Discussion:
[PATCH] time_rz: fix heap buffer overflow vulnerability
(too old to reply)
Pádraig Brady
2017-04-27 03:35:44 UTC
Permalink
Raw Message
This issue has been assigned CVE-2017-7476 and was
detected with American Fuzzy Lop 2.41b run on the
coreutils date(1) program with ASAN enabled.

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x...
WRITE of size 8 at 0x60d00000cff8 thread T0
#1 0x443020 in extend_abbrs lib/time_rz.c:88
#2 0x443356 in save_abbr lib/time_rz.c:155
#3 0x44393f in localtime_rz lib/time_rz.c:290
#4 0x41e4fe in parse_datetime2 lib/parse-datetime.y:1798

A minimized reproducer is the following 120 byte TZ value,
which goes beyond the value of ABBR_SIZE_MIN (119) on x86_64.
Extend the aa...b portion to overwrite more of the heap.

date -d $(printf 'TZ="aaa%020daaaaaab%089d"')

localtime_rz and mktime_z were affected since commit 4bc76593.
parse_datetime was affected since commit 4e6e16b3f.

* lib/time_rz.c (save_abbr): Rearrange the calculation determining
whether there is enough buffer space available. The rearrangement
ensures we're only dealing with positive numbers, thus avoiding
the problematic promotion of signed to unsigned causing an invalid
comparison when zone_copy is more than ABBR_SIZE_MIN bytes beyond
the start of the buffer.
* tests/test-parse-datetime.c (main): Add a test case written by
Paul Eggert, which overwrites enough of the heap so that
standard glibc will fail with "free(): invalid pointer"
without the patch applied.
Reported and analyzed at https://bugzilla.redhat.com/1444774
---
ChangeLog | 15 +++++++++++++++
lib/time_rz.c | 15 +++++++++++++--
tests/test-parse-datetime.c | 16 ++++++++++++++++
3 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fd5ec89..314f7d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2017-04-26 Pádraig Brady <***@draigBrady.com>
+ and Paul Eggert <***@cs.ucla.edu>
+
+ time_rz: fix heap buffer overflow vulnerability
+ Reported and analyzed at https://bugzilla.redhat.com/CVE-2017-7476
+ * lib/time_rz.c (save_abbr): Rearrange the calculation determining
+ whether there is enough buffer space available, thus avoiding
+ the problematic promotion of signed to unsigned causing an invalid
+ comparison when zone_copy is more than ABBR_SIZE_MIN bytes beyond
+ the start of the buffer.
+ * tests/test-parse-datetime.c (main): Add a test case written by
+ Paul Eggert, which overwrites enough of the heap so that
+ standard glibc will fail with "free(): invalid pointer"
+ without the patch applied.
+
2017-04-26 Paul Eggert <***@cs.ucla.edu>

xalloc: add missing integer overflow check
diff --git a/lib/time_rz.c b/lib/time_rz.c
index 1b87870..82f3f3f 100644
--- a/lib/time_rz.c
+++ b/lib/time_rz.c
@@ -27,6 +27,7 @@
#include <time.h>

#include <errno.h>
+#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
@@ -35,6 +36,10 @@
#include "flexmember.h"
#include "time-internal.h"

+#ifndef SIZE_MAX
+# define SIZE_MAX ((size_t) -1)
+#endif
+
#if !HAVE_TZSET
static void tzset (void) { }
#endif
@@ -43,7 +48,7 @@ static void tzset (void) { }
the largest "small" request for the GNU C library malloc. */
enum { DEFAULT_MXFAST = 64 * sizeof (size_t) / 4 };

-/* Minimum size of the ABBRS member of struct abbr. ABBRS is larger
+/* Minimum size of the ABBRS member of struct tm_zone. ABBRS is larger
only in the unlikely case where an abbreviation longer than this is
used. */
enum { ABBR_SIZE_MIN = DEFAULT_MXFAST - offsetof (struct tm_zone, abbrs) };
@@ -150,7 +155,13 @@ save_abbr (timezone_t tz, struct tm *tm)
if (! (*zone_copy || (zone_copy == tz->abbrs && tz->tz_is_set)))
{
size_t zone_size = strlen (zone) + 1;
- if (zone_size < tz->abbrs + ABBR_SIZE_MIN - zone_copy)
+ size_t zone_used = zone_copy - tz->abbrs;
+ if (SIZE_MAX - zone_used < zone_size)
+ {
+ errno = ENOMEM;
+ return false;
+ }
+ if (zone_used + zone_size < ABBR_SIZE_MIN)
extend_abbrs (zone_copy, zone, zone_size);
else
{
diff --git a/tests/test-parse-datetime.c b/tests/test-parse-datetime.c
index b42a51c..b6fe457 100644
--- a/tests/test-parse-datetime.c
+++ b/tests/test-parse-datetime.c
@@ -432,5 +432,21 @@ main (int argc _GL_UNUSED, char **argv)
ASSERT ( parse_datetime (&result, "TZ=\"\\\\\"", &now));
ASSERT ( parse_datetime (&result, "TZ=\"\\\"\"", &now));

+ /* Outlandishly-long time zone abbreviations should not cause problems. */
+ {
+ static char const bufprefix[] = "TZ=\"";
+ enum { tzname_len = 2000 };
+ static char const bufsuffix[] = "0\" 1970-01-01 01:02:03.123456789";
+ enum { bufsize = sizeof bufprefix - 1 + tzname_len + sizeof bufsuffix };
+ char buf[bufsize];
+ memcpy (buf, bufprefix, sizeof bufprefix - 1);
+ memset (buf + sizeof bufprefix - 1, 'X', tzname_len);
+ strcpy (buf + bufsize - sizeof bufsuffix, bufsuffix);
+ ASSERT (parse_datetime (&result, buf, &now));
+ LOG (buf, now, result);
+ ASSERT (result.tv_sec == 1 * 60 * 60 + 2 * 60 + 3
+ && result.tv_nsec == 123456789);
+ }
+
return 0;
}
--
2.9.3
Loading...