[Bug-cpio] [PATCH] Fix signed integer overflow - big block sizes – cpio
From: David Moore
Subject: [Bug-cpio] [PATCH] Fix signed integer overflow - big block sizes – cpio 2.12
Date: Tue, 9 Feb 2016 11:27:26 -0800
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
Hi -
A signed integer overflow is triggered in cpio 2.12 when large block
size values are used during copy in on 32-bit Ubuntu 14.04.
The supplied block size is multiplied by 512 in main.c:parse_opt resulting
in a wrap around and a negative value for io_block_size. The resulting
bad read is caught by glibc.
POC:
# python -c "print 'A'*1516" > file; echo file | cpio -o > int_overflow.cpio
# cpio -i --block-size=20971520 -F int_overflow.cpio
*** Error in `cpio': free(): invalid next size (fast): 0x08070eb0 ***
Aborted (core dumped)
# uname -a
Linux x-Acer 3.19.0-33-generic #38~14.04.1-Ubuntu SMP Fri Nov 6 18:17:49 UTC 2015 i686 i686 i686 GNU/Linux
I attempted to find a similar issue using --io-size but was unable to
cause an overflow.
This fix limits the upper bound on --block-size. Please consider the
attached patch and let me know if you would like any changes.
Thank you and regards,
David Moore
@grajagandev
Patch Summary:
* src/main.c: add upper bound on --block-size
* tests/big-block-size.at: New file
* tests/Makefile.am: Add new file
* tests/testsuite.at: Add new file
Attached Patch Files:
0001-Add-test-for-signed-integer-overflow.patch
0002-Fix-signed-integer-overflow-big-block-sizes.patch
---
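As an added illustration (editor's example, not the attached patch, whose contents do not appear in this message), the C snippet below shows the class of bound check the report's fix implies: a --block-size argument is a count of 512-byte records, and its product with 512 must fit in a 32-bit int before it is stored in io_block_size. The function names and the choice of INT_MAX / 512 as the upper bound are assumptions; the second function reproduces the wrap the report describes, carried out in unsigned arithmetic so the demonstration itself stays well defined.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not cpio's code): turn a --block-size argument,
 * given as a count of 512-byte records, into a byte count.  Returns the
 * byte count, or -1 with errno set when the argument is malformed or the
 * product would not fit in an int. */
long block_size_bytes(const char *arg)
{
    char *end;
    errno = 0;
    long blocks = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || blocks <= 0) {
        errno = EINVAL;
        return -1;
    }
    /* Upper bound assumed here: blocks * 512 <= INT_MAX.  Comparing
     * against INT_MAX / 512 decides without ever performing the
     * multiplication that could overflow. */
    if (blocks > INT_MAX / 512) {
        errno = ERANGE;
        return -1;
    }
    return blocks * 512;   /* cannot overflow: blocks <= INT_MAX / 512 */
}

/* The unchecked computation the report describes, with the wrap made
 * explicit in unsigned arithmetic (signed overflow itself is undefined
 * behaviour in C).  With a 32-bit int the product for 20971520 records
 * wraps to 0x80000000, which reads back as a negative int. */
int unchecked_block_size(long blocks)
{
    unsigned int product = (unsigned int)blocks * 512u;
    return (int)product;
}

int main(void)
{
    /* Constructed sample arguments: a normal size, the largest accepted
     * value, the first rejected value, and the value from the report. */
    const char *inputs[] = { "5120", "4194303", "4194304", "20971520" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long bytes = block_size_bytes(inputs[i]);
        if (bytes < 0)
            printf("--block-size=%s rejected (%s)\n", inputs[i],
                   errno == ERANGE ? "too large" : "invalid");
        else
            printf("--block-size=%s -> %ld bytes\n", inputs[i], bytes);
    }
    printf("unchecked 20971520 * 512 as int: %d\n",
           unchecked_block_size(20971520));
    return 0;
}
```

Dividing INT_MAX by 512 and comparing the record count against that quotient is the usual way to bound a multiplication before performing it; it also documents the limit in terms of the type that will eventually hold the value, which is what the reporter's negative io_block_size traces back to.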