
From: Dmitry V. Levin
Subject: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow
Date: Fri, 17 Aug 2007 03:16:31 +0400

Hi,

paxlib's safer_name_suffix() function uses alloca() to report the prefix string
it is going to strip, and recent tar and cpio versions use this function
both in list and extract modes.
The problem is that the length of this string (i.e. the size passed to alloca)
is under the tarball owner's control.
As a result, tar/cpio crashes if this string is sufficiently long.

Fortunately, the memcpy() call which follows the alloca() call makes this stack
overflow a plain crash, so it does not look exploitable.

Reproducer:
$ ulimit -s
8192
$ ./tarnull null.tar
$ bzip2 -9 null.tar
$ ls -log null.tar.bz2
-rw-r--r-- 1 543 Aug 15 18:00 null.tar.bz2
$ tar tf null.tar.bz2
Segmentation fault

My suggestion is to avoid using alloca() with a user-controllable size.
In this particular case, the memcpy() call could be optimized out as well.


-- 
ldv

Attachment: paxlib-owl-alloca.diff
Description: Text document

Attachment: tarnull.c
Description: Text document

Attachment: pgpJEYXK4l1UD.pgp
Description: PGP signature
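The following is an added example, not code from this mail, from the attached diff, or from paxlib/tar/cpio. It mirrors the pattern the report describes (an alloca() buffer sized by the length of the prefix being stripped, followed by a memcpy() to NUL-terminate it for printing) and places it next to a form that needs neither: printf's `%.*s` precision prints exactly the prefix bytes in place. The prefix rule in `stripped_prefix_len` (leading `/` characters and leading `..` components) is a constructed approximation, and all function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <alloca.h>

/* Constructed approximation of the prefix rule: leading '/' characters and
   leading ".." components are stripped. This is not paxlib's exact logic. */
size_t stripped_prefix_len(const char *name)
{
    size_t n = 0;
    for (;;) {
        while (name[n] == '/')
            n++;
        if (name[n] == '.' && name[n + 1] == '.'
            && (name[n + 2] == '/' || name[n + 2] == '\0')) {
            n += 2;
            continue;
        }
        return n;
    }
}

/* "Before": the pattern the mail describes. The alloca() size equals the
   prefix length, which the archive author chooses, so a long enough prefix
   moves the stack pointer past the guard page and the memcpy() faults. */
void report_prefix_alloca(const char *name, size_t len, FILE *out)
{
    char *prefix = alloca(len + 1);
    memcpy(prefix, name, len);
    prefix[len] = '\0';
    fprintf(out, "Removing leading `%s' from member names\n", prefix);
}

/* "After": no alloca() and no memcpy(). The %.*s precision prints exactly
   LEN bytes of NAME in place, so no NUL-terminated copy is needed. Precision
   is an int, so clamp it; the output is bounded by BUFSIZE regardless. */
int format_prefix_warning(const char *name, size_t len, char *buf, size_t bufsize)
{
    int n = len > INT_MAX ? INT_MAX : (int)len;
    return snprintf(buf, bufsize, "Removing leading `%.*s' from member names", n, name);
}

/* Helper for checks: strip NAME's prefix, format the warning, compare. */
int warning_matches(const char *name, const char *expected)
{
    char buf[128];
    format_prefix_warning(name, stripped_prefix_len(name), buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Build a name with LEN leading slashes (far beyond any sane prefix) and show
   the hardened path copes: the prefix is measured, the message is truncated
   to the buffer, and no stack memory proportional to LEN is touched. */
int large_prefix_is_handled(size_t len)
{
    char *name = malloc(len + 2);
    char buf[64];
    int rc;
    if (!name)
        return 0;
    memset(name, '/', len);
    name[len] = 'x';
    name[len + 1] = '\0';
    if (stripped_prefix_len(name) != len) {
        free(name);
        return 0;
    }
    rc = format_prefix_warning(name, len, buf, sizeof buf);
    free(name);
    /* snprintf reports the full length it would have written, while the
       buffer holds a NUL-terminated truncation of the message. */
    return rc > (int)sizeof buf && strlen(buf) == sizeof buf - 1;
}

int main(void)
{
    char buf[128];
    const char *name = "/../etc/passwd";         /* constructed sample name */
    size_t len = stripped_prefix_len(name);

    report_prefix_alloca(name, len, stdout);     /* harmless for a short prefix */
    format_prefix_warning(name, len, buf, sizeof buf);
    puts(buf);
    printf("large prefix handled: %s\n",
           large_prefix_is_handled(1u << 20) ? "yes" : "no");
    return 0;
}
```

The check worth keeping from this is the second one: a reporting path should never allocate stack space proportional to a length read from the archive, and when the only purpose of the copy is to NUL-terminate a substring for a diagnostic, a bounded `%.*s` removes both the allocation and the copy.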

