[Bug 13113] New: receive_xattr heap overflow when prepending RSYNC_PREFIX

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[Bug 13113] New: receive_xattr heap overflow when prepending RSYNC_PREFIX

Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=13113

            Bug ID: 13113
           Summary: receive_xattr heap overflow when prepending
                    RSYNC_PREFIX
           Product: rsync
           Version: 3.1.3
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]

Created attachment 13745
  --> https://bugzilla.samba.org/attachment.cgi?id=13745&action=edit
change MIGHT_NEED_RPRE to am_root <= 0

$ ./rsync -v
rsync  version 3.1.3dev  protocol version 31

I've built with HAVE_LINUX_XATTRS
I'm running rsyncd as a non root user.

the args I'm sending rsyncd when connecting are
 {"--server", "--filter", "+x jk", "-X", ".", ".", "\0"};
code snippets are from xattrs.c

in receive_xattr a name is read from the sender. The name might need to be
prefixed depending on am_root. To make room for this prefix extra_len is
possibly allocated.

 818         size_t extra_len = MIGHT_NEED_RPRE ? RPRE_LEN : 0;

 822         ptr = new_array(char, dget_len + extra_len + name_len); <-- the
length values are received from the sender. In this case I'm sending dget_len =
0

  61 #ifdef HAVE_LINUX_XATTRS
  62 #define MIGHT_NEED_RPRE (am_root < 0)

The issue is that am_root < 0 isn't the only time that a prefix might be
prepended to name. If we're running as a normal user (am_root == 0) and the
sender has sent a filter with an xattr filter then the prefix will also be
prepended.

 840 #ifdef HAVE_LINUX_XATTRS
 841         /* Non-root can only save the user namespace. */
 842         if (am_root <= 0 && !HAS_PREFIX(name, USER_PREFIX)) {
 843             if (!am_root && !saw_xattr_filter) {
 844                 free(ptr);
 845                 continue;
 846             }
 847             name -= RPRE_LEN;
 848             name_len += RPRE_LEN;
 849             memcpy(name, RSYNC_PREFIX, RPRE_LEN);
 850             need_sort = 1;
 851         }

Since there wasn't any extra_len allocated name -= RPRE_LEN can point before
the buffer causing a heap overwrite.

The patch I've attached changes MIGHT_NEED_RPRE (am_root <= 0) since the only
time we might add a prefix is when we're not root.

ASan output:
=================================================================
==12012==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000e825 at pc 0x7ffff6ef8864 bp 0x7fffffff9b50 sp 0x7fffffff92f8
WRITE of size 11 at 0x60200000e825 thread T0
    #0 0x7ffff6ef8863 in __asan_memcpy
(/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x8c863)
    #1 0x4a2eef in receive_xattr /home/raj/rsync/rsync/xattrs.c:849
    #2 0x40beac in recv_file_entry /home/raj/rsync/rsync/flist.c:1108
    #3 0x415bee in recv_file_list /home/raj/rsync/rsync/flist.c:2476
    #4 0x454eaa in do_server_recv /home/raj/rsync/rsync/main.c:1036
    #5 0x4556f4 in start_server /home/raj/rsync/rsync/main.c:1115
    #6 0x4b20f9 in rsync_module /home/raj/rsync/rsync/clientserver.c:1007
    #7 0x4b2b18 in start_daemon /home/raj/rsync/rsync/clientserver.c:1135
    #8 0x48f636 in start_accept_loop /home/raj/rsync/rsync/socket.c:618
    #9 0x4b32d9 in daemon_main /home/raj/rsync/rsync/clientserver.c:1237
    #10 0x458318 in main /home/raj/rsync/rsync/main.c:1630
    #11 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f)
    #12 0x4047c8 in _start (/home/raj/rsync/asan/bin/rsync+0x4047c8)

0x60200000e825 is located 11 bytes to the left of 3-byte region
[0x60200000e830,0x60200000e833)
allocated by thread T0 here:
    #0 0x7ffff6f04572 in malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x98572)
    #1 0x44e48b in _new_array /home/raj/rsync/rsync/util2.c:68
    #2 0x4a2c66 in receive_xattr /home/raj/rsync/rsync/xattrs.c:822
    #3 0x40beac in recv_file_entry /home/raj/rsync/rsync/flist.c:1108
    #4 0x415bee in recv_file_list /home/raj/rsync/rsync/flist.c:2476
    #5 0x454eaa in do_server_recv /home/raj/rsync/rsync/main.c:1036
    #6 0x4556f4 in start_server /home/raj/rsync/rsync/main.c:1115
    #7 0x4b20f9 in rsync_module /home/raj/rsync/rsync/clientserver.c:1007
    #8 0x4b2b18 in start_daemon /home/raj/rsync/rsync/clientserver.c:1135
    #9 0x48f636 in start_accept_loop /home/raj/rsync/rsync/socket.c:618
    #10 0x4b32d9 in daemon_main /home/raj/rsync/rsync/clientserver.c:1237
    #11 0x458318 in main /home/raj/rsync/rsync/main.c:1630
    #12 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d00: fa fa fa fa[fa]fa 03 fa fa fa 04 fa fa fa 00 07
  0x0c047fff9d10: fa fa fd fd fa fa 02 fa fa fa 02 fa fa fa 00 01
  0x0c047fff9d20: fa fa 03 fa fa fa 06 fa fa fa 00 01 fa fa 06 fa
  0x0c047fff9d30: fa fa 00 01 fa fa 06 fa fa fa fd fd fa fa fd fa
  0x0c047fff9d40: fa fa 00 01 fa fa fd fa fa fa fd fa fa fa 00 01
  0x0c047fff9d50: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==12012==ABORTING

--
You are receiving this mail because:
You are the QA Contact for the bug.

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html