Date: Tue, 15 Mar 2016 18:43:07 +0300
From: Solar Designer <>
Cc: Laël Cellier <>
Subject: Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished cve-2016-2324 and cve-2016-2315)

Thanks for bringing this to oss-security.

On Tue, Mar 15, 2016 at 03:55:37PM +0100, Laël Cellier wrote:
> Hello, original report describing the overflow is here 

Going forward, please post the actual content directly to oss-security,
not (only) via reference.  I've attached the contents of this pastebin
to this message, so that it's properly archived.

(No idea why you had "cve" obfuscated with Unicode, but I undid that.)


// In revision.c before
// (struct name_path is the declaration from git's revision.h of that era, added so the excerpt is complete; the braces dropped from the excerpt are restored)
struct name_path {
    struct name_path *up;
    int elem_len;
    const char *elem;
};

char *path_name(const struct name_path *path, const char *name) // by design, name_path->len is a 32-bit int, but this doesn't concern name
{
    const struct name_path *p;
    char *n, *m;
    int nlen = strlen(name); // the size is converted to a positive number (the correct size was allocated previously with an unsigned long). I got 705804100
    int len = nlen + 1;

    for (p = path; p; p = p->up) { // loop is skipped (except for the cve-2016-2324 case, which is fixed since 2.7.1 in February 2016)
        if (p->elem_len)
            len += p->elem_len + 1;
    }
    n = xmalloc(len); // if len is negative, it will also be converted to a negative 64-bit integer *(which explains why it is normally trying to allocate several PB of RAM most of the time)* which will be read as positive after that. // but this isn't the run case that is interesting here.
    m = n + len - (nlen + 1); // the size of m is lower than name
    strcpy(m, name); // strcpy relies on the null-terminating character. The result is written in unallocated memory from the heap. This is the definition of a heap overflow enabling server-side remote code execution if name[] contains assembly and has the correct size. This opens the way to defeat canaries, ASLR, and NX combined; see
    for (p = path; p; p = p->up) {
        if (p->elem_len) {
            m -= p->elem_len + 1;
            memcpy(m, p->elem, p->elem_len);
            m[p->elem_len] = '/';
        }
    }
    return n;
}
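To make the size arithmetic in the excerpt concrete without actually building a multi-gigabyte name, here is an added example; it is neither part of the report above nor git's own code. vuln_sizes() reproduces what the vulnerable path_name() computes for a name of a given real length (the strlen() result stored into an int, then len built in int), and vuln_overflows() says whether strcpy()/memcpy() would then write outside the xmalloc()'d buffer. safe_path_name() is the obvious hardened counterpart, written here with size_t lengths and checked addition (it uses malloc() rather than git's xmalloc() and is modelled on the fix, not copied from it). The struct name_path declaration is git's; everything else, including the "dir/sub/file.c" input in demo_join_ok(), is constructed for this example, and the truncation cases assume a 64-bit size_t.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linked list of path components, innermost first, as declared in git's
 * revision.h of that era. */
struct name_path {
    struct name_path *up;
    int elem_len;
    const char *elem;
};

/* What the vulnerable path_name() derives from a name of `real_name_len`
 * bytes plus the element lengths in `elem_lens`, computed without building
 * the string.  git does this arithmetic in signed int, where overflow is
 * undefined; here it is done in unsigned and cast back so the wraparound
 * is reproducible.  Assumes a 64-bit size_t (LP64). */
struct vuln_sizes {
    int nlen;           /* `int nlen = strlen(name)` after truncation */
    int len;            /* the value handed to xmalloc() */
    size_t allocated;   /* (size_t)len: a negative len becomes huge */
    long long start;    /* offset from n where strcpy() starts */
    long long lowest;   /* lowest offset from n the memcpy loop reaches */
    size_t written;     /* bytes strcpy() really writes: strlen + 1 */
};

struct vuln_sizes vuln_sizes(size_t real_name_len, const int *elem_lens, size_t n_elems)
{
    struct vuln_sizes s;
    unsigned nlen = (unsigned)real_name_len;     /* size_t -> int truncation */
    unsigned len = nlen + 1u;
    unsigned long long elem_bytes = 0;           /* what the loop really copies */

    for (size_t i = 0; i < n_elems; i++) {
        if (elem_lens[i]) {
            len += (unsigned)elem_lens[i] + 1u;
            elem_bytes += (unsigned long long)elem_lens[i] + 1;
        }
    }
    s.nlen = (int)nlen;
    s.len = (int)len;
    s.allocated = (size_t)s.len;
    s.start = (long long)s.len - ((long long)s.nlen + 1);
    s.lowest = s.start - (long long)elem_bytes;
    s.written = real_name_len + 1;
    return s;
}

/* True when the copies land outside [n, n + allocated).  A negative len is
 * not an overflow here: xmalloc() dies asking for petabytes instead of
 * returning a buffer, the case the report calls uninteresting. */
bool vuln_overflows(struct vuln_sizes s)
{
    if (s.lowest < 0)                                   /* written before n */
        return true;
    if ((unsigned long long)s.start > s.allocated)
        return true;
    return s.written > s.allocated - (size_t)s.start;   /* past the end */
}

/* Overflow-checked addition on size_t. */
bool add_sz(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* Hardened counterpart: size_t end to end, every addition checked, so an
 * oversized input fails instead of yielding a short buffer.  Returns NULL
 * on overflow, negative elem_len, or allocation failure. */
char *safe_path_name(const struct name_path *path, const char *name)
{
    const struct name_path *p;
    size_t nlen = strlen(name), len;
    char *n, *m;

    if (!add_sz(nlen, 1, &len))
        return NULL;
    for (p = path; p; p = p->up) {
        if (p->elem_len < 0)
            return NULL;
        if (p->elem_len && !add_sz(len, (size_t)p->elem_len + 1, &len))
            return NULL;
    }
    n = malloc(len);
    if (!n)
        return NULL;
    m = n + len - (nlen + 1);           /* len >= nlen + 1, so no underflow */
    memcpy(m, name, nlen + 1);          /* bounded by the length we sized for */
    for (p = path; p; p = p->up) {
        if (p->elem_len) {
            m -= (size_t)p->elem_len + 1;
            memcpy(m, p->elem, (size_t)p->elem_len);
            m[p->elem_len] = '/';
        }
    }
    return n;
}

/* Constructed input: components "dir" and "sub" around name "file.c". */
bool demo_join_ok(void)
{
    struct name_path root = { NULL, 3, "dir" };
    struct name_path sub = { &root, 3, "sub" };
    char *joined = safe_path_name(&sub, "file.c");
    bool ok = joined && strcmp(joined, "dir/sub/file.c") == 0;
    free(joined);
    return ok;
}

int main(void)
{
    size_t big = (size_t)UINT32_MAX + 17;        /* strlen() just past 2^32 */
    struct vuln_sizes s = vuln_sizes(big, NULL, 0);
    printf("strlen %zu -> nlen %d, xmalloc(%d), strcpy writes %zu bytes: %s\n",
           big, s.nlen, s.len, s.written,
           vuln_overflows(s) ? "heap overflow" : "fine");
    printf("hardened join: %s\n", demo_join_ok() ? "dir/sub/file.c" : "failed");
    return 0;
}
```

The interesting window is a name whose true length is between 2^32 and 2^32 + INT_MAX: the truncated nlen is small, xmalloc() hands back a small buffer, and strcpy() copies the whole multi-gigabyte name into it. A length between INT_MAX and 2^32 instead makes len negative and the allocation request enormous, which is the "several PB" failure in the report. The element loop reaches the same two outcomes when the summed elem_len values push len out of range.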
