Bug 100568

Summary: Read overflow in test/corrupt.c
Product: dbus Reporter: Yury Gribov <tetra2005>
Component: coreAssignee: D-Bus Maintainers <dbus>
Status: RESOLVED FIXED QA Contact: D-Bus Maintainers <dbus>
Severity: minor    
Priority: medium CC: bugzilla
Version: 1.10Keywords: patch
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard: review+
i915 platform: i915 features:
Attachments: test: Fix reading off the end of an array in test-corrupt
test: Fix a couple of memory leaks in test-corrupt

Description Yury Gribov 2017-04-04 20:11:41 UTC 
There's a harmless read overflow in test_byte_order in test/corrupt.c:

  const gchar *arg = not_a_dbus_message;
  const gchar * const *args = &arg;
  ...
  /* Append 0xFF bytes, so that the length of the body when byte-swapped
   * is 0xFF000000, which is invalid */
  mem = dbus_message_append_args (message,
      DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &args, 0xFF,
      DBUS_TYPE_INVALID);

reads 255 bytes from memory addressed by 'args', even though it's only valid to read 8 (== sizeof(arg)).

This has been found with Asan when building dbus via debian_pkg_test (https://github.com/yugr/debian_pkg_test). The bug was found in 1.10.6 but I see the offending code is the same in master.

Asan's report is

==17105==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe89540648 at pc 0x7fcfce851ab3 bp 0x7ffe89540020 sp 0x7ffe8953f7c8
READ of size 255 at 0x7ffe89540648 thread T0
    #0 0x7fcfce851ab2 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x64ab2)
    #1 0x7fcfce330c54 in copy ../../dbus/dbus-string.c:1219
    #2 0x7fcfce328080 in marshal_1_octets_array ../../dbus/dbus-marshal-basic.c:868
    #3 0x7fcfce328080 in _dbus_marshal_write_fixed_multi ../../dbus/dbus-marshal-basic.c:1041
    #4 0x7fcfce2d9dca in _dbus_type_writer_write_fixed_multi ../../dbus/dbus-marshal-recursive.c:2379
    #5 0x7fcfce2e594f in dbus_message_append_args_valist ../../dbus/dbus-message.c:1874
    #6 0x7fcfce2e6182 in dbus_message_append_args ../../dbus/dbus-message.c:1802
    #7 0x557893fb4ddf in test_byte_order ../../test/corrupt.c:285
    #8 0x7fcfcd9da7da  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f7da)
    #9 0x7fcfcd9da9a2  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f9a2)
    #10 0x7fcfcd9da9a2  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f9a2)
    #11 0x7fcfcd9dabad in g_test_run_suite (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6fbad)
    #12 0x7fcfcd9dabd0 in g_test_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6fbd0)
    #13 0x557893fb3cd7 in main ../../test/corrupt.c:395
    #14 0x7fcfcd5c282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x557893fb3dd8 in _start (/build/dbus-1.10.6/build-debug/test/.libs/lt-test-corrupt+0x7dd8)

Address 0x7ffe89540648 is located in stack of thread T0 at offset 296 in frame
    #0 0x557893fb4c8f in test_byte_order ../../test/corrupt.c:268
    
  This frame has 6 object(s):
    [32, 36) 'fd'
    [96, 100) 'blob_len'
    [160, 168) 'gerror'
    [224, 232) 'blob' 
    [288, 296) 'arg'
    [352, 360) 'args' <== Memory access at offset 296 partially underflows this variable
Comment 1 Philip Withnall 2017-04-05 10:36:41 UTC 
Created attachment 130686 [details] [review]
test: Fix reading off the end of an array in test-corrupt

One level of pointer indirection too many when passing the arguments to
dbus_message_append_args().

https://bugs.freedesktop.org/show_bug.cgi?id=100568

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Comment 2 Philip Withnall 2017-04-05 10:36:44 UTC 
Created attachment 130687 [details] [review]
test: Fix a couple of memory leaks in test-corrupt

Spotted while testing bug #100568.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Comment 3 Simon McVittie 2017-04-05 10:49:04 UTC 
Patches look good, thanks.
Comment 4 Simon McVittie 2017-04-07 10:29:50 UTC 
Fixed in 1.10.18, and in git master for 1.11.12.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.