
malformed cab causes overlapping memcpy / segfault #506

Closed
kwrobot opened this issue Apr 11, 2015 · 1 comment

@kwrobot
commented Apr 11, 2015

Original issue 398 created by Google Code user hanno@hboeck.de on 2015-02-03T03:57:29.000Z:

What steps will reproduce the problem?
1. bsdtar -xf memcpy with either valgrind or address sanitizer will show overlapping memcpy command

What version are you using?
git head (e6c9668f3202215ddb71617b41c19b6f05acf008)

On what operating system?
Linux

How did you build? (cmake, configure, or pre-packaged binary)
cmake

What compiler or development environment (please include version)?
gcc 4.9.2

Please provide any additional information below.
Found with american fuzzy lop.

==20141==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x60300000ee60,0x60300000ee62) and [0x60300000ee61, 0x60300000ee63) overlap
    #0 0x7f0173ebde94 (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2fe94)
    #1 0x6687fa in memcpy /usr/include/bits/string3.h:51
    #2 0x6687fa in archive_string_append /mnt/ram/libarchive/libarchive/archive_string.c:206
    #3 0x6687fa in archive_strncat /mnt/ram/libarchive/libarchive/archive_string.c:342
    #4 0x6687fa in archive_mstring_copy_mbs_len /mnt/ram/libarchive/libarchive/archive_string.c:4051
    #5 0x6687fa in archive_mstring_copy_mbs /mnt/ram/libarchive/libarchive/archive_string.c:4039
    #6 0x430626 in edit_pathname /mnt/ram/libarchive/tar/util.c:555
    #7 0x425c4b in read_archive /mnt/ram/libarchive/tar/read.c:331
    #8 0x425c4b in tar_mode_x /mnt/ram/libarchive/tar/read.c:104
    #9 0x415789 in main /mnt/ram/libarchive/tar/bsdtar.c:805
    #10 0x7f0172b04f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #11 0x41b10d (/mnt/ram/libarchive/b/bin/bsdtar+0x41b10d)

Will attach full asan and valgrind output.

See attachment: memcpy.cab
See attachment: memcpy.cab.asan.log
See attachment: memcpy.cab.valgrind.log

@kwrobot


commented Apr 11, 2015

Comment #1 originally posted by kientzle on 2015-02-07T07:04:48.000Z:

Thank you again!  I appreciate your reporting these issues.

I believe this is completely fixed by git commit b6ba560.

In particular, archive_string_append() now uses memmove() to copy the string into the correct location in the string buffer, which should correctly handle cases where the source string was parsed from the string buffer itself.
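The fix described in the comment above, as an added example that is not libarchive's own code: a hypothetical minimal growable string (`struct sbuf`, `sbuf_append`, `sbuf_keep_tail`, `strip_prefix` are all invented names) whose append copies with memmove(), so that a source pointer into its own buffer, as in an in-place path rewrite, is handled correctly. The stand-in also makes the companion point explicit: memmove() does not help if the append reallocates the buffer, so a caller that aliases the buffer must rule that out.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libarchive's growable string (not the project's
 * archive_string): heap buffer, bytes used, capacity. */
struct sbuf { char *s; size_t length, buffer_length; };

static int sbuf_ensure(struct sbuf *as, size_t need)
{
    char *p;
    if (as->buffer_length >= need) return 0;
    if ((p = realloc(as->s, need)) == NULL) return -1;
    as->s = p; as->buffer_length = need;
    return 0;
}

/* Append n bytes from p. p may point into as->s itself, so the copy must
 * tolerate overlap: memmove, not memcpy (the change comment #1 describes).
 * Such a caller must also ensure no reallocation occurs, or p dangles. */
static int sbuf_append(struct sbuf *as, const char *p, size_t n)
{
    if (sbuf_ensure(as, as->length + n + 1) != 0) return -1;
    memmove(as->s + as->length, p, n);
    as->length += n;
    as->s[as->length] = '\0';
    return 0;
}

/* Replace the content with its own tail from offset off: an in-place path
 * edit where source and destination overlap. n + 1 never exceeds the current
 * capacity, so sbuf_append() cannot reallocate here. */
static int sbuf_keep_tail(struct sbuf *as, size_t off)
{
    if (off > as->length) return -1;
    size_t n = as->length - off;
    const char *src = as->s + off;
    as->length = 0;
    return sbuf_append(as, src, n);
}

/* malloc'd copy of path minus its first drop bytes, or NULL on failure. */
char *strip_prefix(const char *path, size_t drop)
{
    struct sbuf as = { NULL, 0, 0 };
    if (sbuf_append(&as, path, strlen(path)) != 0 || sbuf_keep_tail(&as, drop) != 0) {
        free(as.s);
        return NULL;
    }
    return as.s;
}
```

Building with `-fsanitize=address` and swapping the memmove() for memcpy() reproduces the memcpy-param-overlap report from the original issue on the overlapping copy in `sbuf_keep_tail`.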
