bug-cpio

[Bug-cpio] out-of-bounds write with cpio -i


From: Michal Zalewski
Subject: [Bug-cpio] out-of-bounds write with cpio -i
Date: Sat, 22 Nov 2014 23:37:07 -0800

Please see this test case for cpio 2.11:

http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio

As far as I can tell, it's a file with declared length field of
(int)-1. That gets us to this portion of code in copyin.c
(list_file()), with c_filesize just taken from the input file:

  link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
  link_name[file_hdr->c_filesize] = '\0';

...cpio ends up allocating a zero-sized buffer and then writing out of
bounds, which could conceivably pose a security risk when trying to
examine untrusted archives (e.g., when invoked from lesspipe).

/mz
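The integer wrap described in the mail, as an added C example that is not part of the post or of cpio's source. It models only the arithmetic of the two quoted lines: a newc-style 8-hex-digit size field is parsed into a 32-bit value (the field is assumed here to be "FFFFFFFF", which is the (int)-1 the mail refers to), the allocation size (unsigned int)c_filesize + 1 wraps to 0, and the terminator index c_filesize falls outside the allocation. The out-of-bounds write itself is only computed as a condition, never performed. The hardened variant, the cap DEMO_MAX_LINK_LEN and all function names are this example's own, not cpio's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse an 8-character ASCII hex field of the kind used by the newc
 * cpio header. Returns 0xFFFFFFFF for the constructed field "FFFFFFFF". */
uint32_t parse_hex8(const char *field)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        char c = field[i];
        unsigned d;
        if (c >= '0' && c <= '9')      d = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') d = (unsigned)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') d = (unsigned)(c - 'A' + 10);
        else return 0;                 /* malformed field: treat as 0 */
        v = (v << 4) | d;
    }
    return v;
}

/* Mirrors the arithmetic of the quoted allocation:
 *   xmalloc ((unsigned int) file_hdr->c_filesize + 1)
 * For c_filesize == 0xFFFFFFFF the unsigned addition wraps to 0. */
unsigned int vulnerable_alloc_size(uint32_t c_filesize)
{
    return (unsigned int) c_filesize + 1u;
}

/* The quoted code then stores the terminator at
 *   link_name[file_hdr->c_filesize]
 * Returns 1 if that index lies outside the (wrapped) allocation.
 * Only the condition is evaluated; no buffer is written. */
int vulnerable_write_is_oob(uint32_t c_filesize)
{
    size_t alloc = vulnerable_alloc_size(c_filesize);
    size_t idx = c_filesize;
    return idx >= alloc;
}

/* Hardened replacement (this example's, not cpio's fix): refuse any
 * declared link length above an explicit cap, and do the +1 in size_t
 * after the check so it cannot wrap. Returns NULL when the header is
 * rejected or allocation fails; the caller owns the buffer otherwise. */
#define DEMO_MAX_LINK_LEN ((size_t) 65536)   /* assumed sane upper bound */

char *safe_alloc_link_name(uint32_t c_filesize)
{
    size_t len = c_filesize;
    if (len > DEMO_MAX_LINK_LEN)
        return NULL;                   /* untrusted length: reject */
    char *buf = malloc(len + 1);       /* len + 1 <= 65537, no wrap */
    if (!buf)
        return NULL;
    buf[len] = '\0';                   /* now provably in bounds */
    return buf;
}

int main(void)
{
    const char crafted_field[] = "FFFFFFFF";   /* constructed sample */
    uint32_t size = parse_hex8(crafted_field);

    printf("declared c_filesize      : 0x%08x\n", size);
    printf("vulnerable alloc size    : %u\n", vulnerable_alloc_size(size));
    printf("terminator write is OOB  : %s\n",
           vulnerable_write_is_oob(size) ? "yes" : "no");

    char *name = safe_alloc_link_name(size);
    printf("hardened path accepts it : %s\n", name ? "yes" : "no");
    free(name);
    return 0;
}
```

The key point the example makes concrete is that the wrap happens in the allocation expression while the index expression uses the unwrapped value, so the two disagree by 2^32; any fix has to bound the length before the +1, not after.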


