ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-15 09:19:57 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
5625f5bc36
openwrt/package/system/uci/patches/001-file-uci_parse_package-fix-heap-use-after-free.patch
Hauke Mehrtens 5625f5bc36 uci: Backport security fixes 
This packports two security fixes from master.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit f9005d4f80)
2020-10-28 00:28:08 +01:00

52 lines
2.0 KiB
Diff
Raw Blame History

From a3e650911f5e6f67dcff09974df3775dfd615da6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
Date: Sat, 3 Oct 2020 01:29:21 +0200
Subject: [PATCH] file: uci_parse_package: fix heap use after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes following issue which is caused by usage of pointer which pointed
to a reallocated address:
ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000087 at pc 0x000000509aa7 bp 0x7ffd6b9c3c40 sp 0x7ffd6b9c3400
READ of size 2 at 0x619000000087 thread T0
#0 0x509aa6 in strdup (test-fuzz+0x509aa6)
#1 0x7fc36d2a1636 in uci_strdup util.c:60:8
#2 0x7fc36d29e1ac in uci_alloc_generic list.c:55:13
#3 0x7fc36d29e241 in uci_alloc_package list.c:253:6
#4 0x7fc36d2a0ba3 in uci_switch_config file.c:375:18
#5 0x7fc36d2a09b8 in uci_parse_package file.c:397:2
#6 0x7fc36d2a09b8 in uci_parse_line file.c:513:6
#7 0x7fc36d2a09b8 in uci_import file.c:681:4
0x619000000087 is located 7 bytes inside of 1024-byte region [0x619000000080,0x619000000480)
freed by thread T0 here:
#0 0x51daa9 in realloc (test-fuzz+0x51daa9)
#1 0x7fc36d2a1612 in uci_realloc util.c:49:8
previously allocated by thread T0 here:
#0 0x51daa9 in realloc (test-fuzz+0x51daa9)
#1 0x7fc36d2a1612 in uci_realloc util.c:49:8
Reported-by: Jeremy Galindo <jgalindo@datto.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
file.c | 2 +-
...sig-06,src-000079,time-22005942,op-ext_AO,pos-8 | Bin 0 -> 56 bytes
2 files changed, 1 insertion(+), 1 deletion(-)
create mode 100644 tests/fuzz/corpus/id-000000,sig-06,src-000079,time-22005942,op-ext_AO,pos-8
--- a/file.c
+++ b/file.c
@@ -387,8 +387,8 @@ static void uci_parse_package(struct uci
pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
ofs_name = next_arg(ctx, true, true, true);
- name = pctx_str(pctx, ofs_name);
assert_eol(ctx);
+ name = pctx_str(pctx, ofs_name);
if (single)
return;
Reference in New Issue View Git Blame Copy Permalink