bug-cpio
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-cpio] [PATCH] fix 1-byte out-of-bounds write


From: Kristýna Streitová
Subject: Re: [Bug-cpio] [PATCH] fix 1-byte out-of-bounds write
Date: Thu, 6 Apr 2017 15:01:46 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

Hello Pavel,

Thank you for your patch. This approach definitely suits upstream better
than the minimalistic maintenance patch.

I tested it with the reproducers I sent you in my previous mail and with
the reproducer for CVE-2016-2037 and it works fine for me.

>> Basically, there are 2 problems:
>>
>> 1) file_hdr.c_namesize is not defined for tar and ustar archive formats. 
>> Therefore we have a random memory here and that's the reason why it's 
>> reproducible randomly.
> 
> It means that we should initialize c_namesize I guess, even though this is
> different issue.

That's a good idea. Maybe it would be worth to initialize other
variables that are not initialized yet. For tar archives it's for
example c_ino, c_dev_maj and c_dev_min variables. But that's definitely
a different issue.

>> 2) file_hdr.c_name uses static memory [1] for tar and ustar archive 
>> formats. Therefore 'xrealloc(file_hdr.c_name, 2)' call causes a dump for 
>> these archive types as we are trying to realloc static memory.
> 
> Yes, that's something which complicated fixing and reading of the code, so
> the attached patch should rather use buffer on heap.  It is still not very
> clean approach, and not as trivial patch as before - but the code should be
> a bit cleaner I hope.

Thank you for it. I have just small comments on your patch:

1) It seems that the first hunk slightly changes the logic.
Before your patch, the 'is_tar_filename_too_long()' function was called
for tar and ustar archives only but now it's called for all archive types.

As this function checks whether the filename is too long to fit in a tar
header, it should be called for tar/ustar archives only, I believe.

2) It's just a small thing but it seems that you forgot to use your new
'cpio_set_c_name()' function for 'file_hdr.c_name = CPIO_TRAILER_NAME'
in the copyout.c file.

Best regards,
Kristyna Streitova

Attachment: signature.asc
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]