Re: [Bug-cpio] Segfault when updating newc archives
From: Burton, Ross
Subject: Re: [Bug-cpio] Segfault when updating newc archives
Date: Wed, 28 Nov 2018 14:32:50 +0000
https://gitlab.com/rossburton/cpio/commit/37b78fba8044411349ae791bcee98f55d4c0e442
is an addition to the test suite which fails for me.
Ross
On Wed, 28 Nov 2018 at 14:18, Burton, Ross <address@hidden> wrote:
>
> Using current git master of cpio, and introduced with the
> CVE-2016-2037 out-of-bounds patch, I can trivially crash cpio. For
> example from the top of the cpio git clone:
>
> $ find gnulib/ | ./src/cpio -o -H newc >foo.cpio
> 70240 blocks
> $ echo NEWS | ./src/cpio -oA -H newc -F foo.cpio
> Segmentation fault (core dumped)
>
> Adding a little debug and running in valgrind:
>
> ...
> cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 23
> cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 30
> cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 11
> ==30256== Conditional jump or move depends on uninitialised value(s)
> ==30256== at 0x4E800F0: vfprintf (vfprintf.c:1636)
> ==30256== by 0x4E87228: printf (printf.c:33)
> ==30256== by 0x116F42: cpio_set_c_name (util.c:1433)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> cpio_set_c_name() about to memmove() file_hdr 0xfff0004e0 c_name (nil) name 0x51d9590 len 5
> ==30256== Conditional jump or move depends on uninitialised value(s)
> ==30256== at 0x4C300D3: address@hidden (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> ==30256== Conditional jump or move depends on uninitialised value(s)
> ==30256== at 0x4C300E5: address@hidden (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> ==30256== Conditional jump or move depends on uninitialised value(s)
> ==30256== at 0x4C30171: address@hidden (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> ==30256== Use of uninitialised value of size 8
> ==30256== at 0x4C3019B: address@hidden (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> ==30256== Invalid write of size 2
> ==30256== at 0x4C3019B: address@hidden (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256== Address 0x0 is not stack'd, malloc'd or (recently) free'd
>
> Ross
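As an added example (not cpio's own code, and not the commit or test-suite addition linked above), here is a cut-down C model of the failure mode the valgrind output shows: a name copied with memmove() while the destination pointer is still NULL, which valgrind reports as "Invalid write ... Address 0x0". The mechanism modelled, a buffer capacity tracked in a function-static variable while the buffer pointer lives in each header record, is an assumption chosen to reproduce the symptoms in the trace (a second file_hdr at a different address, c_name (nil), len 5 for "NEWS"); the message itself does not state the root cause. The struct, function names and the sample file name are all constructed for this example. The buggy variant returns -1 where the real code would dereference NULL, so the block runs without crashing; the hardened variant keeps the capacity with the record.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cut-down stand-in for a cpio-style header record. Only the name fields
 * matter here; c_name is allocated lazily on first use. This is a model
 * written for this example, not cpio's struct cpio_file_stat. */
struct hdr {
    size_t c_namesize;
    char  *c_name;
    size_t c_name_cap;   /* per-record capacity, used by the fixed variant only */
};

/* Hazardous pattern (assumed, not taken from cpio): the buffer capacity is
 * kept in a function-static variable, so it describes whichever record the
 * function saw first. A second, zero-initialised record arrives with
 * c_name == NULL while cap != 0; if cap already covers the new name the
 * allocation branch is skipped and memmove() would write through NULL.
 * To keep this example runnable the NULL case returns -1 instead. */
static int set_name_static_cap(struct hdr *h, const char *name)
{
    static size_t cap = 0;
    size_t len = strlen(name) + 1;

    if (cap == 0) {
        cap = len < 32 ? 32 : len;
        h->c_name = malloc(cap);
    } else if (cap < len) {
        cap = len;
        h->c_name = realloc(h->c_name, cap);
    }
    if (h->c_name == NULL)
        return -1;            /* would be memmove(NULL, name, len): SIGSEGV */

    h->c_namesize = len;
    memmove(h->c_name, name, len);
    return 0;
}

/* Fixed variant: capacity travels with the record, and a NULL buffer is
 * always (re)allocated before the copy, whatever earlier records did. */
static int set_name_per_record(struct hdr *h, const char *name)
{
    size_t len = strlen(name) + 1;

    if (h->c_name == NULL || h->c_name_cap < len) {
        size_t cap = len < 32 ? 32 : len;
        char *p = realloc(h->c_name, cap);   /* realloc(NULL, n) == malloc(n) */
        if (p == NULL)
            return -1;
        h->c_name = p;
        h->c_name_cap = cap;
    }
    h->c_namesize = len;
    memmove(h->c_name, name, len);
    return 0;
}

/* Replays the shape of the append run: one record is used for the existing
 * archive's entries, then a fresh record for the appended entry "NEWS"
 * (constructed input, chosen to match the 5-byte name in the trace).
 * Returns the status of the second call and copies its name into out. */
int demo_append(int use_fixed, char *out, size_t outsz)
{
    int (*set_name)(struct hdr *, const char *) =
        use_fixed ? set_name_per_record : set_name_static_cap;
    struct hdr first = {0}, second = {0};
    int rc;

    /* constructed name, longer than the 32-byte minimum so cap grows to 33 */
    if (set_name(&first, "gnulib/lib/some-long-file-name.c") != 0)
        return -2;
    rc = set_name(&second, "NEWS");
    if (rc == 0 && second.c_name != NULL)
        snprintf(out, outsz, "%s", second.c_name);
    else if (outsz > 0)
        out[0] = '\0';

    free(first.c_name);
    free(second.c_name);
    return rc;
}

int main(void)
{
    char name[64];
    printf("static capacity:     rc=%d name=\"%s\"\n",
           demo_append(0, name, sizeof name), name);
    printf("per-record capacity: rc=%d name=\"%s\"\n",
           demo_append(1, name, sizeof name), name);
    return 0;
}
```

The buggy path only misbehaves when the earlier record has already pushed the static capacity above the new name's length, which is why a short appended name like NEWS after a walk over gnulib/ is the trigger shape; a longer name would fall into the realloc branch and silently work, so a regression test should use a short name.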