Bug 13112 - receive_xattr heap overread with non null terminated name
receive_xattr heap overread with non null terminated name
Status: RESOLVED FIXED
Product: rsync
Classification: Unclassified
Component: core
3.1.3
All All
: P5 normal
: ---
Assigned To: Wayne Davison
Rsync QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-31 04:03 UTC by jeriko.one
Modified: 2017-11-05 19:48 UTC (History)
0 users

See Also:


Attachments
Make room for trailing NULL and use read_sbuf (1.09 KB, patch)
2017-10-31 04:03 UTC, jeriko.one
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description jeriko.one 2017-10-31 04:03:13 UTC
Created attachment 13744 [details]
Make room for trailing NULL and use read_sbuf

$ ./rsync -v
rsync  version 3.1.3dev  protocol version 31

code snippets are from receive_xattr in xattrs.c

in receive_xattr a name is read from the sender. The sender sends the length of the name, and then sends the name. The name is read in via read_buf so it's not null terminated. 

 815         size_t name_len = read_varint(f);

 826         read_buf(f, name, name_len);


If the sender sent --filter that had an xattr filter then this name will be passed to name_is_excluded. 

 834         if (saw_xattr_filter) {
 835             if (name_is_excluded(name, NAME_IS_XATTR, ALL_FILTERS)) {

This can lead to a heap overread as name_is_excluded is expecting a NULL terminated string. 

These are the arguments I'm sending to the daemon when connecting
{"--server", "--filter", "+x jk", "-X", ".", ".", "\0"};

I provided a patch that will make room for a NULL byte in name, and use read_sbuf instead. 

ASan output: 
=================================================================
==3497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e831 at pc 0x7ffff6edc15b bp 0x7fffffff9990 sp 0x7fffffff9138
READ of size 2 at 0x60200000e831 thread T0
    #0 0x7ffff6edc15a in strlen (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x7015a)
    #1 0x4412dd in rule_matches /home/raj/rsync/rsync/exclude.c:696
    #2 0x441921 in check_filter /home/raj/rsync/rsync/exclude.c:772
    #3 0x441724 in name_is_excluded /home/raj/rsync/rsync/exclude.c:744
    #4 0x4a2d76 in receive_xattr /home/raj/rsync/rsync/xattrs.c:835
    #5 0x40beac in recv_file_entry /home/raj/rsync/rsync/flist.c:1108
    #6 0x415bee in recv_file_list /home/raj/rsync/rsync/flist.c:2476
    #7 0x454eaa in do_server_recv /home/raj/rsync/rsync/main.c:1036
    #8 0x4556f4 in start_server /home/raj/rsync/rsync/main.c:1115
    #9 0x4b20f2 in rsync_module /home/raj/rsync/rsync/clientserver.c:1007
    #10 0x4b2b11 in start_daemon /home/raj/rsync/rsync/clientserver.c:1135
    #11 0x48f636 in start_accept_loop /home/raj/rsync/rsync/socket.c:618
    #12 0x4b32d2 in daemon_main /home/raj/rsync/rsync/clientserver.c:1237
    #13 0x458318 in main /home/raj/rsync/rsync/main.c:1630
    #14 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f)
    #15 0x4047c8 in _start (/home/raj/rsync/asan/bin/rsync+0x4047c8)

0x60200000e831 is located 0 bytes to the right of 1-byte region [0x60200000e830,0x60200000e831)
allocated by thread T0 here:
    #0 0x7ffff6f04572 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x98572)
    #1 0x44e48b in _new_array /home/raj/rsync/rsync/util2.c:68
    #2 0x4a2c63 in receive_xattr /home/raj/rsync/rsync/xattrs.c:822
    #3 0x40beac in recv_file_entry /home/raj/rsync/rsync/flist.c:1108
    #4 0x415bee in recv_file_list /home/raj/rsync/rsync/flist.c:2476
    #5 0x454eaa in do_server_recv /home/raj/rsync/rsync/main.c:1036
    #6 0x4556f4 in start_server /home/raj/rsync/rsync/main.c:1115
    #7 0x4b20f2 in rsync_module /home/raj/rsync/rsync/clientserver.c:1007
    #8 0x4b2b11 in start_daemon /home/raj/rsync/rsync/clientserver.c:1135
    #9 0x48f636 in start_accept_loop /home/raj/rsync/rsync/socket.c:618
    #10 0x4b32d2 in daemon_main /home/raj/rsync/rsync/clientserver.c:1237
    #11 0x458318 in main /home/raj/rsync/rsync/main.c:1630
    #12 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strlen
Shadow bytes around the buggy address:
  0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d00: fa fa fa fa fa fa[01]fa fa fa 04 fa fa fa 00 07
  0x0c047fff9d10: fa fa fd fd fa fa 02 fa fa fa 02 fa fa fa 00 01
  0x0c047fff9d20: fa fa 03 fa fa fa 06 fa fa fa 00 01 fa fa 06 fa
  0x0c047fff9d30: fa fa 00 01 fa fa 06 fa fa fa fd fd fa fa fd fa
  0x0c047fff9d40: fa fa 00 01 fa fa fd fa fa fa fd fa fa fa 00 01
  0x0c047fff9d50: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==3497==ABORTING
Comment 1 jeriko.one 2017-10-31 18:46:33 UTC
This issue can also be reached in 3.1.2, but through a different path as the earlier version doesn't have an xattr filter. I believe the same fix for 3.1.3 would work for 3.1.2 (using read_sbuf) If I should open a separate bug for this please let me know. 

It requires the daemon to use:
fake super = yes 
so that am_root == -1

the sender needs to send at least 2 xattrs, at least one without the USER_PREFIX, and one that doesn't have a terminating NULL. 

same issue of name being read in with read_buf, so it's not guaranteed to be NULL terminated. 

 698         read_buf(f, name, name_len);

 705 #ifdef HAVE_LINUX_XATTRS
 706         /* Non-root can only save the user namespace. */
 707         if (am_root <= 0 && !HAS_PREFIX(name, USER_PREFIX)) {
 708             if (!am_root) {
 709                 free(ptr);
 710                 continue;
 711             }
 712             name -= RPRE_LEN;
 713             name_len += RPRE_LEN;
 714             memcpy(name, RSYNC_PREFIX, RPRE_LEN);
 715             need_sort = 1;
 716         }

After reading the xattrs it'll sort them if need be. need_sort is set in the previous code snippet. 

 747     if (need_sort && count > 1)
 748         qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);

 116 static int rsync_xal_compare_names(const void *x1, const void *x2)
 117 {
 118     const rsync_xa *xa1 = x1;
 119     const rsync_xa *xa2 = x2;
 120     return strcmp(xa1->name, xa2->name);
 121 }

rsync_xal_compare_names is expecting the names to be NULL terminated, but that isn't guaranteed. 

ASan output:
=================================================================
==29001==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eaa0 at pc 0x7ffff6eb3185 bp 0x7fffffff99d0 sp 0x7fffffff9178
READ of size 18 at 0x60200000eaa0 thread T0
    #0 0x7ffff6eb3184  (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x47184)
    #1 0x49b7e6 in rsync_xal_compare_names /home/raj/rsync/rsync-3.1.2/xattrs.c:120
    #2 0x7ffff64ecc9b  (/lib64/libc.so.6+0x34c9b)
    #3 0x7ffff64ecfe9 in qsort_r (/lib64/libc.so.6+0x34fe9)
    #4 0x49f443 in receive_xattr /home/raj/rsync/rsync-3.1.2/xattrs.c:748
    #5 0x40be5b in recv_file_entry /home/raj/rsync/rsync-3.1.2/flist.c:1126
    #6 0x415b95 in recv_file_list /home/raj/rsync/rsync-3.1.2/flist.c:2494
    #7 0x45478f in do_server_recv /home/raj/rsync/rsync-3.1.2/main.c:1025
    #8 0x454fd9 in start_server /home/raj/rsync/rsync-3.1.2/main.c:1104
    #9 0x4ae074 in rsync_module /home/raj/rsync/rsync-3.1.2/clientserver.c:1003
    #10 0x4ae68a in start_daemon /home/raj/rsync/rsync-3.1.2/clientserver.c:1094
    #11 0x48e271 in start_accept_loop /home/raj/rsync/rsync-3.1.2/socket.c:618
    #12 0x4aee41 in daemon_main /home/raj/rsync/rsync-3.1.2/clientserver.c:1196
    #13 0x457c02 in main /home/raj/rsync/rsync-3.1.2/main.c:1621
    #14 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f)
    #15 0x404778 in _start (/home/raj/rsync/release_asan/bin/rsync+0x404778)

0x60200000eaa0 is located 0 bytes to the right of 16-byte region [0x60200000ea90,0x60200000eaa0)
allocated by thread T0 here:
    #0 0x7ffff6f04572 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x98572)
    #1 0x44ddad in _new_array /home/raj/rsync/rsync-3.1.2/util2.c:70
    #2 0x49f012 in receive_xattr /home/raj/rsync/rsync-3.1.2/xattrs.c:694
    #3 0x40be5b in recv_file_entry /home/raj/rsync/rsync-3.1.2/flist.c:1126
    #4 0x415b95 in recv_file_list /home/raj/rsync/rsync-3.1.2/flist.c:2494
    #5 0x45478f in do_server_recv /home/raj/rsync/rsync-3.1.2/main.c:1025
    #6 0x454fd9 in start_server /home/raj/rsync/rsync-3.1.2/main.c:1104
    #7 0x4ae074 in rsync_module /home/raj/rsync/rsync-3.1.2/clientserver.c:1003
    #8 0x4ae68a in start_daemon /home/raj/rsync/rsync-3.1.2/clientserver.c:1094
    #9 0x48e271 in start_accept_loop /home/raj/rsync/rsync-3.1.2/socket.c:618
    #10 0x4aee41 in daemon_main /home/raj/rsync/rsync-3.1.2/clientserver.c:1196
    #11 0x457c02 in main /home/raj/rsync/rsync-3.1.2/main.c:1621
    #12 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c047fff9d50: fa fa 00 00[fa]fa 04 fa fa fa 00 07 fa fa fd fd
  0x0c047fff9d60: fa fa 02 fa fa fa 02 fa fa fa 00 01 fa fa 00 01
  0x0c047fff9d70: fa fa 06 fa fa fa fd fd fa fa fd fa fa fa 02 fa
  0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d90: fa fa 02 fa fa fa 03 fa fa fa 00 01 fa fa fd fd
  0x0c047fff9da0: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29001==ABORTING
Comment 2 Wayne Davison 2017-11-05 19:48:34 UTC
The name_len value is set to include the terminating null char, e.g.:
    name_len = strlen(name) + 1;

I tweaked the read code to validate that the read value is null-terminated, and die if it is not.