There's a harmless read overflow in test_byte_order in test/corrupt.c: const gchar *arg = not_a_dbus_message; const gchar * const *args = &arg; ... /* Append 0xFF bytes, so that the length of the body when byte-swapped * is 0xFF000000, which is invalid */ mem = dbus_message_append_args (message, DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &args, 0xFF, DBUS_TYPE_INVALID); reads 255 bytes from memory addressed by 'args', even though it's only valid to read 8 (== sizeof(arg)). This has been found with Asan when building dbus via debian_pkg_test (https://github.com/yugr/debian_pkg_test). The bug was found in 1.10.6 but I see the offending code is the same in master. Asan's report is ==17105==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe89540648 at pc 0x7fcfce851ab3 bp 0x7ffe89540020 sp 0x7ffe8953f7c8 READ of size 255 at 0x7ffe89540648 thread T0 #0 0x7fcfce851ab2 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x64ab2) #1 0x7fcfce330c54 in copy ../../dbus/dbus-string.c:1219 #2 0x7fcfce328080 in marshal_1_octets_array ../../dbus/dbus-marshal-basic.c:868 #3 0x7fcfce328080 in _dbus_marshal_write_fixed_multi ../../dbus/dbus-marshal-basic.c:1041 #4 0x7fcfce2d9dca in _dbus_type_writer_write_fixed_multi ../../dbus/dbus-marshal-recursive.c:2379 #5 0x7fcfce2e594f in dbus_message_append_args_valist ../../dbus/dbus-message.c:1874 #6 0x7fcfce2e6182 in dbus_message_append_args ../../dbus/dbus-message.c:1802 #7 0x557893fb4ddf in test_byte_order ../../test/corrupt.c:285 #8 0x7fcfcd9da7da (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f7da) #9 0x7fcfcd9da9a2 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f9a2) #10 0x7fcfcd9da9a2 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f9a2) #11 0x7fcfcd9dabad in g_test_run_suite (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6fbad) #12 0x7fcfcd9dabd0 in g_test_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6fbd0) #13 0x557893fb3cd7 in main ../../test/corrupt.c:395 #14 0x7fcfcd5c282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #15 0x557893fb3dd8 in _start (/build/dbus-1.10.6/build-debug/test/.libs/lt-test-corrupt+0x7dd8) Address 0x7ffe89540648 is located in stack of thread T0 at offset 296 in frame #0 0x557893fb4c8f in test_byte_order ../../test/corrupt.c:268 This frame has 6 object(s): [32, 36) 'fd' [96, 100) 'blob_len' [160, 168) 'gerror' [224, 232) 'blob' [288, 296) 'arg' [352, 360) 'args' <== Memory access at offset 296 partially underflows this variable
Created attachment 130686 [details] [review] test: Fix reading off the end of an array in test-corrupt One level of pointer indirection too many when passing the arguments to dbus_message_append_args(). https://bugs.freedesktop.org/show_bug.cgi?id=100568 Signed-off-by: Philip Withnall <withnall@endlessm.com>
Created attachment 130687 [details] [review] test: Fix a couple of memory leaks in test-corrupt Spotted while testing bug #100568. Signed-off-by: Philip Withnall <withnall@endlessm.com>
Patches look good, thanks.
Fixed in 1.10.18, and in git master for 1.11.12.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.