Integer overflow when processing giant field values

Bug #1397340 reported by John-Mark Bell on 2014-11-28
Affects: whoopsie (Ubuntu); Importance: Medium; Assigned to: Brian Murray

Bug Description

Ubuntu release: 12.04
Package version: 0.1.33

When parsing fields in a crash report file, whoopsie will reallocate the value buffer when appending continuation lines. The current length of the buffer is computed by pointer arithmetic and the result stored in a signed integer. If the field value length reaches 2GB, then this value will overflow, and become negative. This will then cause whoopsie itself to abort, as it tries to allocate a huge amount of memory.

I would expect whoopsie to cope with such large input (which may be generated as the result of a memory-hungry process crashing and creating a very large compressed+base64-encoded CoreDump).

By inspection, I see that this issue is still present in current development versions: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/whoopsie/vivid/view/head:/src/whoopsie.c#L402

I've attached a patch (created against the 0.1.33 sources, but should apply with minimal issues against later versions), that resolves the immediate issue. There's a more general question about the sanity of loading the entire crash file into memory, too (particularly as the CoreDump is never used unless the server requests it).
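The defect described above, modelled in C as an added example (this is not whoopsie's code and not the attached patch; `buggy_new_length`, `field_value`, `field_value_append` and the 1 GiB `FIELD_VALUE_MAX` cap are assumed names and values). The first function mirrors the reported pattern, a buffer length derived from pointer arithmetic and stored in a signed `int`, with the lengths passed as numbers so the wrap to a negative value can be shown without feeding 2 GB of input. The accumulator that follows is the hardened form: unsigned lengths, overflow-checked addition, a hard cap on one field's size, and a `false` return rather than an abort when the input is oversized or memory runs out.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the reported defect (assumed shape, not whoopsie's code): the
 * buffer length is derived from pointer arithmetic and kept in a signed int.
 * Converting a value above INT_MAX to int is implementation-defined and wraps
 * to a negative number on GCC/Clang; that negative int, handed to realloc,
 * becomes a huge size_t and the allocation fails or the process aborts. */
long buggy_new_length(size_t current_len, size_t extra)
{
    int len = (int)(current_len + extra); /* as if "int len = end - start" */
    return len;                           /* negative once the sum reaches 2^31 */
}

/* Hardened accumulator for one field value: unsigned lengths, checked
 * arithmetic and a policy cap, reporting failure instead of aborting. */
typedef struct {
    char *data;  /* NUL-terminated contents */
    size_t len;  /* bytes used, excluding the NUL */
    size_t cap;  /* bytes allocated */
} field_value;

/* Hypothetical hard limit on a single field value (1 GiB). */
#define FIELD_VALUE_MAX ((size_t)1 << 30)

bool field_value_append(field_value *v, const char *chunk, size_t n)
{
    /* Reject before performing any addition that could wrap. */
    if (n > SIZE_MAX - v->len)
        return false;
    size_t need = v->len + n;
    if (need > FIELD_VALUE_MAX)
        return false;                     /* oversized field: caller decides what to do */

    if (need + 1 > v->cap) {              /* need + 1 cannot wrap: need <= FIELD_VALUE_MAX */
        size_t ncap = v->cap ? v->cap : 64;
        while (ncap < need + 1)
            ncap *= 2;                    /* bounded by 2 * FIELD_VALUE_MAX, so no wrap */
        char *p = realloc(v->data, ncap);
        if (!p)
            return false;                 /* allocation failure is reported, not fatal */
        v->data = p;
        v->cap = ncap;
    }
    memcpy(v->data + v->len, chunk, n);
    v->len = need;
    v->data[v->len] = '\0';
    return true;
}

void field_value_free(field_value *v)
{
    free(v->data);
    v->data = NULL;
    v->len = v->cap = 0;
}

int main(void)
{
    printf("buggy length for INT_MAX + 1 bytes: %ld\n", buggy_new_length(INT_MAX, 1));

    field_value v = {0};
    /* Constructed continuation lines, as a report parser would feed them. */
    const char *lines[] = { "CoreDump: base64", "line-two", "line-three" };
    for (size_t i = 0; i < 3; i++) {
        if (i > 0 && !field_value_append(&v, "\n", 1)) return 1;
        if (!field_value_append(&v, lines[i], strlen(lines[i]))) return 1;
    }
    printf("value (%zu bytes):\n%s\n", v.len, v.data);
    printf("oversized append rejected: %s\n",
           field_value_append(&v, "", SIZE_MAX) ? "no" : "yes");
    field_value_free(&v);
    return 0;
}
```

The two checks in `field_value_append` address different risks: the `SIZE_MAX - v->len` test makes the length arithmetic itself safe, while `FIELD_VALUE_MAX` is a policy decision that keeps a single oversized field (such as a multi-gigabyte CoreDump) from consuming the daemon's memory at all, which is the broader concern the report raises.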

John-Mark Bell (jmb202) wrote:

The attachment "whoopsie.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Brian Murray (brian-murray) wrote:

A likely candidate for the crash corresponding to this report is the following:

https://errors.ubuntu.com/problem/2b929ca4aff09a8714851de0c45279b036386a10

tags: added: trusty utopic vivid
Changed in whoopsie (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Brian Murray (brian-murray)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package whoopsie - 0.2.43

---------------
whoopsie (0.2.43) vivid; urgency=medium

  * Remove .crash file if we are unable to create a .uploaded file for it
    to prevent trying to upload the same crash file multiple times.
    (LP: #1392412)
  * Avoid buffer overflow when parsing reports. Thanks to John-Mark Bell for
    the patch. (LP: #1397340)
 -- Brian Murray <email address hidden> Wed, 17 Dec 2014 16:17:33 -0800

Changed in whoopsie (Ubuntu):
status: In Progress → Fix Released