[Bug-tar] Heap-based buffer overflow in xheader.c:{316, 344, 358}:xhead

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-tar] Heap-based buffer overflow in xheader.c:{316, 344, 358}:xhead

From:	x ksi
Subject:	[Bug-tar] Heap-based buffer overflow in xheader.c:{316, 344, 358}:xheader_format_name().
Date:	Thu, 20 Dec 2018 21:05:57 +1100

Hi All,

I'd like to report a defect in tar v1.30.

Execution of the following commands will cause a heap-based buffer overflows:

-- cut --
$ ~/tar-asan/src/tar -c -f none
--pax-option=globexthdr.name="%%%%%%",listopt="" none
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:316 in xheader_format_name

$ ~/tar-asan/src/tar -c -f none
--pax-option=globexthdr.name="%%%%%",listopt="" none
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:344 in xheader_format_name

$ ~/tar-asan/src/tar -c -f none
--pax-option=globexthdr.name="%%%",listopt="" none
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:358 in xheader_format_name

--

=================================================================
==12460==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000692 at pc 0x55f10f33bc91 bp 0x7ffdbeab0150 sp
0x7ffdbeab0148
WRITE of size 1 at 0x602000000692 thread T0
    #0 0x55f10f33bc90 in xheader_format_name
/home/s1m0n/tar/tar-asan/src/xheader.c:316
    #1 0x55f10f33bdf7 in xheader_ghdr_name
/home/s1m0n/tar/tar-asan/src/xheader.c:387
    #2 0x55f10f34183d in xheader_write_global
/home/s1m0n/tar/tar-asan/src/xheader.c:455
    #3 0x55f10f2dc02f in buffer_write_global_xheader
/home/s1m0n/tar/tar-asan/src/buffer.c:209
    #4 0x55f10f31184e in create_archive
/home/s1m0n/tar/tar-asan/src/create.c:1355
    #5 0x55f10f2d42b0 in main /home/s1m0n/tar/tar-asan/src/tar.c:2724
    #6 0x7f7968be5b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #7 0x55f10f2d9aa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)
0x602000000692 is located 0 bytes to the right of 2-byte region
[0x602000000690,0x602000000692)
allocated by thread T0 here:
    #0 0x7f7968e68ed0 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x55f10f48d5f8 in xmalloc /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:41
    #2 0x55f10f33aaa7 in xheader_format_name
/home/s1m0n/tar/tar-asan/src/xheader.c:308
    #3 0x55f10f33bdf7 in xheader_ghdr_name
/home/s1m0n/tar/tar-asan/src/xheader.c:387
    #4 0x55f10f34183d in xheader_write_global
/home/s1m0n/tar/tar-asan/src/xheader.c:455
    #5 0x55f10f2dc02f in buffer_write_global_xheader
/home/s1m0n/tar/tar-asan/src/buffer.c:209
    #6 0x55f10f31184e in create_archive
/home/s1m0n/tar/tar-asan/src/create.c:1355
    #7 0x55f10f2d42b0 in main /home/s1m0n/tar/tar-asan/src/tar.c:2724
    #8 0x7f7968be5b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:316 in xheader_format_name
Shadow bytes around the buggy address:
  0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
  0x0c047fff8090: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
  0x0c047fff80a0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
  0x0c047fff80b0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
  0x0c047fff80c0: fa fa 00 03 fa fa 04 fa fa fa 00 00 fa fa 00 fa
=>0x0c047fff80d0: fa fa[02]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12460==ABORTING
-- cut --

Please let me know if you have any questions.


Thanks,
Filip Palian

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-tar] Heap-based buffer overflow in xheader.c:{316, 344, 358}:xheader_format_name()., x ksi <=
- Re: [Bug-tar] Heap-based buffer overflow in xheader.c:{316, 344, 358}:xheader_format_name()., Sergey Poznyakoff, 2018/12/21

Prev by Date: [Bug-tar] Heap-based buffer overflow in xheader.c:188:xheader_set_keyword_equal().
Next by Date: [Bug-tar] Use-after-free in names.c:1297:name_match().
Previous by thread: [Bug-tar] Heap-based buffer overflow in xheader.c:188:xheader_set_keyword_equal().
Next by thread: Re: [Bug-tar] Heap-based buffer overflow in xheader.c:{316, 344, 358}:xheader_format_name().
Index(es):
- Date
- Thread