Buffer overflow in zic
Hello.
If you compile zic with ASAN, you can get the following (note this will
delete /etc/localtime):
$ sudo ./zic -l fff
=================================================================
==5528==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000053103f at pc 0x000000501ceb bp 0x7ffe9fbe6510 sp 0x7ffe9fbe6508
READ of size 1 at 0x00000053103f thread T0
#0 0x501cea in relname /artifacts/postgres/src/timezone/zic.c:978:36
#1 0x50081b in dolink /artifacts/postgres/src/timezone/zic.c:1045:42
#2 0x4fab14 in main /artifacts/postgres/src/timezone/zic.c:846:3
#3 0x7ff25975fefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
#4 0x41c459 in _start
/usr/src/RPM/BUILD/glibc-2.32-alt5.p10.3/csu/../sysdeps/x86_64/start.S:120
0x00000053103f is located 33 bytes to the left of global variable
'<string literal>' defined in 'zic.c:841:14' (0x531060) of size 13
'<string literal>' is ascii string 'link to link'
0x00000053103f is located 1 bytes to the left of global variable
'<string literal>' defined in 'zic.c:806:15' (0x531040) of size 15
'<string literal>' is ascii string '/etc/localtime'
0x00000053103f is located 26 bytes to the right of global variable
'<string literal>' defined in 'zic.c:804:15' (0x531020) of size 5
'<string literal>' is ascii string 'data'
SUMMARY: AddressSanitizer: global-buffer-overflow
/artifacts/postgres/src/timezone/zic.c:978:36 in relname
Shadow bytes around the buggy address:
0x00008009e1b0: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x00008009e1c0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
0x00008009e1d0: f9 f9 f9 f9 00 03 f9 f9 00 00 00 00 07 f9 f9 f9
0x00008009e1e0: f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
0x00008009e1f0: 00 00 00 04 f9 f9 f9 f9 00 03 f9 f9 02 f9 f9 f9
=>0x00008009e200: 05 f9 f9 f9 05 f9 f9[f9]00 07 f9 f9 00 05 f9 f9
0x00008009e210: 00 05 f9 f9 00 03 f9 f9 00 02 f9 f9 00 00 f9 f9
0x00008009e220: 01 f9 f9 f9 02 f9 f9 f9 03 f9 f9 f9 00 00 00 00
0x00008009e230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009e240: 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
0x00008009e250: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 00 00 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5528==ABORTING
Patch is included in the attachment.
Best regards,
Evgeniy Gorbanyov
Attachment: buffer-overflow-in-zic.patch (text/x-patch)
diff --combined src/timezone/zic.c
index d605c721ec,d605c721ec..0000000000
--- a/src/timezone/zic.c
+++ b/src/timezone/zic.c
@@@ -975,7 -975,7 +975,7 @@@ relname(char const *target, char const
if (f[i] == '/')
dir_len = i + 1;
for (; linkname[i]; i++)
-- dotdots += linkname[i] == '/' && linkname[i - 1] != '/';
++ dotdots += i > 0 && linkname[i] == '/' && linkname[i - 1] != '/';
taillen = strlen(f + dir_len);
dotdotetcsize = 3 * dotdots + taillen + 1;
if (dotdotetcsize <= linksize)
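Review bot: the `i > 0 &&` guard on the `++` line is correct and must stay first in the conjunction, because short-circuit evaluation is what prevents `linkname[i - 1]` from being evaluated when the first loop exits with i == 0 (the two paths share no leading byte), which is exactly the 1-byte read to the left of the '/etc/localtime' literal that the ASAN report attributes to zic.c:978. Two things are worth changing before this goes anywhere: the patch is emitted as a combined diff (`diff --combined`, `@@@` hunk header, two identical index hashes), which `git apply` and `patch` do not consume, so regenerate it with plain `git diff`; and the changed line would benefit from a short comment stating why the guard is needed, since the underflow it prevents is not obvious from the loop alone.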
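A stand-alone model of the two loops in the hunk above, as an added example that is not part of the report or of zic's source: it applies the patched guard, reports whether the unpatched loop would have read one byte before linkname (the i == 0 case from the ASAN report), and builds the resulting relative link text. The struct and function names are invented for this example, and the step in which real zic makes target absolute when linkname is absolute is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Bookkeeping of zic's relname(); field names follow the hunk. */
struct relinfo {
    size_t dir_len;   /* shared prefix up to and including its last '/' */
    size_t dotdots;   /* "../" components needed to climb out of linkname */
    size_t taillen;   /* bytes of target after the shared prefix */
    size_t bufsize;   /* dotdotetcsize: 3 * dotdots + taillen + 1 */
    bool   underflow; /* unpatched loop would have read linkname[-1] */
};

/* The two loops at zic.c:975-979 with the patched guard (hypothetical
 * model for this example; real relname() also absolutises target). */
static struct relinfo relname_info(const char *target, const char *linkname)
{
    struct relinfo r = {0, 0, 0, 0, false};
    const char *f = target;
    size_t i;
    /* Longest common prefix, remembering where the last shared '/' ended. */
    for (i = 0; f[i] && f[i] == linkname[i]; i++)
        if (f[i] == '/')
            r.dir_len = i + 1;
    /* Unpatched code evaluated linkname[i - 1] here even for i == 0. */
    r.underflow = (i == 0 && linkname[0] != '\0');
    /* Count separators left in linkname; a run of '/' counts once. */
    for (; linkname[i]; i++)
        r.dotdots += i > 0 && linkname[i] == '/' && linkname[i - 1] != '/';
    r.taillen = strlen(f + r.dir_len);
    r.bufsize = 3 * r.dotdots + r.taillen + 1;
    return r;
}

/* Writes "../" * dotdots + tail into buf; returns the length written,
 * or (size_t)-1 when buf cannot hold bufsize bytes. */
static size_t relname_build(const char *target, const char *linkname,
                            char *buf, size_t buflen)
{
    struct relinfo r = relname_info(target, linkname);
    size_t n = 0;
    if (buflen < r.bufsize)
        return (size_t)-1;
    for (size_t k = 0; k < r.dotdots; k++, n += 3)
        memcpy(buf + n, "../", 3);
    memcpy(buf + n, target + r.dir_len, r.taillen + 1); /* copies the NUL */
    return n + r.taillen;
}
```

With the report's own arguments, `relname_info("fff", "/etc/localtime")` sets `underflow` because the first loop stops at i == 0, which is the read ASAN flagged.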
Evgeniy Gorbanyov <gorbanyoves@basealt.ru> writes:
If you compile zic with ASAN, you can get the following (note this will
delete /etc/localtime):
$ sudo ./zic -l fff
zic is not our code. Please take this up with the upstream IANA
list tz@iana.org. (They might want to see a reproducer against
their current code ... we're a bit behind on syncing that.)
https://www.iana.org/time-zones
regards, tom lane
Bug fixed in 2025b:
https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/6JVHNHLB6I2WAYTQ75L6KEPEQHFXAJK3/
Mailing list:
https://lists.iana.org/hyperkitty/list/tz@iana.org/thread/7MKA4UXVUUGXXMDCTPQ5VOLD4KKN3LQR/
06.02.2025 21:00, Tom Lane writes:
Evgeniy Gorbanyov <gorbanyoves@basealt.ru> writes:
If you compile zic with ASAN, you can get the following (note this will
delete /etc/localtime):
$ sudo ./zic -l fff
zic is not our code. Please take this up with the upstream IANA
list tz@iana.org. (They might want to see a reproducer against
their current code ... we're a bit behind on syncing that.)
https://www.iana.org/time-zones
regards, tom lane
Evgeniy Gorbanyov <gorbanyoves@basealt.ru> writes:
Bug fixed in 2025b:
https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/6JVHNHLB6I2WAYTQ75L6KEPEQHFXAJK3/
We'll get around to syncing to tzcode 2025b or later at some point.
This particular issue does not strike me as a reason for urgency,
though. We do not install our version of zic, nor invoke it with -l,
so the bug is really irrelevant to us.
regards, tom lane