malformed cab causes overlapping memcpy / segfault #506

Closed
kwrobot opened this Issue Apr 11, 2015 · 1 comment

kwrobot commented Apr 11, 2015

Original issue 398 created by Google Code user hanno@hboeck.de on 2015-02-03T03:57:29.000Z:

**What steps will reproduce the problem?**
1. Run `bsdtar -xf memcpy` under either valgrind or AddressSanitizer; it will show an overlapping memcpy.

**What version are you using?**
git head (e6c9668f3202215ddb71617b41c19b6f05acf008)

**On what operating system?**
Linux

**How did you build?  (cmake, configure, or pre-packaged binary)**
cmake

**What compiler or development environment (please include version)?**
gcc 4.9.2

**Please provide any additional information below.**
Found with american fuzzy lop.

```text
==20141==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x60300000ee60,0x60300000ee62) and [0x60300000ee61, 0x60300000ee63) overlap
    #0 0x7f0173ebde94 (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2fe94)
    #1 0x6687fa in memcpy /usr/include/bits/string3.h:51
    #2 0x6687fa in archive_string_append /mnt/ram/libarchive/libarchive/archive_string.c:206
    #3 0x6687fa in archive_strncat /mnt/ram/libarchive/libarchive/archive_string.c:342
    #4 0x6687fa in archive_mstring_copy_mbs_len /mnt/ram/libarchive/libarchive/archive_string.c:4051
    #5 0x6687fa in archive_mstring_copy_mbs /mnt/ram/libarchive/libarchive/archive_string.c:4039
    #6 0x430626 in edit_pathname /mnt/ram/libarchive/tar/util.c:555
    #7 0x425c4b in read_archive /mnt/ram/libarchive/tar/read.c:331
    #8 0x425c4b in tar_mode_x /mnt/ram/libarchive/tar/read.c:104
    #9 0x415789 in main /mnt/ram/libarchive/tar/bsdtar.c:805
    #10 0x7f0172b04f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #11 0x41b10d (/mnt/ram/libarchive/b/bin/bsdtar+0x41b10d)
```

Will attach full asan and valgrind output.

See attachment: memcpy.cab
See attachment: memcpy.cab.asan.log
See attachment: memcpy.cab.valgrind.log

kwrobot Apr 11, 2015

Comment #1 originally posted by kientzle on 2015-02-07T07:04:48.000Z:

Thank you again!  I appreciate your reporting these issues.

I believe this is completely fixed by git commit b6ba560.

In particular, archive_string_append() now uses memmove() to copy the string into the correct location in the string buffer, which should correctly handle cases where the source string was parsed from the string buffer itself.
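The pattern behind the report is an append routine whose source pointer lies inside the very buffer being written (here, `edit_pathname` re-copying an entry name from the name's own storage). The following is an added example, not libarchive's code and not the fix from commit b6ba560: a minimal growable string buffer with the memcpy-based append beside a hardened one that uses memmove. It also goes one step beyond what the comment describes, by re-deriving an aliased source as an offset across a realloc so the append cannot dereference freed memory when the buffer has to grow. All names (`strbuf`, `strbuf_append`, `strbuf_copy`, `strip_leading_slashes`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string buffer (added example, not libarchive code). */
struct strbuf {
    char *s;         /* NUL-terminated storage, NULL while empty */
    size_t length;   /* bytes in use, not counting the NUL */
    size_t capacity; /* bytes allocated, including room for the NUL */
};

/* Ensure room for `extra` more bytes plus the terminator.
 * Returns 0 on success, -1 if allocation fails. */
static int strbuf_reserve(struct strbuf *sb, size_t extra)
{
    size_t need = sb->length + extra + 1;
    size_t cap;
    char *p;

    if (need <= sb->capacity)
        return 0;
    cap = sb->capacity ? sb->capacity : 16;
    while (cap < need)
        cap *= 2;
    p = realloc(sb->s, cap);
    if (p == NULL)
        return -1;
    sb->s = p;
    sb->capacity = cap;
    return 0;
}

/* The 'before' shape: memcpy with a source that may overlap the destination.
 * Correct only when p does not point into sb->s. */
static int strbuf_append_memcpy(struct strbuf *sb, const char *p, size_t n)
{
    if (strbuf_reserve(sb, n) != 0)
        return -1;
    memcpy(sb->s + sb->length, p, n); /* undefined behaviour if p aliases sb->s */
    sb->length += n;
    sb->s[sb->length] = '\0';
    return 0;
}

/* Hardened append: memmove tolerates overlap, and a source that already lives
 * inside sb->s is remembered as an offset so a realloc cannot leave it dangling.
 * Returns 0 on success, -1 if allocation fails. */
static int strbuf_append(struct strbuf *sb, const char *p, size_t n)
{
    size_t off = 0;
    int aliases = sb->s != NULL && p >= sb->s && p < sb->s + sb->capacity;

    if (aliases)
        off = (size_t)(p - sb->s);
    if (strbuf_reserve(sb, n) != 0)
        return -1;
    if (aliases)
        p = sb->s + off; /* re-derive after a possible move by realloc */
    memmove(sb->s + sb->length, p, n);
    sb->length += n;
    sb->s[sb->length] = '\0';
    return 0;
}

/* Reset the buffer and refill it from p; p may point into sb->s. */
static int strbuf_copy(struct strbuf *sb, const char *p, size_t n)
{
    sb->length = 0;
    return strbuf_append(sb, p, n);
}

/* Rewrite an entry name in place without its leading '/' characters: the
 * source pointer is inside the buffer being overwritten. */
static int strip_leading_slashes(struct strbuf *sb)
{
    const char *p;

    if (sb->s == NULL)
        return 0;
    for (p = sb->s; *p == '/'; p++)
        ;
    return strbuf_copy(sb, p, strlen(p));
}

static void strbuf_free(struct strbuf *sb)
{
    free(sb->s);
    sb->s = NULL;
    sb->length = sb->capacity = 0;
}

int main(void)
{
    struct strbuf sb = { NULL, 0, 0 };
    const char *name = "///usr/share/doc/pkg/README"; /* constructed sample */

    if (strbuf_append_memcpy(&sb, name, strlen(name)) != 0) /* distinct source */
        return 1;
    if (strip_leading_slashes(&sb) != 0)                    /* aliased source */
        return 1;
    printf("%s (length %zu)\n", sb.s, sb.length); /* usr/share/doc/pkg/README (length 24) */
    if (strbuf_append(&sb, sb.s, sb.length) != 0) /* aliased source across a realloc */
        return 1;
    printf("length %zu\n", sb.length);            /* length 48 */
    strbuf_free(&sb);
    return 0;
}
```

The alias check is what makes the memmove fix sufficient: memmove alone handles the overlapping ranges ASan flagged, but if the append has to grow the buffer first, the source pointer must be recomputed from its offset or it points into memory realloc may have released.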