[Bug-cpio] out-of-bounds write with cpio -i
From: Michal Zalewski
Subject: [Bug-cpio] out-of-bounds write with cpio -i
Date: Sat, 22 Nov 2014 23:37:07 -0800
Please see this test case for cpio 2.11:
http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
As far as I can tell, it's a file with declared length field of
(int)-1. That gets us to this portion of code in copyin.c
(list_file()), with c_filesize just taken from the input file:
link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
link_name[file_hdr->c_filesize] = '\0';
...cpio ends up allocating a zero-sized buffer and then writing out of
bounds, which could conceivably pose a security risk when trying to
examine untrusted archives (e.g., when invoked from lesspipe).
/mz
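The size arithmetic in the report, worked through as an added example (this is not cpio's code and not the reporter's; the function names are hypothetical, and c_filesize is modelled as a signed 64-bit integer). The first two functions reproduce the two quoted lines: the cast truncates the declared size to 32 bits and the `+ 1` is evaluated in `unsigned int`, so a declared size of -1 becomes a zero-byte allocation while the NUL is still written at the untruncated index. The same truncation also hides sizes at or above 2^32, which the report does not cover. The third function is one way to do the same read with the size checked against the bytes actually left in the archive before anything is allocated.

```c
/* Added example, not cpio's own code: models the size handling quoted
 * from copyin.c (list_file) and a checked alternative. c_filesize is
 * modelled as int64_t (an assumption); helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The allocation size exactly as the quoted xmalloc line computes it:
 * the cast truncates to 32 bits, then the +1 is done in unsigned int. */
unsigned int unchecked_alloc_size(int64_t c_filesize)
{
    return (unsigned int) c_filesize + 1;
}

/* The index used for the terminating NUL in the quoted line. It comes
 * from the untruncated field, so it is not bounded by the size above. */
int64_t unchecked_nul_index(int64_t c_filesize)
{
    return c_filesize;
}

/* Checked replacement: read a link target of c_filesize bytes from the
 * bytes that remain in the archive (data/avail). Returns a freshly
 * allocated NUL-terminated string, or NULL if the declared size cannot be
 * right. The caller frees the result. */
char *read_link_name_checked(int64_t c_filesize,
                             const unsigned char *data, size_t avail)
{
    /* A negative size, or one larger than the input that is left, is a
     * corrupt or hostile header: reject it before doing any arithmetic. */
    if (c_filesize < 0)
        return NULL;
    if ((uint64_t) c_filesize > avail)
        return NULL;
    /* c_filesize <= avail, so it fits size_t; len + 1 can only wrap when
     * len == SIZE_MAX, which no real buffer reaches, but guard anyway. */
    size_t len = (size_t) c_filesize;
    if (len == SIZE_MAX)
        return NULL;
    char *name = malloc(len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, data, len);
    name[len] = '\0';               /* the NUL now lands inside the buffer */
    return name;
}

int main(void)
{
    /* Constructed stand-in for the archive bytes that follow the header. */
    const unsigned char payload[] = "../../etc/passwd";
    size_t avail = sizeof payload - 1;

    printf("c_filesize=-1:   xmalloc gets %u bytes, NUL index %lld\n",
           unchecked_alloc_size(-1), (long long) unchecked_nul_index(-1));
    printf("c_filesize=2^32: xmalloc gets %u bytes, NUL index %lld\n",
           unchecked_alloc_size((int64_t) 1 << 32),
           (long long) unchecked_nul_index((int64_t) 1 << 32));

    char *ok = read_link_name_checked(16, payload, avail);
    printf("checked, size 16: %s\n", ok ? ok : "(rejected)");
    free(ok);

    char *bad = read_link_name_checked(-1, payload, avail);
    printf("checked, size -1: %s\n", bad ? bad : "(rejected)");
    free(bad);
    return 0;
}
```

The checked version deliberately compares the declared size against the bytes still available rather than against a fixed cap: a symlink target can never be longer than what the archive actually carries, so that bound rejects both the -1 case and any oversized declaration without having to guess a sensible maximum.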