[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Stack overflow in checksum.c

From: Stefan Fuhrmann <stefan.fuhrmann_at_wandisco.com>
Date: Tue, 27 Jan 2015 08:01:38 +0100

On Tue, Jan 27, 2015 at 5:07 AM, Hyrum K Wright <hyrum_at_hyrumwright.org>
wrote:

> There's a stack overflow bug in subversion/libsubr/checksum.c.
>

Well, a segfault.

>
> The functions svn_checksum__from_digest_fnv1a_32x4() and
> svn_checksum__from_digest_fnv1a_32() both look something like this:
>
> svn_checksum_t *
> svn_checksum__from_digest_fnv1a_32x4(const unsigned char *digest,
> apr_pool_t *result_pool)
> {
> return checksum_create(svn_checksum_fnv1a_32x4, sizeof(digest), digest,
> result_pool);
> }
>
> The problem is that checksum_create() expects the length of the string
> pointed to by digest, but sizeof(digest) returns the number of bytes that a
> variable of type 'const unsigned char *' requires. These methods are
> currently only called with unint32_t cast to an unsigned char, but on
> platforms which have 8-byte pointers, this leads to a buffer overflow in
> checksum_create() when it tries to read more than the provided 4 bytes.
>

It is a remnant of the original implementation that passed in a uint32
and a later change to char*.

> I *think* the correct fix is to add a digest_size argument
> to svn_checksum__from_digest_fnv1a_32x4() and
> svn_checksum__from_digest_fnv1a_32(), but I'm not sure if there's a better
> way which somebody more familiar with this code would know about.
>

The digest size is known just like in the functions for sha1 and md5.
Moreover, it is redundant with the checksum kind already given.
r1654981 fixes the problem.

> By all accounts, this code hasn't been released yet, so it's not a yet
> security issue (hence the post to dev@ and not private@), but I thought
> somebody would like to be aware of it. :)
>

Thanks for the review! Because the current callers would probably
never have triggered the segfault, this bug might have lingered in
there for years ...

- Stefan^2.
Received on 2015-01-27 08:02:07 CET

This is an archived mail posted to the Subversion Dev mailing list.