[Bug-cpio] Segfault when updating newc archives
From: Burton, Ross
Subject: [Bug-cpio] Segfault when updating newc archives
Date: Wed, 28 Nov 2018 14:18:13 +0000
Using current git master of cpio, and introduced with the
CVE-2016-2037 out-of-bounds patch, I can trivially crash cpio. For
example from the top of the cpio git clone:
$ find gnulib/ | ./src/cpio -o -H newc >foo.cpio
70240 blocks
$ echo NEWS | ./src/cpio -oA -H newc -F foo.cpio
Segmentation fault (core dumped)
Adding a little debug and running in valgrind:
...
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 23
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 30
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 11
==30256== Conditional jump or move depends on uninitialised value(s)
==30256== at 0x4E800F0: vfprintf (vfprintf.c:1636)
==30256== by 0x4E87228: printf (printf.c:33)
==30256== by 0x116F42: cpio_set_c_name (util.c:1433)
==30256== by 0x110681: process_copy_out (copyout.c:663)
==30256== by 0x113A37: main (main.c:788)
==30256==
cpio_set_c_name() about to memmove() file_hdr 0xfff0004e0 c_name (nil) name 0x51d9590 len 5
==30256== Conditional jump or move depends on uninitialised value(s)
==30256== at 0x4C300D3: address@hidden (vg_replace_strmem.c:1017)
==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256== by 0x110681: process_copy_out (copyout.c:663)
==30256== by 0x113A37: main (main.c:788)
==30256==
==30256== Conditional jump or move depends on uninitialised value(s)
==30256== at 0x4C300E5: address@hidden (vg_replace_strmem.c:1017)
==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256== by 0x110681: process_copy_out (copyout.c:663)
==30256== by 0x113A37: main (main.c:788)
==30256==
==30256== Conditional jump or move depends on uninitialised value(s)
==30256== at 0x4C30171: address@hidden (vg_replace_strmem.c:1017)
==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256== by 0x110681: process_copy_out (copyout.c:663)
==30256== by 0x113A37: main (main.c:788)
==30256==
==30256== Use of uninitialised value of size 8
==30256== at 0x4C3019B: address@hidden (vg_replace_strmem.c:1017)
==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256== by 0x110681: process_copy_out (copyout.c:663)
==30256== by 0x113A37: main (main.c:788)
==30256==
==30256== Invalid write of size 2
==30256== at 0x4C3019B: address@hidden (vg_replace_strmem.c:1017)
==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256== by 0x110681: process_copy_out (copyout.c:663)
==30256== by 0x113A37: main (main.c:788)
==30256== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Ross
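The trace above shows the shape of the failure: the branch in cpio_set_c_name() depends on uninitialised header fields, and memmove() then writes through a NULL c_name. The following is an added illustration of that bug class, not cpio's code; the struct, field and function names are hypothetical, and it contrasts a setter that trusts a stale capacity field with one that treats a NULL buffer as zero capacity.

```c
/* Added illustration (not cpio's code): a grow-then-copy name setter in
 * the style the trace suggests.  All names here are hypothetical. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct hdr {
    char  *name;        /* heap buffer owned by the header */
    size_t name_buflen; /* capacity of name, in bytes */
    size_t namesize;    /* strlen(name) + 1, as stored in the archive */
};

/* Unsafe pattern: trusts name_buflen even when name is NULL.  If the
 * header was never zero-initialised, a garbage name_buflen skips the
 * realloc and memmove() writes through a NULL (or stale) pointer,
 * which is the "Invalid write ... Address 0x0" valgrind reports. */
static int set_name_unsafe(struct hdr *h, const char *name)
{
    size_t len = strlen(name) + 1;
    if (h->name_buflen < len) {
        h->name = realloc(h->name, len);
        if (!h->name)
            return -1;
        h->name_buflen = len;
    }
    memmove(h->name, name, len);
    h->namesize = len;
    return 0;
}

/* Hardened: capacity is only meaningful once a buffer exists, so a NULL
 * buffer forces allocation regardless of whatever name_buflen holds.
 * realloc(NULL, n) behaves as malloc(n). */
static int set_name_safe(struct hdr *h, const char *name)
{
    size_t len = strlen(name) + 1;
    if (h->name == NULL || h->name_buflen < len) {
        char *p = realloc(h->name, len);
        if (!p)
            return -1;
        h->name = p;
        h->name_buflen = len;
    }
    memmove(h->name, name, len);
    h->namesize = len;
    return 0;
}
```

Zero-initialising the header before the first set (so name is NULL and name_buflen is 0) makes even the unsafe setter behave; the hardened check protects the case where that initialisation is missed.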