Several memory safety violations in cpio 2.13
From: Hanno Böck
Subject: Several memory safety violations in cpio 2.13
Date: Thu, 7 Nov 2019 09:22:58 +0100
Hi,
I noticed that a new version of cpio (2.13) was released recently
fixing a few of the known security issues.
I did a quick run with afl and immediately found more unfixed memory
safety violations.
I'll provide minified samples base64 encoded. To reproduce read those
files with cpio compiled with asan (-fsanitize=address in CFLAGS).
Heap overflow of 2 bytes in copyin_link
=======================================
Sample:
x3EwMDAwMKEwMDAwMDAwMDAwMDAKAAAAAAAwMDAwMDAwMDAw
Stack trace:
==30762==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000211 at pc 0x7f9320c202d5 bp 0x7ffe4d99a7b0 sp 0x7ffe4d999f58
WRITE of size 2 at 0x602000000211 thread T0
#0 0x7f9320c202d4 in memmove (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x9f2d4)
#1 0x55b47559d9c9 in copyin_link /tmp/cpio-2.13/src/copyin.c:648
#2 0x55b47559d9c9 in copyin_file /tmp/cpio-2.13/src/copyin.c:708
#3 0x55b47559d9c9 in process_copy_in /tmp/cpio-2.13/src/copyin.c:1407
#4 0x55b475580e27 in main /tmp/cpio-2.13/src/main.c:780
#5 0x7f93209d6f1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
#6 0x55b475582019 in _start (/tmp/y/cpio+0x14019)
0x602000000211 is located 0 bytes to the right of 1-byte region [0x602000000210,0x602000000211)
allocated by thread T0 here:
#0 0x7f9320c8cca8 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x10bca8)
#1 0x55b475641e50 in xmalloc /tmp/cpio-2.13/gnu/xmalloc.c:41
#2 0x55b47559d74d in get_link_name /tmp/cpio-2.13/src/copyin.c:120
#3 0x55b47559d74d in copyin_link /tmp/cpio-2.13/src/copyin.c:637
#4 0x55b47559d74d in copyin_file /tmp/cpio-2.13/src/copyin.c:708
#5 0x55b47559d74d in process_copy_in /tmp/cpio-2.13/src/copyin.c:1407
#6 0x55b475580e27 in main /tmp/cpio-2.13/src/main.c:780
#7 0x7f93209d6f1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
#8 0x55b475582019 in _start (/tmp/y/cpio+0x14019)
Heap out of bounds read (129 bytes) in add_inode
================================================
Sample:
x3EwMDAwMIEwMDAwMDAwMDAwMDACADAwMDAwMA==
Stack trace:
==30769==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000000240 at pc 0x7f8eea2c596d bp 0x7ffea661ef00 sp 0x7ffea661e6a8
READ of size 129 at 0x60c000000240 thread T0
#0 0x7f8eea2c596c (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x6696c)
#1 0x55db5a36c216 in xstrdup /tmp/cpio-2.13/gnu/xmalloc.c:121
#2 0x55db5a2f9792 in add_inode /tmp/cpio-2.13/src/util.c:743
#3 0x55db5a2e2017 in link_to_maj_min_ino /tmp/cpio-2.13/src/copypass.c:358
#4 0x55db5a2acf80 in copyin_regular_file /tmp/cpio-2.13/src/copyin.c:448
#5 0x55db5a2c5fce in copyin_file /tmp/cpio-2.13/src/copyin.c:688
#6 0x55db5a2c5fce in process_copy_in /tmp/cpio-2.13/src/copyin.c:1407
#7 0x55db5a2aae27 in main /tmp/cpio-2.13/src/main.c:780
#8 0x7f8eea0b4f1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
#9 0x55db5a2ac019 in _start (/tmp/y/cpio+0x14019)
0x60c000000240 is located 0 bytes to the right of 128-byte region [0x60c0000001c0,0x60c000000240)
allocated by thread T0 here:
#0 0x7f8eea36b0c9 in realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x10c0c9)
#1 0x55db5a36c006 in xrealloc /tmp/cpio-2.13/gnu/xmalloc.c:61
#2 0x55db5a36c006 in x2nrealloc /tmp/cpio-2.13/gnu/xalloc.h:211
#3 0x55db5a36c006 in x2realloc /tmp/cpio-2.13/gnu/xmalloc.c:76
#4 0x55db5a302df7 in cpio_realloc_c_name /tmp/cpio-2.13/src/util.c:1259
#5 0x55db5a2be8a1 in read_name_from_file /tmp/cpio-2.13/src/copyin.c:1001
#6 0x55db5a2be8a1 in read_in_binary /tmp/cpio-2.13/src/copyin.c:1139
#7 0x55db5a2c081f in read_in_header /tmp/cpio-2.13/src/copyin.c:989
#8 0x55db5a2c27ac in process_copy_in /tmp/cpio-2.13/src/copyin.c:1278
#9 0x55db5a2aae27 in main /tmp/cpio-2.13/src/main.c:780
#10 0x7f8eea0b4f1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
#11 0x55db5a2ac019 in _start (/tmp/y/cpio+0x14019)
Heap out of bounds read (1 byte) in last_component
==================================================
Sample:
x3EwMDAwMEEwMDAwMDAwMDAwMDAEADAwMDAwMDAw
Stack trace:
==30779==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000000240 at pc 0x557646af7841 bp 0x7ffedce12f60 sp 0x7ffedce12f50
READ of size 1 at 0x60c000000240 thread T0
#0 0x557646af7840 in last_component /tmp/cpio-2.13/gnu/basename-lgpl.c:39
#1 0x557646af80a0 in strip_trailing_slashes /tmp/cpio-2.13/gnu/stripslash.c:33
#2 0x557646ab7396 in cpio_create_dir /tmp/cpio-2.13/src/util.c:1448
#3 0x557646a74ade in copyin_file /tmp/cpio-2.13/src/copyin.c:692
#4 0x557646a74ade in process_copy_in /tmp/cpio-2.13/src/copyin.c:1407
#5 0x557646a5be27 in main /tmp/cpio-2.13/src/main.c:780
#6 0x7fb33f32af1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
#7 0x557646a5d019 in _start (/tmp/y/cpio+0x14019)
0x60c000000240 is located 0 bytes to the right of 128-byte region [0x60c0000001c0,0x60c000000240)
allocated by thread T0 here:
#0 0x7fb33f5e10c9 in realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x10c0c9)
#1 0x557646b1d006 in xrealloc /tmp/cpio-2.13/gnu/xmalloc.c:61
#2 0x557646b1d006 in x2nrealloc /tmp/cpio-2.13/gnu/xalloc.h:211
#3 0x557646b1d006 in x2realloc /tmp/cpio-2.13/gnu/xmalloc.c:76
#4 0x557646ab3df7 in cpio_realloc_c_name /tmp/cpio-2.13/src/util.c:1259
#5 0x557646a6f8a1 in read_name_from_file /tmp/cpio-2.13/src/copyin.c:1001
#6 0x557646a6f8a1 in read_in_binary /tmp/cpio-2.13/src/copyin.c:1139
#7 0x557646a7181f in read_in_header /tmp/cpio-2.13/src/copyin.c:989
#8 0x557646a737ac in process_copy_in /tmp/cpio-2.13/src/copyin.c:1278
#9 0x557646a5be27 in main /tmp/cpio-2.13/src/main.c:780
#10 0x7fb33f32af1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
#11 0x557646a5d019 in _start (/tmp/y/cpio+0x14019)
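Added example (not part of the report and not GNU cpio code): a small triage script that decodes the three base64 samples quoted above and parses the 26-byte "old binary" cpio header (magic 070707) each one begins with. It reports the header inconsistencies a hardened reader would reject before handing the entry to copyin_link, add_inode or cpio_create_dir: a name that is not NUL-terminated within c_namesize, a c_filesize larger than the bytes actually present, and a symlink entry with an empty target. The field layout follows the old_cpio_header struct (13 host-order 16-bit words); the little-endian unpacking assumes the x86-64 host the report was produced on, and SAMPLES, parse_header, check_entry and triage are names chosen for this example.

```python
"""Triage the cpio 2.13 fuzzing samples by parsing their old-binary headers.

Added example: not the report's code and not GNU cpio's. The sample strings
are copied from the report; everything else is this script's own.
"""
import base64
import struct

# The three samples quoted in the report, keyed by the function ASan blamed.
SAMPLES = {
    "copyin_link":    "x3EwMDAwMKEwMDAwMDAwMDAwMDAKAAAAAAAwMDAwMDAwMDAw",
    "add_inode":      "x3EwMDAwMIEwMDAwMDAwMDAwMDACADAwMDAwMA==",
    "last_component": "x3EwMDAwMEEwMDAwMDAwMDAwMDAEADAwMDAwMDAw",
}

OLD_BINARY_MAGIC = 0o070707   # 0x71C7, the "old binary" cpio format
HEADER_LEN = 26               # 13 16-bit words
S_IFMT, S_IFLNK, S_IFDIR, S_IFREG = 0o170000, 0o120000, 0o040000, 0o100000


def parse_header(data):
    """Unpack the old-binary header (assumed little-endian host order)."""
    if len(data) < HEADER_LEN:
        raise ValueError("archive shorter than one header")
    (magic, _dev, _ino, mode, _uid, _gid, nlink, _rdev,
     mtime_hi, mtime_lo, namesize, size_hi, size_lo) = \
        struct.unpack("<13H", data[:HEADER_LEN])
    if magic != OLD_BINARY_MAGIC:
        raise ValueError("bad magic 0x%04x" % magic)
    # Two-word fields carry the high half first in this format.
    return {
        "mode": mode,
        "nlink": nlink,
        "namesize": namesize,
        "mtime": (mtime_hi << 16) | mtime_lo,
        "filesize": (size_hi << 16) | size_lo,
    }


def check_entry(data):
    """Return (header, problems) for the first entry of a decoded archive.

    Each problem is a condition that lets a crafted header drive cpio past
    the end of a heap buffer; a reader should refuse the entry instead.
    """
    hdr = parse_header(data)
    problems = []
    ns = hdr["namesize"]
    name = data[HEADER_LEN:HEADER_LEN + ns]
    if ns == 0:
        problems.append("namesize is 0")
    elif len(name) < ns:
        problems.append("name truncated: %d of %d bytes present" % (len(name), ns))
    elif name[-1] != 0:
        # c_namesize counts the terminating NUL; without it, string
        # functions such as xstrdup/strlen run off the name buffer.
        problems.append("name is not NUL-terminated within namesize")
    # Header plus name is padded to an even offset before the file data.
    data_start = HEADER_LEN + ns + (ns & 1)
    avail = max(0, len(data) - data_start)
    if hdr["filesize"] > avail:
        problems.append("filesize %d exceeds %d data bytes present"
                        % (hdr["filesize"], avail))
    if (hdr["mode"] & S_IFMT) == S_IFLNK and hdr["filesize"] == 0:
        # For a symlink the file data is the link target; an empty one
        # leaves a 1-byte buffer for any later path normalisation.
        problems.append("symlink with empty target")
    return hdr, problems


def triage(samples=SAMPLES):
    """Decode and check every sample; returns {label: (header, problems)}."""
    return {label: check_entry(base64.b64decode(b64))
            for label, b64 in samples.items()}


if __name__ == "__main__":
    for label, (hdr, problems) in triage().items():
        print("%-15s mode=%06o nlink=%d namesize=%d filesize=%d"
              % (label, hdr["mode"], hdr["nlink"], hdr["namesize"], hdr["filesize"]))
        for p in problems:
            print("    !", p)
```

Run stand-alone it shows what the three archives have in common: every name occupies exactly c_namesize bytes with no terminating NUL, so the name buffer cpio grows with x2realloc is never terminated inside its 128 bytes, which is the region both out-of-bounds reads run past. The copyin_link sample is a symlink entry (mode 0120460) whose c_filesize is 0, i.e. an empty link target; the other two declare a c_filesize of 0x30303030 bytes in archives of 28 and 30 bytes. Checking these three properties at header-parse time, and rejecting the entry rather than continuing, is the defensive counterpart of the fixes these reports ask for.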
--
Hanno Böck
https://hboeck.de/
mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42