Message-ID: <4A553458.70005@delphij.net>
Date: Wed, 08 Jul 2009 17:05:44 -0700
From: Xin LI (The FreeBSD Project)
Reply-To: d@delphij.net
To: d@delphij.net
Cc: rrl, freebsd-security@freebsd.org, rea-fbsd@codelabs.ru
Subject: Re: gzip memory corruption
References: <20090708193339.GA4836@minerva.freedsl.mg> <4A553080.5060205@delphij.net>
In-Reply-To: <4A553080.5060205@delphij.net>

Hi,

Xin LI wrote:
> Eygene Ryabinkin wrote:
>> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>>> I run FreeBSD 7.2 and gzip doesn't correctly handle a long suffix name
>>> with the -S option.
>>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>>> Memory fault (core dumped)
>>>
>>> The offending code lies in the function file_compress:
>>>>     /* Add (usually) .gz to filename */
>>>>     if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>>         file, suffixes[0].zipped) >= outsize)
>>>>             memcpy(outfile - suffixes[0].ziplen - 1,
>>>>                 suffixes[0].zipped, suffixes[0].ziplen + 1);
>> The memcpy() call looks like complete madness: it will write before
>> the beginning of 'outfile', so it will be a buffer underflow in any
>> case (unless I am terribly mistaken and missing some obvious point).
>
>> I'd change the above code to warn and return if snprintf will discard
>> some trailing characters; the patch is attached.
I have attached another possible fix, which catches the problem when parsing the command line. The point is that I think we really want to catch bad input as early as possible.

If there are no objections I would request approval from re@.

Cheers,
--
Xin LI <delphij@delphij.net>  http://www.delphij.net/
FreeBSD - The Power to Serve!

Attachment: gzip.c-S-underflow.diff

Index: gzip.c
===================================================================
--- gzip.c	(版本 195435)
+++ gzip.c	(工作副本)
@@ -372,6 +372,8 @@
 		case 'S':
 			len = strlen(optarg);
 			if (len != 0) {
+				if (len >= PATH_MAX)
+					errx(1, "incorrect suffix: '%s'", optarg);
 				suffixes[0].zipped = optarg;
 				suffixes[0].ziplen = len;
 			} else {
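Review bot: the parse-time bound `len >= PATH_MAX` is not sufficient on its own, because the output name in file_compress is `file` followed by the suffix, so a suffix of PATH_MAX-1 bytes still does not fit `outfile` for any non-empty file name and snprintf() truncates exactly as in the report; the underflowing `memcpy(outfile - suffixes[0].ziplen - 1, ...)` in file_compress therefore still needs to be replaced by a warn-and-return on truncation (Eygene's patch), with this check as an additional early rejection. The message `"incorrect suffix: '%s'"` could also say why the suffix is rejected, e.g. `errx(1, "suffix too long: '%s'", optarg);`, and echoing a suffix of up to PATH_MAX bytes back to the user is of limited value.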