>From 7462d18379c3e83e943cb8cf542161025aea0d2c Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Tue, 26 Jan 2016 23:17:54 +0100 Subject: [PATCH] CVE-2016-2037 - 1 byte out-of-bounds write Ensure that cpio_safer_name_suffix always works with dynamically allocated buffer, and that it has size of at least 32 bytes. Then, any call to cpio_safer_name_suffix is safe (it requires at least 2 bytes in the buffer). Also ensure that c_namesize is always correctly initialized (by cpio_set_c_name) to avoid undefined behavior when reading file_hdr.c_namesize (previously happened for tar archives). References: http://www.mail-archive.com/address@hidden/msg00545.html * src/copyin.c (query_rename): Drop the hack, as we now work with dynamically allocated buffer. Use cpio_set_c_name. (create_defered_links_to_skipped): Use cpio_set_c_name rather than manual assignment. (read_name_from_file): New function to avoid C&P. (read_in_old_ascii, read_in_new_ascii, read_in_binary): Use read_name_from_file. (process_copy_in): Initialize file_hdr.c_namesize. * src/copyout.c (process_copy_out): Use cpio_set_c_name. * src/cpiohdr.h (cpio_set_c_name): New prototype. * src/tar.c (read_in_tar_header): Use cpio_set_c_name. * src/util.c (cpio_set_c_name): New function to set file_hdr->c_name and c_namesize from arbitrary string. (cpio_safer_name_suffix): Some docs fixes. * tests/inout.at: Also test copy-in, and try various formats. --- src/copyin.c | 68 +++++++++++++++++++--------------------------------------- src/copyout.c | 13 +++++------ src/cpiohdr.h | 1 + src/tar.c | 10 +++++---- src/util.c | 32 ++++++++++++++++++++++++++- tests/inout.at | 19 ++++++++++++++-- 6 files changed, 82 insertions(+), 61 deletions(-) diff --git a/src/copyin.c b/src/copyin.c index 6a306ee..ba887ae 100644 --- a/src/copyin.c +++ b/src/copyin.c @@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out, return -1; } else - /* Debian hack: file_hrd.c_name is sometimes set to - point to static memory by code in tar.c. This - causes a segfault. This has been fixed and an - additional check to ensure that the file name - is not too long has been added. (Reported by - Horst Knobloch.) This bug has been reported to - "address@hidden". (99/1/6) -BEM */ - { - if (archive_format != arf_tar && archive_format != arf_ustar) - { - free (file_hdr->c_name); - file_hdr->c_name = xstrdup (new_name.ds_string); - } - else - { - if (is_tar_filename_too_long (new_name.ds_string)) - error (0, 0, _("%s: file name too long"), - new_name.ds_string); - else - strcpy (file_hdr->c_name, new_name.ds_string); - } - } + cpio_set_c_name (file_hdr, new_name.ds_string); return 0; } @@ -342,8 +321,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr, d_prev->next = d->next; else deferments = d->next; - free (file_hdr->c_name); - file_hdr->c_name = xstrdup(d->header.c_name); + cpio_set_c_name (file_hdr, d->header.c_name); free_deferment (d); copyin_regular_file(file_hdr, in_file_des); return 0; @@ -1012,6 +990,22 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des) } } +static void +read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len) +{ + static char *tmp_filename; + static size_t buflen; + + if (buflen < len) + { + buflen = len; + tmp_filename = xrealloc (tmp_filename, buflen); + } + + tape_buffered_read (tmp_filename, fd, len); + cpio_set_c_name (file_hdr, tmp_filename); +} + /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from file descriptor IN_DES, except for the magic number, which is already filled in. */ @@ -1038,14 +1032,8 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des) file_hdr->c_rdev_min = minor (dev); file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime); - file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize); file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize); - - /* Read file name from input. */ - if (file_hdr->c_name != NULL) - free (file_hdr->c_name); - file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1); - tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); + read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize)); /* HP/UX cpio creates archives that look just like ordinary archives, but for devices it sets major = 0, minor = 1, and puts the @@ -1100,14 +1088,8 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des) file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min); file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj); file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min); - file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize); file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum); - - /* Read file name from input. */ - if (file_hdr->c_name != NULL) - free (file_hdr->c_name); - file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize); - tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); + read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize)); /* In SVR4 ASCII format, the amount of space allocated for the header is rounded up to the next long-word, so we might need to drop @@ -1155,16 +1137,9 @@ read_in_binary (struct cpio_file_stat *file_hdr, file_hdr->c_rdev_min = minor (short_hdr->c_rdev); file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16 | short_hdr->c_mtimes[1]; - - file_hdr->c_namesize = short_hdr->c_namesize; file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16 | short_hdr->c_filesizes[1]; - - /* Read file name from input. */ - if (file_hdr->c_name != NULL) - free (file_hdr->c_name); - file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize); - tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); + read_name_from_file (file_hdr, in_des, short_hdr->c_namesize); /* In binary mode, the amount of space allocated in the header for the filename is `c_namesize' rounded up to the next short-word, @@ -1245,6 +1220,7 @@ process_copy_in () read_pattern_file (); } file_hdr.c_name = NULL; + file_hdr.c_namesize = 0; if (rename_batch_file) { diff --git a/src/copyout.c b/src/copyout.c index 87c1932..7532dac 100644 --- a/src/copyout.c +++ b/src/copyout.c @@ -660,8 +660,7 @@ process_copy_out () cpio_safer_name_suffix (input_name.ds_string, false, !no_abs_paths_flag, true); #ifndef HPUX_CDF - file_hdr.c_name = input_name.ds_string; - file_hdr.c_namesize = strlen (input_name.ds_string) + 1; + cpio_set_c_name (&file_hdr, input_name.ds_string); #else if ( (archive_format != arf_tar) && (archive_format != arf_ustar) ) { @@ -670,16 +669,15 @@ process_copy_out () properly recreate the directory as hidden (in case the files of a directory go into the archive before the directory itself (e.g from "find ... -depth ... | cpio")). */ - file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string); - file_hdr.c_namesize = strlen (file_hdr.c_name) + 1; + cpio_set_c_name (&file_hdr, + add_cdf_double_slashes (input_name.ds_string)); } else { /* We don't mark CDF's in tar files. We assume the "hidden" directory will always go into the archive before any of its files. */ - file_hdr.c_name = input_name.ds_string; - file_hdr.c_namesize = strlen (input_name.ds_string) + 1; + cpio_set_c_name (&file_hdr, input_name.ds_string); } #endif @@ -866,8 +864,7 @@ process_copy_out () file_hdr.c_chksum = 0; file_hdr.c_filesize = 0; - file_hdr.c_namesize = 11; - file_hdr.c_name = CPIO_TRAILER_NAME; + cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME); if (archive_format != arf_tar && archive_format != arf_ustar) write_out_header (&file_hdr, out_file_des); else diff --git a/src/cpiohdr.h b/src/cpiohdr.h index c297415..588135b 100644 --- a/src/cpiohdr.h +++ b/src/cpiohdr.h @@ -129,5 +129,6 @@ struct cpio_file_stat /* Internal representation of a CPIO header */ char *c_tar_linkname; }; +void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name); #endif /* cpiohdr.h */ diff --git a/src/tar.c b/src/tar.c index 1b1156e..0a34845 100644 --- a/src/tar.c +++ b/src/tar.c @@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) if (null_block ((long *) &tar_rec, TARRECORDSIZE)) #endif { - file_hdr->c_name = CPIO_TRAILER_NAME; + cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME); return; } #if 0 @@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) } if (archive_format != arf_ustar) - file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name); + cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name)); else - file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name); + cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix, + tar_hdr->name)); + file_hdr->c_nlink = 1; file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode); file_hdr->c_mode = file_hdr->c_mode & 07777; @@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) case AREGTYPE: /* Old tar format; if the last char in filename is '/' then it is a directory, otherwise it's a regular file. */ - if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/') + if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/') file_hdr->c_mode |= CP_IFDIR; else file_hdr->c_mode |= CP_IFREG; diff --git a/src/util.c b/src/util.c index d78d576..10486dc 100644 --- a/src/util.c +++ b/src/util.c @@ -1409,8 +1409,34 @@ set_file_times (int fd, utime_error (name); } + +void +cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name) +{ + static size_t buflen = 0; + size_t len = strlen (name) + 1; + + if (buflen == 0) + { + buflen = len; + if (buflen < 32) + buflen = 32; + file_hdr->c_name = xmalloc (buflen); + } + else if (buflen < len) + { + buflen = len; + file_hdr->c_name = xrealloc (file_hdr->c_name, buflen); + } + + file_hdr->c_namesize = len; + memmove (file_hdr->c_name, name, len); +} + /* Do we have to ignore absolute paths, and if so, does the filename - have an absolute path? */ + have an absolute path? Before calling this function make sure that the + allocated NAME buffer has capacity at least 2 bytes. */ + void cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, bool strip_leading_dots) @@ -1425,6 +1451,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, ++p; } if (p != name) + /* The 'p' string is shortened version of 'name' with one exception; when + the 'name' points to an empty string (buffer where name[0] == '\0') the + 'p' then points to static string ".". So caller needs to ensure there + are at least two bytes available in 'name' buffer so memmove succeeds. */ memmove (name, p, (size_t)(strlen (p) + 1)); } diff --git a/tests/inout.at b/tests/inout.at index 86c7d02..fd7baea 100644 --- a/tests/inout.at +++ b/tests/inout.at @@ -35,7 +35,22 @@ while read NAME LENGTH do genfile --length $LENGTH > $NAME echo $NAME -done < filelist | - cpio --quiet -o > archive]) +done < filelist > filelist_raw + +for format in bin odc newc crc tar ustar hpbin hpodc +do + cpio --format=$format --quiet -o < filelist_raw > archive.$format + rm -rf output + mkdir output && cd output + cpio -i --quiet < ../archive.$format + + while read file + do + test -f $file || echo "$file not found" + done < ../filelist_raw + + cd .. +done +]) AT_CLEANUP -- 2.9.3