From owner-freebsd-security@FreeBSD.ORG Wed Jul 8 20:25:20 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A83B91065670 for ; Wed, 8 Jul 2009 20:25:20 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 5C9F98FC17 for ; Wed, 8 Jul 2009 20:25:20 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=OG3UVJk4wLMJsIlTsPtDL7XH3xNUsq41jvG03m/LiIMelnAP3SmWY40dNVcza8MDIzPipAKq3o3VnK9+WM4C8VMQNHrg/ECsUpliWyE6UaUskyG0shOAHVN/hsWkDrGVOFC/9Lk8spdBSG6ftEyBs3lqk4WLIP5wIrm997VZgrg=; Received: from phoenix.codelabs.ru (ppp91-77-10-253.pppoe.mtu-net.ru [91.77.10.253]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1MOdhe-0007ky-1m; Thu, 09 Jul 2009 00:25:18 +0400 Date: Thu, 9 Jul 2009 00:25:15 +0400 From: Eygene Ryabinkin To: rrl Message-ID: References: <20090708193339.GA4836@minerva.freedsl.mg> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="4ZLFUWh1odzi/v6L" Content-Disposition: inline In-Reply-To: <20090708193339.GA4836@minerva.freedsl.mg> Sender: rea-fbsd@codelabs.ru Cc: freebsd-security@freebsd.org Subject: Re: gzip memory corruption X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: rea-fbsd@codelabs.ru List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Jul 2009 20:25:20 -0000 --4ZLFUWh1odzi/v6L Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote: > I run Freebsd 7.2 and gzip doesn't handle correctly long suffix name > with the -S option. > > gzip -S `perl -e 'print "A"x1200'` dummy_file > Memory fault (core dumped) > > The offending code lays in the function file_compress: > > /* Add (usually) .gz to filename */ > > if ((size_t)snprintf(outfile, outsize, "%s%s", > > file, suffixes[0].zipped) >= outsize) > > memcpy(outfile - suffixes[0].ziplen - 1, > > suffixes[0].zipped, suffixes[0].ziplen + 1); The memcpy() call looks like a complete madness: it will write before the beginning of the 'outfile', so it will be buffer underflow in any case (unless I am terribly mistaken and missing some obvious point). I'd change the above code to warn and return if snprintf will discard some trailing characters, the patch is attached. -- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ # --4ZLFUWh1odzi/v6L Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="gzip.c-fix-buffer-underflow.diff" --- usr.bin/gzip/gzip.c.orig 2009-07-09 00:03:03.000000000 +0400 +++ usr.bin/gzip/gzip.c 2009-07-09 00:21:40.000000000 +0400 @@ -1235,9 +1235,12 @@ /* Add (usually) .gz to filename */ if ((size_t)snprintf(outfile, outsize, "%s%s", - file, suffixes[0].zipped) >= outsize) - memcpy(outfile - suffixes[0].ziplen - 1, - suffixes[0].zipped, suffixes[0].ziplen + 1); + file, suffixes[0].zipped) >= outsize) { + warnx("Output file name '%s%s' is too long, exiting", + file, suffixes[0].zipped); + close(in); + return -1; + } #ifndef SMALL if (check_outfile(outfile) == 0) { --4ZLFUWh1odzi/v6L--