Read out-of-bounds in git_oid_nfmt · Issue #3936 · libgit2/libgit2 · GitHub
Description

@gaa-cifasis

Hi,

We found an out-of-bounds read while parsing a malformed object file using the latest version of libgit2. To reproduce, first compile libgit2 and its examples with AddressSanitizer support. Then:

$ git init ; mkdir -p .git/objects/32 ; printf 'eJwrKUpNVTBmMFRgAAAREQJV' | base64 -d > .git/objects/32/7b2768749122dbe850988d6fc544054d55a2ae

Finally, you can trigger the bug using cat-file:

$ ASAN_OPTIONS='detect_leaks=0' cat-file -p 327b2768749122dbe850988d6fc544054d55a2ae

The AddressSanitizer report is here:

==9796==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000342b4 at pc 0x7f36f24005cf bp 0x7ffd9bc2cb60 sp 0x7ffd9bc2cb50
READ of size 1 at 0x6020000342b4 thread T0
    #0 0x7f36f24005ce in git_oid_nfmt /home/g/Work/Code/libgit2-master/src/oid.c:82
    #1 0x7f36f2400901 in git_oid_tostr /home/g/Work/Code/libgit2-master/src/oid.c:127
    #2 0x402f22 in show_tree /home/g/Work/Code/libgit2-master/examples/cat-file.c:58
    #3 0x403735 in main /home/g/Work/Code/libgit2-master/examples/cat-file.c:178
    #4 0x7f36f1d03290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #5 0x401919 in _start (/home/g/Work/Code/libgit2-master/examples/cat-file+0x401919)

0x6020000342b4 is located 0 bytes to the right of 4-byte region [0x6020000342b0,0x6020000342b4)
allocated by thread T0 here:
    #0 0x7f36f2868e60 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7f36f23f4af7 in git__malloc /home/g/Work/Code/libgit2-master/src/util.h:162
    #2 0x7f36f23f5d1e in inflate_tail /home/g/Work/Code/libgit2-master/src/odb_loose.c:275
    #3 0x7f36f23f64a4 in inflate_disk_obj /home/g/Work/Code/libgit2-master/src/odb_loose.c:377
    #4 0x7f36f23f687f in read_loose /home/g/Work/Code/libgit2-master/src/odb_loose.c:417
    #5 0x7f36f23f7b2e in loose_backend__read /home/g/Work/Code/libgit2-master/src/odb_loose.c:642
    #6 0x7f36f23f26f1 in odb_read_1 /home/g/Work/Code/libgit2-master/src/odb.c:996
    #7 0x7f36f23f293b in git_odb_read /home/g/Work/Code/libgit2-master/src/odb.c:1028
    #8 0x7f36f23ec5ca in git_object_lookup_prefix /home/g/Work/Code/libgit2-master/src/object.c:167
    #9 0x7f36f24708f9 in maybe_sha_or_abbrev /home/g/Work/Code/libgit2-master/src/revparse.c:24
    #10 0x7f36f2470994 in maybe_sha /home/g/Work/Code/libgit2-master/src/revparse.c:34
    #11 0x7f36f2470cf6 in revparse_lookup_object /home/g/Work/Code/libgit2-master/src/revparse.c:96
    #12 0x7f36f2473b1c in ensure_base_rev_loaded /home/g/Work/Code/libgit2-master/src/revparse.c:625
    #13 0x7f36f24744f6 in revparse__ext /home/g/Work/Code/libgit2-master/src/revparse.c:802
    #14 0x7f36f2474854 in git_revparse_ext /home/g/Work/Code/libgit2-master/src/revparse.c:840
    #15 0x7f36f2474a8b in git_revparse_single /home/g/Work/Code/libgit2-master/src/revparse.c:863
    #16 0x40356c in main /home/g/Work/Code/libgit2-master/examples/cat-file.c:136
    #17 0x7f36f1d03290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

This issue was found using QuickFuzz.

Regards,
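The ASan trace above shows the inflated object body is a 4-byte heap region allocated in inflate_tail, and the over-read happens in git_oid_nfmt while cat-file's show_tree formats a tree entry's OID. That pattern is what you get when a tree parser hands a 20-byte raw OID pointer to a caller without first checking that 20 bytes actually remain in the buffer. The following is an added example, not libgit2's own tree parser or its fix: a minimal parser for a git tree object body (git's on-disk layout is "<octal mode> <name>\0" followed by 20 raw OID bytes per entry) that bounds-checks every field, with constructed inputs including a tree cut off after four OID bytes. All function, struct and constant names here (parse_tree, tree_entry, OID_RAWSZ, the sample buffers) are made up for the example.

```c
/* Added example, not libgit2 code: bounds-checked parsing of a git tree body.
 * Entry layout (git's format): "<octal mode> <name>\0" + 20 raw OID bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OID_RAWSZ   20
#define MAX_ENTRIES 16

struct tree_entry {
    unsigned int   mode;
    const char    *name;  /* points into the caller's buffer, NUL-terminated */
    const uint8_t *oid;   /* points into the caller's buffer, OID_RAWSZ bytes */
};

/* Parse buf[0..len). Returns the number of entries, or -1 if the body is
 * malformed or truncated. The cursor is checked against 'end' before any
 * byte it covers is read, so a short object can never yield an OID pointer
 * with fewer than OID_RAWSZ bytes behind it. */
int parse_tree(const uint8_t *buf, size_t len, struct tree_entry *out, size_t max_out)
{
    const uint8_t *p = buf, *end = buf + len;
    size_t n = 0;

    while (p < end) {
        if (n == max_out)
            return -1;

        /* mode: one or more octal digits, terminated by a single space */
        unsigned int mode = 0;
        const uint8_t *q = p;
        while (q < end && *q >= '0' && *q <= '7')
            mode = mode * 8 + (unsigned int)(*q++ - '0');
        if (q == p || q >= end || *q != ' ')
            return -1;
        q++;

        /* name: NUL-terminated; memchr is bounded by the bytes left */
        const uint8_t *nul = memchr(q, '\0', (size_t)(end - q));
        if (nul == NULL || nul == q)
            return -1;

        /* raw OID: exactly OID_RAWSZ bytes must remain after the NUL.
         * Skipping this check is what lets a later hex formatter read
         * past the end of a short object body. */
        const uint8_t *oid = nul + 1;
        if ((size_t)(end - oid) < OID_RAWSZ)
            return -1;

        out[n].mode = mode;
        out[n].name = (const char *)q;
        out[n].oid  = oid;
        n++;
        p = oid + OID_RAWSZ;
    }
    return (int)n;
}

/* Format a raw OID as 40 lowercase hex chars; 'out' must hold 41 bytes.
 * Safe only because parse_tree guaranteed OID_RAWSZ readable bytes. */
void oid_to_hex(const uint8_t *oid, char *out)
{
    static const char hex[] = "0123456789abcdef";
    for (size_t i = 0; i < OID_RAWSZ; i++) {
        out[i * 2]     = hex[oid[i] >> 4];
        out[i * 2 + 1] = hex[oid[i] & 0x0f];
    }
    out[OID_RAWSZ * 2] = '\0';
}

/* Constructed sample inputs (not the object from the issue). */
static const uint8_t good_tree[] =
    "100644 a\0"
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14";
/* Same entry, but the body stops after only four OID bytes. */
static const uint8_t short_tree[] = "100644 a\0" "\x01\x02\x03\x04";

int parse_good(void)
{
    struct tree_entry e[MAX_ENTRIES];
    return parse_tree(good_tree, sizeof good_tree - 1, e, MAX_ENTRIES);
}

int parse_short(void)
{
    struct tree_entry e[MAX_ENTRIES];
    return parse_tree(short_tree, sizeof short_tree - 1, e, MAX_ENTRIES);
}

/* Hex of the single entry in good_tree, via the checked path. */
const char *good_entry_hex(void)
{
    static char hex[OID_RAWSZ * 2 + 1];
    struct tree_entry e[MAX_ENTRIES];
    if (parse_tree(good_tree, sizeof good_tree - 1, e, MAX_ENTRIES) != 1)
        return "";
    oid_to_hex(e[0].oid, hex);
    return hex;
}

int main(void)
{
    printf("well-formed tree: %d entry(ies), oid %s\n", parse_good(), good_entry_hex());
    printf("truncated tree:   %d (rejected before any OID read)\n", parse_short());
    return 0;
}
```

The check that matters is the `end - oid < OID_RAWSZ` comparison before the OID pointer is stored; with it, the truncated sample is rejected at parse time instead of being formatted later from bytes that were never allocated.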
