Hi, I am working on a project in which I use the afl fuzzer and address sanitizer to find bugs in software. When fuzzing gpg I came across a heap buffer overread in common/iobuf.c on line 1275 when called as follows:
gpg --export --no-default-keyring --keyring <absolute path to file attached>
The bug is only visible when compiled with the address sanitizer.
Description
Description
Details
Details
- Version
- at least 2.2.4 and 2.3.0-beta227
Revisions and Commits
Revisions and Commits
Event Timeline
Comment Actions
Can't replicate this with gcc's address sanitizer. I found a bug in kbxutil, though.
Can you post a bit more info than just line 1275?
Comment Actions
That's weird, I can reproduce it with a fresh pull from dev.gnupg.org (I can't clone it because it keeps giving me an error like "no rule to make target audit-events.h) by configuring with CFLAGS set to -fsantize=address -ldl and LDFLAGS set to -lasan. I added the -ldl because of a linking error with symbol dlsym (only when -fsantize=address is present). It more specifically complains about a READ access of size 1 and heap-buffer-overflow on address 0xb30037b0. It also mentions that this address is a wild pointer. The call tree looks as follows:
iobuf_temp_with_content
keybox_get_keyblock
keydb_get_keyblock
do_export_stream
do_export
export_pubkeys
main
Comment Actions
I guess that you are running on 32-bit architecture where the function keybox_get_keyblock uses 32-bit signed size_t for image_off and image_len.
I think that we need some checks for the keybox blob header.