bug-cpio

[Bug-cpio] [PATCH] Fix signed integer overflow - big block sizes – cpio


From: David Moore
Subject: [Bug-cpio] [PATCH] Fix signed integer overflow - big block sizes – cpio 2.12
Date: Tue, 9 Feb 2016 11:27:26 -0800
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

Hi -

A signed integer overflow is triggered in cpio 2.12 when large block size values are
used during copy in on 32-bit Ubuntu 14.04.

The supplied block size is multiplied by 512 in main.c:parse_opt resulting
in a wrap around and a negative value for io_block_size. The resulting bad read
is caught by glibc.

POC:
# python -c "print 'A'*1516" > file; echo file | cpio -o > int_overflow.cpio
# cpio -i --block-size=20971520 -F int_overflow.cpio
*** Error in `cpio': free(): invalid next size (fast): 0x08070eb0 ***
Aborted (core dumped)

# uname -a
Linux x-Acer 3.19.0-33-generic #38~14.04.1-Ubuntu SMP Fri Nov 6 18:17:49
UTC 2015 i686 i686 i686 GNU/Linux

I attempted to find a similar issue using --io-size but was unable to cause an overflow.

This fix limits the upper bound on --block-size. Please consider the
attached patch and let me know if you would like any changes.

Thank you and regards,
David Moore
@grajagandev


Patch Summary:
* src/main.c: add upper bound on --block-size
* tests/big-block-size.at: New file
* tests/Makefile.am: Add new file
* tests/testsuite.at: Add new file

Attached Patch Files:
0001-Add-test-for-signed-integer-overflow.patch
0002-Fix-signed-integer-overflow-big-block-sizes.patch




Attachment: 0001-Add-test-for-signed-integer-overflow.patch
Description: Text document

Attachment: 0002-Fix-signed-integer-overflow-big-block-sizes.patch
Description: Text document
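The multiply the report describes, reproduced as an added example (not the cpio patch or cpio's code): the first function shows what 20971520 * 512 becomes in a 32-bit int, the second is a hardened parser that rejects the value before the multiply. The function names and the bound INT_MAX / 512 are assumptions for this example; the report does not state the limit the patch chose.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* cpio multiplies --block-size by 512 to obtain io_block_size. */
#define BLOCK_UNIT 512

/* Reproduces the 32-bit wrap from the report without undefined behaviour:
 * the multiply is done in uint32_t and the result reinterpreted as a
 * signed 32-bit value, which is what a 32-bit int ends up holding. */
int32_t wrapped_io_block_size(uint32_t block_size)
{
    uint32_t product = block_size * (uint32_t)BLOCK_UNIT;
    return (int32_t)product;   /* 20971520 -> INT32_MIN (negative) */
}

/* Hardened parse (hypothetical, not cpio's parse_opt): rejects non-numeric
 * input, zero, negatives and any value whose product with 512 would not
 * fit in int. Bound INT_MAX / BLOCK_UNIT is an assumption for this example.
 * Returns 0 on success and stores the result in *io_block_size. */
int parse_block_size(const char *arg, int *io_block_size)
{
    char *end;
    long long value;

    errno = 0;
    value = strtoll(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return -1;                          /* not a clean decimal number */
    if (value <= 0 || value > INT_MAX / BLOCK_UNIT)
        return -1;                          /* empty block or would wrap */
    *io_block_size = (int)(value * BLOCK_UNIT);
    return 0;
}

int main(void)
{
    int size = 0;
    printf("20971520 * 512 in a 32-bit int = %ld\n",
           (long)wrapped_io_block_size(20971520u));
    printf("parse 20971520 -> %s\n",
           parse_block_size("20971520", &size) == 0 ? "ok" : "rejected");
    printf("parse 1024 -> %s, io_block_size = %d\n",
           parse_block_size("1024", &size) == 0 ? "ok" : "rejected", size);
    return 0;
}
```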

