"
          lddtree: add docstring for all classes
          pylintrc: remove old entries
          github: update to checkout@v3
          lddtree: use f-string in warn message
          lddtree: fix argcomplete typing
          elf.h: pull from latest glibc
          update copyright headers
          dumpelf: use explicit 64-bit to display off_t
          github: disable fuzzing on macOS
          github: update to checkout@v4
          lddtree: use older Python typing style
          lddtree: disable pyelftools pylint import errors
          lddtree: disable mypy import errors
          lddtree: add some more typing info for mypy
          github: add python checkers
          lddtree: raise min version to Python 3.8
          pyproject.toml: add black & isort & mypy settings
          pylintrc: merge into pyproject.toml
          requirements: pin(ish) Python deps that we use to check things
          drop old __BOUNDS_CHECKING_ON support
          fix various typos found w/codespell
          github: add codespell checker
          build: use standard config.h naming
          build: use standard HAVE_xxx define style
          pspax: rework & document get_proc_name
          pspax: replace proc_fopen with fopenat_r
          pspax: fix buffer limiting in cmdline reading
          pspax: fix error handling when reading attr or ipaddr fail
          pspax: switch from fgets to getline
          unify usage() output across all the tools
          ar: handle invalid ascii numbers better
          ar: handle invalid extended filename offsets
          ar: switch from alloca to malloc
          scanelf: fix hashtable overflow checks
          README: update macOS name
          paxelf: reject ELFs with incomplete Ehdr structures
          dumpelf: free elf after fuzzing it to avoid leaking
          sanitizer: fix feature tests under clang
          dumpelf: check dyn pointer before DT_NULL check too
          dumpelf: improve note memory check
          dumpelf: limit note name display
          fuzz-ar: fuzzer for the archive parsing API
          fuzz-dumpelf: fix stats argument
          fuzzer: fix unused setting on argc & argv
    
    Mike Gilbert (1):
          make-seccomp-filters.sh: split cflags/ldflags for libseccomp
    
    Sam James (10):
          Make headers standalone (missing includes, prep for clang-tidy)
          *: IWYU fixes
          *: IWYU fixes deux
          .github: add Alpine CI
          Undo IWYU fixes
          paxinc: include <alloca.h> for alloca
          porting.h: include <stddef.h> for size_t, sort includes
          ci: make tests verbose
          meson.build: prepare for pax-utils-1.3.8
          CI: update muon URL
    
    Takuto Ikuta (1):
          lddtree: keep relativeness of invoked program in elf wrapper
    
    Zach van Rijn (1):
          paxelf: use correct format string
    
    Bug: https://bugs.gentoo.org/890028
    Bug: https://bugs.gentoo.org/890577
    Bug: https://bugs.gentoo.org/890579
    Bug: https://bugs.gentoo.org/922906
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/pax-utils/Manifest               |  1 +
 app-misc/pax-utils/pax-utils-1.3.8.ebuild | 77 +++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)