oss-sec mailing list archives

GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability


From: Valentin Metz <valentin.metz () tum de>
Date: Thu, 18 Jan 2024 09:40:50 +0100

Hi,
I have discovered a vulnerability in the GNU coreutils "split" program.
Specifically, it concerns a heap overflow with user-controlled data of several hundred bytes in length. It was introduced in 40bf1591bb4362fa91e501bcec7c2029c5f65a43 on 2023-03-04. | https://github.com/coreutils/coreutils/commit/40bf1591bb4362fa91e501bcec7c2029c5f65a43#diff-30bc328ab3afa0ab9f17c6e7cf1752d558ae37cf4200e95bbb04c405c2b59518L821

Relevant diff:
@@ -816,15 +820,10 @@
           /* Update hold if needed.  */
           if ((eoc && split_rest) || (!eoc && n_left))
             {
-              size_t n_buf = eoc ? split_rest : n_left;
+              idx_t n_buf = eoc ? split_rest : n_left;
               if (hold_size - n_hold < n_buf)
-                {
-                  if (hold_size <= SIZE_MAX - bufsize)
-                    hold_size += bufsize;
-                  else
-                    xalloc_die ();
-                  hold = xrealloc (hold, hold_size);
-                }
+                hold = xpalloc (hold, &hold_size, n_buf - (hold_size - n_hold),
+                                -1, sizeof *hold);
               memcpy (hold + n_hold, sob, n_buf);
               n_hold += n_buf;
               n_left -= n_buf;
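Review bot: the invariant that the `memcpy (hold + n_hold, sob, n_buf);` right after the growth depends on, namely `n_hold + n_buf <= hold_size`, is no longer visible in the code once the explicit `hold_size += bufsize` bookkeeping is replaced by `xpalloc (hold, &hold_size, n_buf - (hold_size - n_hold), -1, sizeof *hold)`. The minimum increment passed is exactly the shortfall, so `hold_size` afterwards is no longer a multiple of `bufsize` as it was before; any code elsewhere in the function that sizes or flushes `hold` on that assumption needs to be audited with this hunk, and the hunk should make its own expectation explicit by adding `assert (n_hold + n_buf <= hold_size);` immediately before the `memcpy` so a shortfall aborts instead of writing past the allocation.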

This allowed the "hold" buffer to overflow in the memcpy() of line 827 (right below the marked diff).

The GNU coreutils maintainers have been informed, and a fix was deployed today with c4c5ed8f4e9cd55a12966d4f520e3a13101637d9. | https://github.com/coreutils/coreutils/commit/c4c5ed8f4e9cd55a12966d4f520e3a13101637d9

A proof-of-concept file to trigger the crash is available under https://github.com/Valentin-Metz/writeup_split/blob/main/split_me. You can use it to trigger a segmentation fault (SIGABRT) in split, using "split -C 1024 ./split_me". A detailed writeup will follow once distro maintainers have had some time to distribute a fix.
A CVE-ID is yet to be assigned.

With excellent regards,
Valentin Metz
