[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack

From: Ladislav Michnovič
Subject: Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow
Date: Fri, 17 Aug 2007 11:37:03 +0200

2007/8/17, Dmitry V. Levin <address@hidden>:
> Hi,
> paxlib's safer_name_suffix() function uses alloca() to report prefix string
> it is going to strip, and recent tar and cpio versions use this function
> both in list and extract modes.
> The problem is that length of this string (i.e. size passed to alloca)
> is under tarball owner control.
> As result, tar/cpio crashes if this string is sufficiently long.
> Fortunately, memcpy() call which follows alloca() call makes this stack
> overflow a plain crash, so it does not look exploitable.
> Reproducer:
> $ ulimit -s
> 8192
> $ ./tarnull null.tar
> $ bzip2 -9 null.tar
> $ ls -log null.tar.bz2
> -rw-r--r-- 1 543 Aug 15 18:00 null.tar.bz2
> $ tar tf null.tar.bz2
> Segmentation fault


 I have tested your reproducer and I've got segfault. I recompiled
cpio 2.9 with your patch but I'm still getting segfault.
Have I missed something?

 Regards Ladislav.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]