Bug 1260248 - Possible memory error in a 2-byte file
Summary: Possible memory error in a 2-byte file
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Packaging Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-09-04 23:57 UTC by Jacek Wielemborek
Modified: 2015-10-23 14:47 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-23 14:47:00 UTC


Attachments (Terms of Use)

Description Jacek Wielemborek 2015-09-04 23:57:58 UTC
Description of problem:

The file with the hex reperesentation of "25 21" behaves strangely when 4.12.0.1 is compiled with ASAN and afl-fuzz under Debian Sid.

Version-Release number of selected component (if applicable):

4.12.0.1

How reproducible:

In my case, 100% of the time.

Steps to Reproduce:
1. Build rpm with -fsanitize=address
2. echo '2521' | xxd -r -p > a.rpm
3. rpm -qlp a.rpm

Actual results:

root@1442a2c3a089:~/o/master/crashes# rpm -qlp id\:000000\,sig\:06\,src\:000093\,op\:havoc\,rep\:4
error: rpmdb: BDB0113 Thread/process 16758/139899090507648 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 -  (-30973)
error: cannot open Packages database in /root/.rpmdb
=================================================================
==635==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000025f3 at pc 0x7fc5e406e9d1 bp 0x7ffca44a3270 sp 0x7ffca44a3268
READ of size 1 at 0x6020000025f3 thread T0
    #0 0x7fc5e406e9d0  (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x239d0)
    #1 0x7fc5e407d7dc in rpmExpand (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x327dc)
    #2 0x7fc5e446bb06  (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x166b06)
    #3 0x7fc5e441c111 in rpmcliArgIter (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x117111)
    #4 0x7fc5e441c434 in rpmcliQuery (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x117434)
    #5 0x402ee4  (/usr/bin/rpm+0x402ee4)
    #6 0x7fc5e3899b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x404513  (/usr/bin/rpm+0x404513)

0x6020000025f3 is located 0 bytes to the right of 3-byte region [0x6020000025f0,0x6020000025f3)
allocated by thread T0 here:
    #0 0x7fc5e47b537a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9437a)
    #1 0x7fc5e40925b0 in rmalloc (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x475b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[03]fa
  0x0c047fff84c0: fa fa 03 fa fa fa 00 00 fa fa 03 fa fa fa fd fd
  0x0c047fff84d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff84e0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff84f0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8500: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==635==ABORTING

Expected results:

ASAN not complaining

Additional info:

Please correct the tags if I got them wrong.

Comment 1 Jacek Wielemborek 2015-09-04 23:59:09 UTC
I meant "built with afl-gcc". You can easily reproduce this bug using github.com/d33tah/aflize docker image and building an aflized version of rpm.

Comment 3 Ľuboš Kardoš 2015-10-23 14:47:00 UTC
Fixed in rpm-4.13.0-0.rc1.7.fc24


Note You need to log in before you can comment on or make changes to this bug.