From: Xin LI
Organization: The FreeBSD Project
Reply-To: d@delphij.net
Date: Wed, 08 Jul 2009 16:49:20 -0700
Message-ID: <4A553080.5060205@delphij.net>
References: <20090708193339.GA4836@minerva.freedsl.mg>
To: rea-fbsd@codelabs.ru
Cc: rrl, freebsd-security@freebsd.org
Subject: Re: gzip memory corruption
List-Id: "Security issues [members-only posting]"

Eygene Ryabinkin wrote:
> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>> I run FreeBSD 7.2 and gzip doesn't correctly handle a long suffix name
>> with the -S option.
>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>> Memory fault (core dumped)
>>
>> The offending code lies in the function file_compress:
>>> /* Add (usually) .gz to filename */
>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>     file, suffixes[0].zipped) >= outsize)
>>>     memcpy(outfile - suffixes[0].ziplen - 1,
>>>         suffixes[0].zipped, suffixes[0].ziplen + 1);
>
> The memcpy() call looks like complete madness: it will write before
> the beginning of 'outfile', so it will be a buffer underflow in any
> case (unless I am terribly mistaken and missing some obvious point).
>
> I'd change the above code to warn and return if snprintf will discard
> some trailing characters; the patch is attached.

Nice catch! I'll take a look at this as soon as possible.

Cheers,
--
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!
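As an added illustration of the fix Eygene describes (this is not gzip's source and not his attached patch, which is not on this page), the following C program builds the output name the same way, with `snprintf`, but treats truncation as an error the caller must handle instead of falling through to the out-of-bounds `memcpy`. The names `build_outfile` and `try_suffix`, the 64-byte buffer and the `dummy_file` name are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the gzip source. Builds "<file><suffix>" into
 * outfile[outsize]. Returns 0 on success and -1 if the result would be
 * truncated, in which case the caller is expected to warn and skip the
 * file (the "warn and return" behaviour proposed in the thread).
 * No write ever goes outside outfile[0 .. outsize-1]. */
int build_outfile(const char *file, const char *suffix,
                  char *outfile, size_t outsize)
{
    int n;

    if (outfile == NULL || outsize == 0)
        return -1;

    /* snprintf reports the length the untruncated string would have had.
     * The buggy code reacted to n >= outsize with
     *     memcpy(outfile - ziplen - 1, suffix, ziplen + 1);
     * i.e. a write before the start of the buffer. Here truncation is
     * simply refused and the partial contents are discarded. */
    n = snprintf(outfile, outsize, "%s%s", file, suffix);
    if (n < 0 || (size_t)n >= outsize) {
        outfile[0] = '\0';
        return -1;
    }
    return 0;
}

/* Exercise build_outfile with a constructed suffix of suffix_len 'A'
 * characters (mirroring the perl-generated suffix in the report) against
 * a fixed 64-byte buffer. Returns build_outfile's result code. */
int try_suffix(size_t suffix_len)
{
    char outfile[64];
    char *suffix = malloc(suffix_len + 1);
    int rc;

    if (suffix == NULL)
        return -1;
    memset(suffix, 'A', suffix_len);
    suffix[suffix_len] = '\0';

    rc = build_outfile("dummy_file", suffix, outfile, sizeof outfile);
    if (rc == 0)
        printf("ok:   %s\n", outfile);
    else
        printf("skip: suffix of %zu bytes does not fit, file left alone\n",
               suffix_len);
    free(suffix);
    return rc;
}

int main(void)
{
    try_suffix(3);      /* fits: "dummy_file" + "AAA" */
    try_suffix(1200);   /* the report's 1200-byte suffix: rejected, no crash */
    return 0;
}
```

The boundary worth checking is `n == outsize - 1`: that is the longest name that still fits with its terminating NUL, and one more byte must be rejected rather than "repaired" by writing outside the buffer.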