Page MenuHome GnuPG

heap buffer overflow in iobuf.c
Closed, ResolvedPublic

Description

Hi, I am working on a project in which I use the afl fuzzer and address sanitizer to find bugs in software. When fuzzing gpg I came across a heap buffer overread in common/iobuf.c on line 1275 when called as follows:
gpg --export --no-default-keyring --keyring <absolute path to file attached>
The bug is only visible when compiled with the address sanitizer.

Details

Version
at least 2.2.4 and 2.3.0-beta227

Event Timeline

werner triaged this task as Unbreak Now! priority.Feb 3 2018, 1:30 AM

Can't replicate this with gcc's address sanitizer. I found a bug in kbxutil, though.
Can you post a bit more info than just line 1275?

That's weird, I can reproduce it with a fresh pull from dev.gnupg.org (I can't clone it because it keeps giving me an error like "no rule to make target audit-events.h) by configuring with CFLAGS set to -fsantize=address -ldl and LDFLAGS set to -lasan. I added the -ldl because of a linking error with symbol dlsym (only when -fsantize=address is present). It more specifically complains about a READ access of size 1 and heap-buffer-overflow on address 0xb30037b0. It also mentions that this address is a wild pointer. The call tree looks as follows:
iobuf_temp_with_content
keybox_get_keyblock
keydb_get_keyblock
do_export_stream
do_export
export_pubkeys
main

I guess that you are running on 32-bit architecture where the function keybox_get_keyblock uses 32-bit signed size_t for image_off and image_len.

I think that we need some checks for the keybox blob header.

Does this patch help? My artificial test confirmed that this does the Right Thing.

This handles the problem, thanks.