
Several memory safety violations in cpio 2.13


From: Hanno Böck
Subject: Several memory safety violations in cpio 2.13
Date: Thu, 7 Nov 2019 09:22:58 +0100

Hi,

I noticed that a new version of cpio (2.13) was released recently
fixing a few of the known security issues.
I did a quick run with afl and immediately found more unfixed memory
safety violations.

I'll provide minified samples, base64-encoded. To reproduce, read those
files with cpio compiled with ASan (-fsanitize=address in CFLAGS).

Heap overflow of 2 bytes in copyin_link
=======================================

Sample:
x3EwMDAwMKEwMDAwMDAwMDAwMDAKAAAAAAAwMDAwMDAwMDAw

Stack trace:
==30762==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x602000000211 at pc 0x7f9320c202d5 bp 0x7ffe4d99a7b0 sp 0x7ffe4d999f58
WRITE of size 2 at 0x602000000211 thread T0
    #0 0x7f9320c202d4 in memmove 
(/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x9f2d4)
    #1 0x55b47559d9c9 in copyin_link /tmp/cpio-2.13/src/copyin.c:648
    #2 0x55b47559d9c9 in copyin_file /tmp/cpio-2.13/src/copyin.c:708
    #3 0x55b47559d9c9 in process_copy_in /tmp/cpio-2.13/src/copyin.c:1407
    #4 0x55b475580e27 in main /tmp/cpio-2.13/src/main.c:780
    #5 0x7f93209d6f1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
    #6 0x55b475582019 in _start (/tmp/y/cpio+0x14019)

0x602000000211 is located 0 bytes to the right of 1-byte region 
[0x602000000210,0x602000000211)
allocated by thread T0 here:
    #0 0x7f9320c8cca8 in __interceptor_malloc 
(/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x10bca8)
    #1 0x55b475641e50 in xmalloc /tmp/cpio-2.13/gnu/xmalloc.c:41
    #2 0x55b47559d74d in get_link_name /tmp/cpio-2.13/src/copyin.c:120
    #3 0x55b47559d74d in copyin_link /tmp/cpio-2.13/src/copyin.c:637
    #4 0x55b47559d74d in copyin_file /tmp/cpio-2.13/src/copyin.c:708
    #5 0x55b47559d74d in process_copy_in /tmp/cpio-2.13/src/copyin.c:1407
    #6 0x55b475580e27 in main /tmp/cpio-2.13/src/main.c:780
    #7 0x7f93209d6f1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
    #8 0x55b475582019 in _start (/tmp/y/cpio+0x14019)


Heap out of bounds read (129 bytes) in add_inode
================================================

Sample:
x3EwMDAwMIEwMDAwMDAwMDAwMDACADAwMDAwMA==

Stack trace:
==30769==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60c000000240 at pc 0x7f8eea2c596d bp 0x7ffea661ef00 sp 0x7ffea661e6a8
READ of size 129 at 0x60c000000240 thread T0
    #0 0x7f8eea2c596c  
(/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x6696c)
    #1 0x55db5a36c216 in xstrdup /tmp/cpio-2.13/gnu/xmalloc.c:121
    #2 0x55db5a2f9792 in add_inode /tmp/cpio-2.13/src/util.c:743
    #3 0x55db5a2e2017 in link_to_maj_min_ino /tmp/cpio-2.13/src/copypass.c:358
    #4 0x55db5a2acf80 in copyin_regular_file /tmp/cpio-2.13/src/copyin.c:448
    #5 0x55db5a2c5fce in copyin_file /tmp/cpio-2.13/src/copyin.c:688
    #6 0x55db5a2c5fce in process_copy_in /tmp/cpio-2.13/src/copyin.c:1407
    #7 0x55db5a2aae27 in main /tmp/cpio-2.13/src/main.c:780
    #8 0x7f8eea0b4f1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
    #9 0x55db5a2ac019 in _start (/tmp/y/cpio+0x14019)

0x60c000000240 is located 0 bytes to the right of 128-byte region 
[0x60c0000001c0,0x60c000000240)
allocated by thread T0 here:
    #0 0x7f8eea36b0c9 in realloc 
(/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x10c0c9)
    #1 0x55db5a36c006 in xrealloc /tmp/cpio-2.13/gnu/xmalloc.c:61
    #2 0x55db5a36c006 in x2nrealloc /tmp/cpio-2.13/gnu/xalloc.h:211
    #3 0x55db5a36c006 in x2realloc /tmp/cpio-2.13/gnu/xmalloc.c:76
    #4 0x55db5a302df7 in cpio_realloc_c_name /tmp/cpio-2.13/src/util.c:1259
    #5 0x55db5a2be8a1 in read_name_from_file /tmp/cpio-2.13/src/copyin.c:1001
    #6 0x55db5a2be8a1 in read_in_binary /tmp/cpio-2.13/src/copyin.c:1139
    #7 0x55db5a2c081f in read_in_header /tmp/cpio-2.13/src/copyin.c:989
    #8 0x55db5a2c27ac in process_copy_in /tmp/cpio-2.13/src/copyin.c:1278
    #9 0x55db5a2aae27 in main /tmp/cpio-2.13/src/main.c:780
    #10 0x7f8eea0b4f1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
    #11 0x55db5a2ac019 in _start (/tmp/y/cpio+0x14019)

Heap out of bounds read (1 byte) in last_component
==================================================

Sample:
x3EwMDAwMEEwMDAwMDAwMDAwMDAEADAwMDAwMDAw

Stack trace:
==30779==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60c000000240 at pc 0x557646af7841 bp 0x7ffedce12f60 sp 0x7ffedce12f50
READ of size 1 at 0x60c000000240 thread T0
    #0 0x557646af7840 in last_component /tmp/cpio-2.13/gnu/basename-lgpl.c:39
    #1 0x557646af80a0 in strip_trailing_slashes 
/tmp/cpio-2.13/gnu/stripslash.c:33
    #2 0x557646ab7396 in cpio_create_dir /tmp/cpio-2.13/src/util.c:1448
    #3 0x557646a74ade in copyin_file /tmp/cpio-2.13/src/copyin.c:692
    #4 0x557646a74ade in process_copy_in /tmp/cpio-2.13/src/copyin.c:1407
    #5 0x557646a5be27 in main /tmp/cpio-2.13/src/main.c:780
    #6 0x7fb33f32af1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
    #7 0x557646a5d019 in _start (/tmp/y/cpio+0x14019)

0x60c000000240 is located 0 bytes to the right of 128-byte region 
[0x60c0000001c0,0x60c000000240)
allocated by thread T0 here:
    #0 0x7fb33f5e10c9 in realloc 
(/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x10c0c9)
    #1 0x557646b1d006 in xrealloc /tmp/cpio-2.13/gnu/xmalloc.c:61
    #2 0x557646b1d006 in x2nrealloc /tmp/cpio-2.13/gnu/xalloc.h:211
    #3 0x557646b1d006 in x2realloc /tmp/cpio-2.13/gnu/xmalloc.c:76
    #4 0x557646ab3df7 in cpio_realloc_c_name /tmp/cpio-2.13/src/util.c:1259
    #5 0x557646a6f8a1 in read_name_from_file /tmp/cpio-2.13/src/copyin.c:1001
    #6 0x557646a6f8a1 in read_in_binary /tmp/cpio-2.13/src/copyin.c:1139
    #7 0x557646a7181f in read_in_header /tmp/cpio-2.13/src/copyin.c:989
    #8 0x557646a737ac in process_copy_in /tmp/cpio-2.13/src/copyin.c:1278
    #9 0x557646a5be27 in main /tmp/cpio-2.13/src/main.c:780
    #10 0x7fb33f32af1a in __libc_start_main (/lib64/libc.so.6+0x23f1a)
    #11 0x557646a5d019 in _start (/tmp/y/cpio+0x14019)


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
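The three samples above all begin with the bytes c7 71, i.e. the old binary ("070707") cpio format. The checker below, an added example that is not part of the report or of cpio's own code, decodes them and parses the 26-byte header to show which header fields are inconsistent with the bytes that follow: a name with no NUL terminator inside c_namesize, a c_filesize larger than the rest of the archive, and a symlink whose target length is zero. Function and constant names are mine.

```python
import base64
import struct

# The three fuzzer-minified samples quoted in the report (old binary cpio format).
SAMPLES = {
    "copyin_link": "x3EwMDAwMKEwMDAwMDAwMDAwMDAKAAAAAAAwMDAwMDAwMDAw",
    "add_inode": "x3EwMDAwMIEwMDAwMDAwMDAwMDACADAwMDAwMA==",
    "last_component": "x3EwMDAwMEEwMDAwMDAwMDAwMDAEADAwMDAwMDAw",
}

HEADER_LEN = 26  # 13 native-endian 16-bit words; these samples are little-endian
OLD_BINARY_MAGIC = 0o070707
S_IFMT, S_IFLNK, S_IFREG, S_IFDIR = 0o170000, 0o120000, 0o100000, 0o040000


def check_old_binary_header(data):
    """Parse one old-binary cpio header; return (fields, list of findings).

    These are the checks a consumer must make before trusting the header:
    the name must be NUL-terminated within c_namesize, and the declared
    sizes must fit inside the bytes that are actually present.
    """
    findings = []
    if len(data) < HEADER_LEN:
        return None, ["truncated header"]
    w = struct.unpack("<13H", data[:HEADER_LEN])
    fields = {
        "magic": w[0], "mode": w[3], "namesize": w[10],
        # 32-bit values are stored as two shorts, most significant word first
        "mtime": (w[8] << 16) | w[9],
        "filesize": (w[11] << 16) | w[12],
    }
    if fields["magic"] != OLD_BINARY_MAGIC:
        findings.append("bad magic")
    name_end = HEADER_LEN + fields["namesize"]
    name = data[HEADER_LEN:name_end]
    if len(name) < fields["namesize"]:
        findings.append("name runs past end of archive")
    elif b"\0" not in name:
        findings.append("name not NUL-terminated within c_namesize")
    body_start = name_end + (name_end & 1)  # file data starts at an even offset
    remaining = max(0, len(data) - body_start)
    if fields["filesize"] > remaining:
        findings.append("c_filesize %d exceeds %d remaining bytes"
                        % (fields["filesize"], remaining))
    if fields["mode"] & S_IFMT == S_IFLNK and fields["filesize"] == 0:
        findings.append("symlink with zero-length target")
    return fields, findings


def check_sample(name):
    return check_old_binary_header(base64.b64decode(SAMPLES[name]))
```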