From: rrl
To: freebsd-security@freebsd.org
Date: Wed, 8 Jul 2009 22:33:39 +0300
Subject: gzip memory corruption
Message-ID: <20090708193339.GA4836@minerva.freedsl.mg>
User-Agent: Mutt/1.5.19 (2009-01-05)
List-Id: "Security issues [members-only posting]"

Hi all,

> uname -a
FreeBSD XXXXX 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Wed Jun 24 10:19:42 EAT 2009     XXXXXXXXX:/usr/obj/usr/src/sys/GENERIC  i386

I run FreeBSD 7.2 and gzip doesn't correctly handle a long suffix name with the -S option.

> gzip -S `perl -e 'print "A"x1200'` dummy_file
Memory fault (core dumped)

The offending code lies in the function file_compress:

> /* Add (usually) .gz to filename */
> if ((size_t)snprintf(outfile, outsize, "%s%s",
>     file, suffixes[0].zipped) >= outsize)
>         memcpy(outfile - suffixes[0].ziplen - 1,
>             suffixes[0].zipped, suffixes[0].ziplen + 1);

The problem here is that outfile points to a local buffer from the function handle_file, which calls file_compress. And given that we give a very long suffix, memcpy does in fact write to a memory location outside outfile, overwriting the return address of file_compress.

Here's a possible fix:

--- /usr/src/usr.bin/gzip/gzip.c	2009-05-17 12:00:16.000000000 +0300
+++ gzip.c	2009-07-08 20:27:22.000000000 +0300
@@ -1219,10 +1219,15 @@ file_compress(char *file, char *outfile,
 	/* Add (usually) .gz to filename */
 	if ((size_t)snprintf(outfile, outsize, "%s%s",
-	    file, suffixes[0].zipped) >= outsize)
+	    file, suffixes[0].zipped) >= outsize &&
+	    (unsigned int)suffixes[0].ziplen < outsize)
 		memcpy(outfile - suffixes[0].ziplen - 1,
 		    suffixes[0].zipped, suffixes[0].ziplen + 1);
-
+	else {
+		maybe_warnx("filename too long %s%s", file, suffixes[0].zipped);
+		close(in);
+		return -1;
+	}
 #ifndef SMALL
 	if (check_outfile(outfile) == 0) {
 		close(in);

Cheers,
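Review bot: the new `else` branch also fires in the normal case. When the name fits, `snprintf` returns less than `outsize`, the combined condition `>= outsize && ziplen < outsize` is false, and the patch warns "filename too long", closes `in` and returns -1 for every ordinary file. Keep the truncation test as the outer `if`, and inside it test `(unsigned int)suffixes[0].ziplen < outsize` before the `memcpy`, with the warn/close/return in that inner `else`. Also, a bound of `ziplen < outsize` only protects the `memcpy` if its destination is computed from the end of the buffer (`outfile + outsize - ...`); as quoted, the destination is `outfile - suffixes[0].ziplen - 1`, which is relative to the start of `outfile`, so the expression in the tree should be double-checked before relying on this check alone.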
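As an added example (my own code, not gzip.c or the patch above): a bounds-checked version of the suffix-append step, keeping the original intent of forcing the suffix onto a truncated name but refusing a suffix that cannot fit the buffer. The names build_outfile and try_case and the 0/1/-1 return convention are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounds-checked "append suffix" step.  Builds "<file><suffix>" into
 * out[outsize]; on truncation the suffix is still forced onto the end of
 * the name (the original intent), but only after checking that the suffix
 * itself fits, so the memcpy() destination can never leave the buffer.
 * Returns 0 (fit), 1 (truncated), -1 (suffix too long / error).
 */
static int
build_outfile(char *out, size_t outsize, const char *file, const char *suffix)
{
	size_t ziplen = strlen(suffix);
	int n;
	if (outsize == 0)
		return -1;
	out[0] = '\0';
	if (ziplen + 1 > outsize)	/* suffix plus NUL must fit first */
		return -1;
	n = snprintf(out, outsize, "%s%s", file, suffix);
	if (n < 0)
		return -1;
	if ((size_t)n < outsize)
		return 0;
	/* Destination is computed from the END of the buffer, so the
	 * ziplen + 1 bytes written always land inside out[]. */
	memcpy(out + outsize - ziplen - 1, suffix, ziplen + 1);
	return 1;
}

/* Runs one case through a 16-byte buffer; returns the build_outfile()
 * result when the buffer then holds want, or -99 on mismatch. */
static int
try_case(const char *file, const char *suffix, const char *want)
{
	char buf[16];
	int rc = build_outfile(buf, sizeof buf, file, suffix);
	return strcmp(buf, want) == 0 ? rc : -99;
}

int main(void)
{
	char big[1201];			/* the report's 1200-byte suffix */
	memset(big, 'A', 1200);
	big[1200] = '\0';
	printf("%d\n", try_case("dummy_file", big, ""));	/* -1, no crash */
	return 0;
}
```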