Bug 1300643 - keyutils command line parsing error causes out of bounds memory read
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: keyutils
Priority: low
Severity: medium
Assigned To: David Howells
QA Contact: BaseOS QE Security Team
Reported: 2016-01-21 05:49 EST by hanno
Modified: 2018-02-04 12:45 EST
Type: Bug

Attachments
[patch] fix command line parsing (404 bytes, text/plain)
2016-01-21 05:49 EST, hanno

Description hanno 2016-01-21 05:49:23 EST
Created attachment 1116893
[patch] fix command line parsing

I noticed an out of bounds read access in keyctl when compiling it with
address sanitizer (add -fsanitize=address to cflags).

I figured out it was the code for parsing the command line, here:
        for (cmd = commands; cmd->name; cmd++) {
                if (!cmd->action)
                        continue;
                if (strlen(cmd->name) > n)
                        continue;
                if (memcmp(cmd->name, *argv, n) != 0)
                        continue;

The strlen(cmd->name) > n comparison seems wrong, it must be <. Because
when the cmd->name is shorter than argv there never can be a partial
match, if it is larger then there can be. This error causes the memcmp
command to read invalid memory.

(I reported this a while back directly to the maintainer via email, but received no reply. The last release of keyutils was in 2014.)
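
The length check described in the report above, modelled as an added example (not code from the report, the attached patch, or keyutils). The command table, the function names and the sample argument are constructed; the example computes how far memcmp would be asked to read past a name instead of performing the read.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample table, not keyctl's real command list. */
static const char *const names[] = { "add", "show", "describe", NULL };

/* Skip test as quoted in the report: only longer names are skipped. */
static int skip_reported(const char *name, size_t n) { return strlen(name) > n; }

/* Skip test the report proposes: a shorter name can never match. */
static int skip_proposed(const char *name, size_t n) { return strlen(name) < n; }

/* Largest number of bytes beyond a name's NUL that memcmp(name, arg, n)
 * would be asked to cover, over all table entries the skip test lets through. */
static size_t worst_overread(const char *arg, int (*skip)(const char *, size_t))
{
	size_t n = strlen(arg), worst = 0;
	for (size_t i = 0; names[i]; i++) {
		size_t size = strlen(names[i]) + 1;   /* bytes in the object */
		if (skip(names[i], n))
			continue;
		if (n > size && n - size > worst)
			worst = n - size;
	}
	return worst;
}

/* Prefix lookup using the proposed test; returns table index or -1. */
static int find_command(const char *arg)
{
	size_t n = strlen(arg);
	for (int i = 0; names[i]; i++) {
		if (skip_proposed(names[i], n))
			continue;
		if (memcmp(names[i], arg, n) == 0)  /* n <= strlen(name): in bounds */
			return i;
	}
	return -1;
}

int main(void)
{
	const char *arg = "describe_keyring";  /* constructed over-long argument */
	printf("reported check: %zu bytes past the name\n", worst_overread(arg, skip_reported));
	printf("proposed check: %zu bytes past the name\n", worst_overread(arg, skip_proposed));
	printf("find_command(\"desc\") = %d\n", find_command("desc"));
	return 0;
}
```
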
Comment 2 hanno 2017-05-27 15:02:31 EDT
I noted that a new release of keyutils was published recently, yet this bug is still in there.
It's a pretty obvious bug and a straightforward fix, so I wonder: why?
Comment 3 Stanislav Zidek 2017-05-31 06:12:20 EDT

This bug is for RHEL-7 and keyutils were not ever updated there. If you require a fix in RHEL-7, you need to contact the regular Red Hat support channels to request it.

What I would suggest is to pursue the fix in Fedora/upstream first. Let me know if there is anything I can help you with.
Comment 4 hanno 2018-02-04 12:45:19 EST
Hi, I actually wanted to report this upstream. This tool is hosted on a Red Hat webpage [1], so my assumption is this is upstream. Who else should I report it to?

[1] https://people.redhat.com/dhowells/keyutils/
