This service will be undergoing maintenance at 20:00 UTC, 2017-04-03. It is expected to last about 30 minutes
Bug 1260248 - Possible memory error in a 2-byte file
Possible memory error in a 2-byte file
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
rawhide
Unspecified Linux
unspecified Severity urgent
: ---
: ---
Assigned To: packaging-team-maint
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-04 19:57 EDT by Jacek Wielemborek
Modified: 2015-10-23 10:47 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-23 10:47:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jacek Wielemborek 2015-09-04 19:57:58 EDT
Description of problem:

The file with the hex reperesentation of "25 21" behaves strangely when 4.12.0.1 is compiled with ASAN and afl-fuzz under Debian Sid.

Version-Release number of selected component (if applicable):

4.12.0.1

How reproducible:

In my case, 100% of the time.

Steps to Reproduce:
1. Build rpm with -fsanitize=address
2. echo '2521' | xxd -r -p > a.rpm
3. rpm -qlp a.rpm

Actual results:

root@1442a2c3a089:~/o/master/crashes# rpm -qlp id\:000000\,sig\:06\,src\:000093\,op\:havoc\,rep\:4
error: rpmdb: BDB0113 Thread/process 16758/139899090507648 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 -  (-30973)
error: cannot open Packages database in /root/.rpmdb
=================================================================
==635==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000025f3 at pc 0x7fc5e406e9d1 bp 0x7ffca44a3270 sp 0x7ffca44a3268
READ of size 1 at 0x6020000025f3 thread T0
    #0 0x7fc5e406e9d0  (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x239d0)
    #1 0x7fc5e407d7dc in rpmExpand (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x327dc)
    #2 0x7fc5e446bb06  (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x166b06)
    #3 0x7fc5e441c111 in rpmcliArgIter (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x117111)
    #4 0x7fc5e441c434 in rpmcliQuery (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x117434)
    #5 0x402ee4  (/usr/bin/rpm+0x402ee4)
    #6 0x7fc5e3899b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x404513  (/usr/bin/rpm+0x404513)

0x6020000025f3 is located 0 bytes to the right of 3-byte region [0x6020000025f0,0x6020000025f3)
allocated by thread T0 here:
    #0 0x7fc5e47b537a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9437a)
    #1 0x7fc5e40925b0 in rmalloc (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x475b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[03]fa
  0x0c047fff84c0: fa fa 03 fa fa fa 00 00 fa fa 03 fa fa fa fd fd
  0x0c047fff84d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff84e0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff84f0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8500: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==635==ABORTING

Expected results:

ASAN not complaining

Additional info:

Please correct the tags if I got them wrong.
Comment 1 Jacek Wielemborek 2015-09-04 19:59:09 EDT
I meant "built with afl-gcc". You can easily reproduce this bug using github.com/d33tah/aflize docker image and building an aflized version of rpm.
Comment 3 Ľuboš Kardoš 2015-10-23 10:47:00 EDT
Fixed in rpm-4.13.0-0.rc1.7.fc24

Note You need to log in before you can comment on or make changes to this bug.