
[Bug-cpio] Heap-based buffer overflow in safe-read.c:66:safe_read().


From: Filip Palian
Subject: [Bug-cpio] Heap-based buffer overflow in safe-read.c:66:safe_read().
Date: Wed, 2 Jan 2019 23:27:56 +1100

Hi All,

I'd like to report a defect in cpio v2.12
(3be097c12ec14a69b3f3df3e2138fa235a3154d7).

Execution of the following command with the attached test-case will
cause a heap-based buffer overflow:

-- cut --
$  ~/cpio-git-asan/src/cpio -i --io-size=9.0 < ./hbof_1
=================================================================
==18400==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x626000002900 at pc 0x00000044ca1d bp 0x7ffe20009e10 sp
0x7ffe200095c0
WRITE of size 5120 at 0x626000002900 thread T0
    #0 0x44ca1c in __interceptor_read.part.49
(/home/s1m0n/cpio/cpio-asan/src/cpio+0x44ca1c)
    #1 0x5e0243 in safe_read /home/s1m0n/cpio/cpio-asan/gnu/safe-read.c:66:24
    #2 0x55b516 in tape_buffered_peek
/home/s1m0n/cpio/cpio-asan/src/util.c:364:24
    #3 0x51059f in read_in_header /home/s1m0n/cpio/cpio-asan/src/copyin.c:971:19
    #4 0x51e718 in process_copy_in
/home/s1m0n/cpio/cpio-asan/src/copyin.c:1358:7
    #5 0x548817 in main /home/s1m0n/cpio/cpio-asan/src/main.c:788:3
    #6 0x7f832ed05b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #7 0x41e8c9 in _start (/home/s1m0n/cpio/cpio-asan/src/cpio+0x41e8c9)
0x626000002900 is located 0 bytes to the right of 10240-byte region
[0x626000000100,0x626000002900)
allocated by thread T0 here:
    #0 0x4d3f20 in malloc (/home/s1m0n/cpio/cpio-asan/src/cpio+0x4d3f20)
    #1 0x5e99e4 in xmalloc /home/s1m0n/cpio/cpio-asan/gnu/xmalloc.c:41:13
    #2 0x548335 in initialize_buffers
/home/s1m0n/cpio/cpio-asan/src/main.c:763:27
    #3 0x5487f0 in main /home/s1m0n/cpio/cpio-asan/src/main.c:786:3
    #4 0x7f832ed05b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/s1m0n/cpio/cpio-asan/src/cpio+0x44ca1c) in
__interceptor_read.part.49
==18400==ABORTING
-- cut --

Please let me know if you have any questions.


Thanks,
Filip Palian

Attachment: hbof_1
Description: Binary data
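An added triage helper, not part of the original report or of cpio: it parses the access and allocation lines of the AddressSanitizer output above (sample lines copied inline, re-joined onto single lines) and computes how far the write extends past the allocated region and which program frames performed the access and the allocation.

```python
import re

# Constructed sample: the access and allocation lines from the ASan report
# in the message above, joined back onto single lines.
ASAN_REPORT = """\
==18400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000002900 at pc 0x00000044ca1d bp 0x7ffe20009e10 sp 0x7ffe200095c0
WRITE of size 5120 at 0x626000002900 thread T0
    #0 0x44ca1c in __interceptor_read.part.49 (/home/s1m0n/cpio/cpio-asan/src/cpio+0x44ca1c)
    #1 0x5e0243 in safe_read /home/s1m0n/cpio/cpio-asan/gnu/safe-read.c:66:24
0x626000002900 is located 0 bytes to the right of 10240-byte region [0x626000000100,0x626000002900)
allocated by thread T0 here:
    #0 0x4d3f20 in malloc (/home/s1m0n/cpio/cpio-asan/src/cpio+0x4d3f20)
    #1 0x5e99e4 in xmalloc /home/s1m0n/cpio/cpio-asan/gnu/xmalloc.c:41:13
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", re.M)
# Frames that belong to the sanitizer runtime or allocator, not to the program under test.
RUNTIME_FRAMES = ("__interceptor_", "__asan_", "malloc", "calloc", "realloc")

def triage_heap_overflow(report):
    """Return the access kind, the victim allocation and the overrun size.
    Raises ValueError if the report does not carry the expected lines."""
    access_part, _, alloc_part = report.partition("allocated by")
    acc = ACCESS_RE.search(access_part)
    reg = REGION_RE.search(access_part)
    if not acc or not reg:
        raise ValueError("not a recognised heap-buffer-overflow report")
    kind, size, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)
    region_size, lo, hi = int(reg.group(1)), int(reg.group(2), 16), int(reg.group(3), 16)
    if hi - lo != region_size:
        raise ValueError("region bounds disagree with the stated region size")
    def first_program_frame(text):
        # First stack frame that is not sanitizer/allocator plumbing.
        for name in FRAME_RE.findall(text):
            if not name.startswith(RUNTIME_FRAMES):
                return name
        return None
    return {
        "kind": kind,
        "access_size": size,
        "region_size": region_size,
        # Bytes of the access that fall before the region start / after its end.
        "bytes_before_start": max(0, lo - addr),
        "bytes_past_end": max(0, addr + size - hi),
        "starts_at_region_end": addr == hi,
        "access_site": first_program_frame(access_part),
        "alloc_site": first_program_frame(alloc_part),
    }
```

For this report the whole 5120-byte write lands past the end of the 10240-byte buffer, so the read size handed to safe_read() exceeds the space left in the buffer allocated by initialize_buffers().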

