GNOME Bugzilla – Bug 762417
Out of bounds read in function token_stream_prepare() triggered by test suite
Last modified: 2016-02-22 14:17:55 UTC
Created attachment 321796: proposed patch / fix

Running "make check" with glib when compiled with Address Sanitizer shows an out of bounds error in the file gvariant-parser.c (line 240), function token_stream_prepare(). This is the code in question:

    for (end = stream->stream + 1;
         end != stream->end && *end != ',' && *end != ':' &&
         *end != '>' && *end != ']' && !g_ascii_isspace (*end);
         end++)

What happens is that stream->end is not really set to the end of the stream (it's zero, set in g_variant_new_parsed_va(), line 2461). Therefore the end of the string is not detected.

I have attached a patch to fix this, but I propose someone more familiar with this code checks if this is a good way to fix it. I add an additional check for a terminating null byte in the for condition.

Another way to fix this would be to make sure that stream->end is always set to a valid value (could be done in line 2461 by using "format + strlen(format)"), but as this function is called from various other functions I'm not sure this is wanted and it seems the code is written in a way that it expects that the stream end can be set to zero.
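As an added illustration (not the reporter's patch and not GLib's code), a reduced model of the scan described above: the unfixed loop with a NULL stream->end beside the loop with the proposed NUL check, run over a constructed buffer that keeps the "memory after the string" inside one array so the overrun can be measured without an actual out-of-bounds access. The struct and helper names are assumptions for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the parser's token stream (not GLib's struct). */
typedef struct {
    const char *stream;  /* start of the current token */
    const char *end;     /* one past the last byte, or NULL when the caller never set it */
} TokenStream;

/* Delimiters the scanner in token_stream_prepare() stops at. */
static int is_delim(char c)
{
    return c == ',' || c == ':' || c == '>' || c == ']' || isspace((unsigned char)c);
}

/* Scan as the reported code did: a NULL stream->end never matches, so only a
 * delimiter stops the loop and the terminating NUL is walked straight over. */
static const char *scan_unfixed(const TokenStream *s)
{
    const char *end;
    for (end = s->stream + 1; end != s->end && !is_delim(*end); end++)
        ;
    return end;
}

/* Scan with the reporter's proposed extra condition: also stop at the NUL. */
static const char *scan_fixed(const TokenStream *s)
{
    const char *end;
    for (end = s->stream + 1; end != s->end && *end != '\0' && !is_delim(*end); end++)
        ;
    return end;
}

/* Bytes consumed from the start of the token when stream->end is left NULL,
 * as it is in g_variant_new_parsed_va(). */
size_t token_len_unfixed(const char *buf) { TokenStream s = { buf, NULL }; return (size_t)(scan_unfixed(&s) - buf); }
size_t token_len_fixed(const char *buf)   { TokenStream s = { buf, NULL }; return (size_t)(scan_fixed(&s) - buf); }

/* Constructed buffer: the format "%i", its NUL terminator, then bytes standing
 * in for whatever happens to follow the string in memory, ending in a ','. */
static const char SAMPLE[] = "%i\0junkjunk,";

size_t demo_unfixed(void) { return token_len_unfixed(SAMPLE); }  /* 11: ran past the NUL to ',' */
size_t demo_fixed(void)   { return token_len_fixed(SAMPLE); }    /* 2: stopped at the NUL */
```

Had the bytes after the NUL belonged to another allocation, the unfixed scan would have been the read that Address Sanitizer reported.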
Created attachment 321797: full address sanitizer error message / stack trace
This is a fairly serious issue. I'm treating this as a security bug, because there's this:

    desrt@humber:~$ dconf write /x '%i'
    Segmentation fault

and we can imagine that any similar tool that parses GVariant from untrusted sources could have similar issues.
Okay. Pushed to master and backported to the last several stable branches as well. After discussion with the Ubuntu security team, I've decided that this issue isn't so serious: it doesn't allow code execution in any circumstances and there are no known places (and certainly no popular places) where this could even be exploited for a DoS. Thanks for the patch.