86 lines
3.4 KiB
Diff
86 lines
3.4 KiB
Diff
From 115d138ba599328005c5321c0ef9f00355838ca9 Mon Sep 17 00:00:00 2001
|
|
From: Werner Koch <wk@gnupg.org>
|
|
Date: Thu, 23 Oct 2025 11:36:04 +0200
|
|
Subject: [PATCH] gpg: Fix possible memory corruption in the armor parser.
|
|
|
|
* g10/armor.c (armor_filter): Fix faulty double increment.
|
|
|
|
* common/iobuf.c (underflow_target): Assert that the filter
|
|
implementations behave well.
|
|
--
|
|
|
|
This fixes a bug in a code path which can only be reached with special
|
|
crafted input data and would then error out at an upper layer due to
|
|
corrupt input (every second byte in the buffer is unitialized
|
|
garbage). No fuzzing has yet hit this case and we don't have a test
|
|
case for this code path. However memory corruption can never be
|
|
tolerated as it always has the protential for remode code execution.
|
|
|
|
Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
|
|
Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
|
|
which fixed
|
|
Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f
|
|
|
|
The bug was introduced on 1999-01-07 by me:
|
|
* armor.c: Rewrote large parts.
|
|
which I fixed on 1999-03-02 but missed to fix the other case:
|
|
* armor.c (armor_filter): Fixed armor bypassing.
|
|
|
|
Below is base64+gzipped test data which can be used with valgrind to
|
|
show access to uninitalized memory in write(2) in the unpatched code.
|
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
H4sICIDd+WgCA3h4AO3QMQ6CQBCG0djOKbY3G05gscYFSRAJt/AExp6Di0cQG0ze
|
|
a//MV0zOq3Pt+jFN3ZTKfLvP9ZLafqifJUe8juOjeZbVtSkbRPmRgICAgICAgICA
|
|
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
|
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
|
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
|
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
|
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
|
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
|
gICAgICAgICAgICAgICAgICAgICAgICAgMCXF6dYDgAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC7E14AAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwZ94aieId3+8EAA==
|
|
--8<---------------cut here---------------end--------------->8---
|
|
---
|
|
common/iobuf.c | 6 ++++++
|
|
g10/armor.c | 4 ++--
|
|
2 files changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/common/iobuf.c b/common/iobuf.c
|
|
index 8a128b3f6..769df958d 100644
|
|
--- a/common/iobuf.c
|
|
+++ b/common/iobuf.c
|
|
@@ -1939,8 +1939,12 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
|
|
A->FILTER. */
|
|
rc = 0;
|
|
else
|
|
+ {
|
|
+ size_t tmplen = len; /* Used to check for bugs in the filter. */
|
|
rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
|
|
&a->d.buf[a->d.len], &len);
|
|
+ log_assert (len <= tmplen);
|
|
+ }
|
|
a->d.len += len;
|
|
|
|
if (DBG_IOBUF)
|
|
diff --git a/g10/armor.c b/g10/armor.c
|
|
index 036b72772..59a6202aa 100644
|
|
--- a/g10/armor.c
|
|
+++ b/g10/armor.c
|
|
@@ -1312,8 +1312,8 @@ armor_filter( void *opaque, int control,
|
|
n = 0;
|
|
if( afx->buffer_len ) {
|
|
/* Copy the data from AFX->BUFFER to BUF. */
|
|
- for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
|
|
- buf[n++] = afx->buffer[afx->buffer_pos++];
|
|
+ for(; n < size && afx->buffer_pos < afx->buffer_len;)
|
|
+ buf[n++] = afx->buffer[afx->buffer_pos++];
|
|
if( afx->buffer_pos >= afx->buffer_len )
|
|
afx->buffer_len = 0;
|
|
}
|
|
|