Red Hat Bugzilla – Bug 1300643
keyutils command line parsing error causes out of bounds memory read
Last modified: 2018-02-04 12:45:19 EST
Created attachment 1116893 [details] [patch] fix command line parsing I noticed an out of bounds read access in keyctl when compiling it with address sanitizer (add -fsanitize=address to cflags). I figured out it was the code for parsing the command line, here: for (cmd = commands; cmd->name; cmd++) { if (!cmd->action) continue; if (strlen(cmd->name) > n) continue; if (memcmp(cmd->name, *argv, n) != 0) continue; The strlen(cmd->name) > n comparison seems wrong, it must be <. Because when the cmd->name is shorter than argv there never can be a partial match, if it is larger then there can be. This error causes the memcmp command to read invalid memory. (I reported this a while back directly to the maintainer via email, but received no reply. The last release of keyutils was in 2014.)
I noted that a new release of keyutils was published recently, yet this bug is still in there. It's a pretty obvious bug and a straightforward fix, so I wonder: why?
Hi, this bug is for RHEL-7 and keyutils were not ever updated there. If you require fix in RHEL-7, you need to contact the regular Red Hat support channels to request it. What I would suggest is to pursue the fix in fedora/upstream first. Let me know if there is anything I can help you with.
Hi, I actually wanted to report this upstream. This tool is hosted on a redhat webpage [1], so my assumption is this is upstream. Who else should I report it? [1] https://people.redhat.com/dhowells/keyutils/