Hello,
Two out-of-bounds reads in cpio 2.11 were found in the parsing of cpio files (other versions are probably affected). Find attached a test case to reproduce them. The ASAN report of the first one is here:
$ ./cpio -i < overflow.cpio
./cpio: warning: skipped 8 bytes of junk
=================================================================
==31838==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edb2 at pc 0x7fb81910ba28 bp 0x7fffa1c286d0 sp 0x7fffa1c27e80
READ of size 2 at 0x60200000edb2 thread T0
#0 0x7fb81910ba27 in strchr (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6ea27)
#1 0x407174 in path_contains_symlink /home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:718
#2 0x40bce0 in process_copy_in /home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:1524
#3 0x4165c6 in main /home/vagrant/repos/cpio-2.11+dfsg/src/main.c:746
#4 0x7fb818cf9ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#5 0x403408 (/home/vagrant/repos/cpio-2.11+dfsg/src/cpio+0x403408)
0x60200000edb2 is located 0 bytes to the right of 2-byte region [0x60200000edb0,0x60200000edb2)
allocated by thread T0 here:
#0 0x7fb81913176a in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9476a)
#1 0x43da22 in xrealloc /home/vagrant/repos/cpio-2.11+dfsg/gnu/xmalloc.c:59
#2 0x40b5ab in process_copy_in /home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:1437
#3 0x4165c6 in main /home/vagrant/repos/cpio-2.11+dfsg/src/main.c:746
#4 0x7fb818cf9ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
and the second one is here:
$ ./cpio -t < overflow.cpio
./cpio: warning: skipped 8 bytes of junk
=================================================================
==3962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edb2 at pc 0x7f705ab831b1 bp 0x7ffc620c3f70 sp 0x7ffc620c3720
READ of size 3 at 0x60200000edb2 thread T0
#0 0x7f705ab831b0 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x5e1b0)
#1 0x7f705ab837b7 in __interceptor_vprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x5e7b7)
#2 0x7f705ab838a9 in __interceptor_printf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x5e8a9)
#3 0x403d55 in list_file /home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:180
#4 0x40b958 in process_copy_in /home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:1478
#5 0x4165c6 in main /home/vagrant/repos/cpio-2.11+dfsg/src/main.c:746
#6 0x7f705a781ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#7 0x403408 (/home/vagrant/repos/cpio-2.11+dfsg/src/cpio+0x403408)
0x60200000edb2 is located 0 bytes to the right of 2-byte region [0x60200000edb0,0x60200000edb2)
allocated by thread T0 here:
#0 0x7f705abb976a in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9476a)
#1 0x43da22 in xrealloc /home/vagrant/repos/cpio-2.11+dfsg/gnu/xmalloc.c:59
#2 0x40b5ab in process_copy_in /home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:1437
#3 0x4165c6 in main /home/vagrant/repos/cpio-2.11+dfsg/src/main.c:746
#4 0x7f705a781ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
These issues were found using QuickFuzz.
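Both ASAN reports show a libc string routine (strchr in path_contains_symlink, then printf's "%s" in list_file) reading past the end of the same 2-byte heap buffer that process_copy_in grew with xrealloc at copyin.c:1437, which is the signature of a name field copied at its archive-supplied length without a terminating NUL. As an added illustration, not cpio's code and not the attached test case, the following sketches the bounded checks a copy-in step can apply to such a field before it reaches strchr or printf; the field layout and all function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Grow-and-copy step like the one at copyin.c:1437, validated before the buffer
 * can reach strchr or printf. Assumed layout (not cpio's code): the header gives
 * namesize and the field is exactly namesize bytes ending in NUL. Returns 0 and
 * sets *out, or -1 with *out untouched if truncated, unterminated or embedded NUL. */
int read_name_field(const unsigned char *archive, size_t archive_len,
                    size_t namesize, char **out)
{
    if (namesize == 0 || namesize > archive_len) return -1;  /* truncated */
    if (archive[namesize - 1] != '\0') return -1;            /* no final NUL */
    if (memchr(archive, '\0', namesize - 1) != NULL) return -1;
    char *buf = malloc(namesize);
    if (buf == NULL) return -1;
    memcpy(buf, archive, namesize);
    *out = buf;
    return 0;
}

/* Bounded stand-in for a strchr-based walk over path components: counts '/'
 * separators without ever scanning past namesize bytes. */
size_t count_separators_bounded(const char *name, size_t namesize)
{
    size_t n = 0;
    const char *p = name, *end = name + namesize;
    while ((p = memchr(p, '/', (size_t)(end - p))) != NULL) { n++; p++; }
    return n;
}

/* Constructed sample fields, not the attached test case. */
static const unsigned char kBadField[2]  = { 'a', 'b' };         /* no NUL */
static const unsigned char kGoodField[4] = { 'a', '/', 'b', 0 }; /* "a/b" */

/* 1 when the unterminated field is rejected and no buffer is handed out. */
int demo_rejects_unterminated(void)
{
    char *name = NULL;
    return read_name_field(kBadField, 2, 2, &name) == -1 && name == NULL;
}

/* Separator count for the valid field (1), or -1 if it was wrongly rejected. */
int demo_accepts_terminated(void)
{
    char *name = NULL;
    if (read_name_field(kGoodField, 4, 4, &name) != 0) return -1;
    int seps = (int)count_separators_bounded(name, 4);
    printf("%s: %d separator(s)\n", name, seps);   /* safe: name is terminated */
    free(name);
    return seps;
}
```

The 2-byte constructed field is the shape the traces describe: two non-NUL bytes, so any unbounded scan runs off the end of the allocation.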