[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-tar] Heap-based buffer overflow in xheader.c:188:xheader_set_keywor
From: |
x ksi |
Subject: |
[Bug-tar] Heap-based buffer overflow in xheader.c:188:xheader_set_keyword_equal(). |
Date: |
Thu, 20 Dec 2018 20:59:19 +1100 |
Hi All,
I'd like to report a defect in tar v1.30.
Execution of the following command will cause a heap-based buffer overflow:
-- cut --
$ ~/tar-asan/src/tar --pax-option==
=================================================================
==28267==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6070000006af at pc 0x562f9aa1b349 bp 0x7ffc7b4e51c0 sp
0x7ffc7b4e51b8
READ of size 1 at 0x6070000006af thread T0
#0 0x562f9aa1b348 in xheader_set_keyword_equal
/home/s1m0n/tar/tar-asan/src/xheader.c:188
#1 0x562f9aa1b348 in xheader_set_option
/home/s1m0n/tar/tar-asan/src/xheader.c:237
#2 0x562f9aa9a91f in parse_opt /home/s1m0n/tar/tar-asan/src/tar.c:1845
#3 0x562f9aaffac6 in group_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:234
#4 0x562f9aaffac6 in parser_parse_opt
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:749
#5 0x562f9aaffac6 in parser_parse_next
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:860
#6 0x562f9aaffac6 in argp_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:928
#7 0x562f9a9b164e in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2312
#8 0x562f9a9b164e in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
#9 0x7fdf7ac2fb16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
#10 0x562f9a9baaa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)
0x6070000006af is located 1 bytes to the left of 71-byte region
[0x6070000006b0,0x6070000006f7)
allocated by thread T0 here:
#0 0x7fdf7aeb2ed0 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x562f9ab6e5f8 in xmalloc /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:41
#2 0x562f9ab6ede4 in xmemdup /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:113
#3 0x562f9ab6ee5c in xstrdup /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:121
#4 0x562f9aa9a83f in expand_pax_option
/home/s1m0n/tar/tar-asan/src/tar.c:1202
#5 0x562f9aa9a83f in parse_opt /home/s1m0n/tar/tar-asan/src/tar.c:1843
#6 0x562f9aaffac6 in group_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:234
#7 0x562f9aaffac6 in parser_parse_opt
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:749
#8 0x562f9aaffac6 in parser_parse_next
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:860
#9 0x562f9aaffac6 in argp_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:928
#10 0x562f9a9b164e in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2312
#11 0x562f9a9b164e in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
#12 0x7fdf7ac2fb16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:188 in
xheader_set_keyword_equal
Shadow bytes around the buggy address:
0x0c0e7fff8080: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
0x0c0e7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0e7fff80b0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff80c0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fff80d0: 00 00 fa fa fa[fa]00 00 00 00 00 00 00 00 07 fa
0x0c0e7fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28267==ABORTING
-- cut --
Please let me know if you have any questions.
Thanks,
Filip Palian
- [Bug-tar] Heap-based buffer overflow in xheader.c:188:xheader_set_keyword_equal().,
x ksi <=