Bug 13896 - rpm: validate input files
Summary: rpm: validate input files
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.33.x
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2021-07-01 13:59 UTC by Tobias Stoeckmann
Modified: 2021-07-01 14:00 UTC
Attachments
rpm.patch (3.63 KB, patch)
2021-07-01 13:59 UTC, Tobias Stoeckmann
proof of concept (crash on 32 and 64 bit) (176 bytes, application/x-rpm)
2021-07-01 14:00 UTC, Tobias Stoeckmann
proof of concept (crash on 32 bit) (112 bytes, application/x-rpm)
2021-07-01 14:00 UTC, Tobias Stoeckmann

Description Tobias Stoeckmann 2021-07-01 13:59:21 UTC
Created attachment 9031 [details]
rpm.patch

Offsets and tag entry count in input files are not validated before
being used. This can lead to heap overflows and out of boundary accesses.

Stop processing files if invalid entries are encountered.

Entries are invalid if:
- Offsets into data area exceed limits
- Strings in data area are not nul terminated
- Offsets point into data without enough bytes for data type
- Too many entries specified

The limit of INT_MAX guarantees proper operations even on 32 bit systems
with 32 bit off_t data type, i.e. no large file system support.

2 GB is already a very large limit for RPM tags.
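
The rejection conditions listed in the description above, as an added C example (it is not the attached rpm.patch and not BusyBox code). The struct and function names are hypothetical, index fields are assumed to be already converted to host byte order, and only the RPM types INT16 (3), INT32 (4) and STRING (6) are handled; the sample data is constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One RPM header index entry, fields already converted to host byte order. */
struct idx_entry { uint32_t tag, type, offset, count; };
enum { T_INT16 = 3, T_INT32 = 4, T_STRING = 6 }; /* RPM tag data types */

/* Return 1 if the entry's data lies fully inside store[0..store_len). */
int entry_is_valid(const struct idx_entry *e, const uint8_t *store, uint32_t store_len)
{
    uint32_t avail, elem;
    if (store_len > (uint32_t)INT_MAX || e->offset >= store_len)
        return 0;                          /* offset exceeds the data area */
    avail = store_len - e->offset;
    switch (e->type) {
    case T_STRING:                         /* NUL must occur before the end */
        return memchr(store + e->offset, '\0', avail) != NULL;
    case T_INT16: elem = 2; break;
    case T_INT32: elem = 4; break;
    default:      return 0;                /* other types are rejected here */
    }
    /* dividing instead of multiplying avoids overflow in count * elem */
    return e->count >= 1 && e->count <= avail / elem;
}

/* Return 1 if the declared entry count is sane and every entry validates.
 * present = number of index entries actually read from the file. */
int header_is_valid(const struct idx_entry *idx, uint32_t declared, uint32_t present,
                    const uint8_t *store, uint32_t store_len)
{
    if (declared > present || declared > INT_MAX / sizeof(*idx))
        return 0;                          /* too many entries specified */
    for (uint32_t i = 0; i < declared; i++)
        if (!entry_is_valid(&idx[i], store, store_len))
            return 0;                      /* stop at the first invalid entry */
    return 1;
}

int main(void)
{
    /* Constructed sample: one 4-byte integer, then an unterminated string. */
    static const uint8_t store[] = { 0, 0, 0, 7, 'b', 'b' };
    struct idx_entry idx[] = { { 1000, T_INT32, 0, 1 }, { 1001, T_STRING, 4, 1 } };
    printf("valid=%d\n", header_is_valid(idx, 2, 2, store, sizeof(store)));
    return 0;
}
```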
Comment 1 Tobias Stoeckmann 2021-07-01 14:00:22 UTC
Created attachment 9036 [details]
proof of concept (crash on 32 and 64 bit)
Comment 2 Tobias Stoeckmann 2021-07-01 14:00:58 UTC
Created attachment 9041 [details]
proof of concept (crash on 32 bit)