Segfault when unpacking invalid rar archive with bsdtar #518

Closed
kwrobot opened this Issue Apr 11, 2015 · 6 comments

kwrobot commented Apr 11, 2015

Original issue 410 created by Google Code user hanno@hboeck.de on 2015-02-13T20:05:02.000Z:

Attached file will cause a segfault in bsdtar. Latest git code.

Address Sanitizer output:

==21177==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7fa3390860ef bp 0x7fff1b3cff30 sp 0x7fff1b3cf1c8 T0)
    #0 0x7fa3390860ee in crc32 (/lib64/libz.so.1+0x30ee)
    #1 0x8db25b in read_data_compressed /mnt/ram/libarchive-asan/libarchive/archive_read_support_format_rar.c:2045:25
    #2 0x8c14fd in archive_read_format_rar_read_data /mnt/ram/libarchive-asan/libarchive/archive_read_support_format_rar.c:1025:11
    #3 0x5dc586 in _archive_read_data_block /mnt/ram/libarchive-asan/libarchive/archive_read.c:969:9
    #4 0xae29a2 in archive_read_data_block /mnt/ram/libarchive-asan/libarchive/archive_virtual.c:161:10
    #5 0x66080a in copy_data /mnt/ram/libarchive-asan/libarchive/archive_read_extract2.c:120:7
    #6 0x65feb0 in archive_read_extract2 /mnt/ram/libarchive-asan/libarchive/archive_read_extract2.c:82:7
    #7 0x4edcbf in read_archive /mnt/ram/libarchive-asan/tar/read.c:361:9
    #8 0x4ef665 in tar_mode_x /mnt/ram/libarchive-asan/tar/read.c:104:2
    #9 0x4d647f in main /mnt/ram/libarchive-asan/tar/bsdtar.c:805:3
    #10 0x7fa3381cdf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r1/work/glibc-2.20/csu/libc-start.c:289
    #11 0x4c46ac in _start (/mnt/ram/libarchive-asan/bsdtar+0x4c46ac)

Found with american fuzzy lop.

See attachment: segfault.rar
See attachment: segfault.rar.asan.txt
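An added example (not code from the issue, the reporter, or libarchive): a small triage helper for fuzzer-found crashes like this one. It parses the AddressSanitizer report above, skips frames outside the project tree (here the crc32 frame inside libz), flags a fault address inside the first page as a bad-pointer deref rather than a buffer overrun, and builds a deduplication signature from the first libarchive frame. The project root `/mnt/ram/libarchive-asan` is taken from the paths in the report; the sample report is embedded as constructed input.

```python
import re

# Constructed sample: the AddressSanitizer report quoted in the issue above,
# shortened to the frames the triage needs.
ASAN_REPORT = """\
==21177==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7fa3390860ef bp 0x7fff1b3cff30 sp 0x7fff1b3cf1c8 T0)
    #0 0x7fa3390860ee in crc32 (/lib64/libz.so.1+0x30ee)
    #1 0x8db25b in read_data_compressed /mnt/ram/libarchive-asan/libarchive/archive_read_support_format_rar.c:2045:25
    #2 0x8c14fd in archive_read_format_rar_read_data /mnt/ram/libarchive-asan/libarchive/archive_read_support_format_rar.c:1025:11
    #3 0x5dc586 in _archive_read_data_block /mnt/ram/libarchive-asan/libarchive/archive_read.c:969:9
"""

# Matches both "SEGV on unknown address 0x..." and "<bug-kind> on address 0x...".
HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
# One stack frame: "#N 0xPC in FUNC LOCATION" (LOCATION is path:line:col or (module+offset)).
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)

def parse_frames(report):
    """Return the stack as a list of (function, location) tuples in frame order."""
    return [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(report)]

def first_project_frame(frames, project_root):
    """First frame whose source file lies under project_root (skips libz, libc, ...)."""
    for func, loc in frames:
        if loc.startswith(project_root):
            parts = loc[len(project_root):].lstrip("/").split(":")
            line = int(parts[1]) if len(parts) > 1 else 0
            return func, parts[0], line
    return None

def triage(report, project_root):
    """Summarise one ASan report into a crash bucket for deduplicating fuzzer findings."""
    m = HEADER_RE.search(report)
    if not m:
        raise ValueError("no AddressSanitizer error header found")
    kind, addr = m.group("kind"), int(m.group("addr"), 16)
    frame = first_project_frame(parse_frames(report), project_root)
    func, path, line = frame if frame else ("?", "?", 0)
    return {
        "kind": kind,
        "address": addr,
        # A fault inside the first page (normally unmapped) means a NULL or
        # small-integer pointer was dereferenced, not that a buffer was overrun.
        "near_null": addr < 4096,
        "signature": f"{kind}:{func}:{path}:{line}",
    }
```

For this report `triage(ASAN_REPORT, "/mnt/ram/libarchive-asan")` buckets the crash under `read_data_compressed` at line 2045 rather than under the libz `crc32` frame, which is where a naive top-frame signature would put it.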

kwrobot commented Apr 11, 2015

Comment #1 originally posted by kientzle on 2015-02-14T04:35:42.000Z:

What was the SHA1 of the git checkout you're using?

I'm not reproducing it here, but I might not be running the same code.

kwrobot commented Apr 11, 2015

Comment #2 originally posted by Google Code user hanno@hboeck.de on 2015-02-14T09:19:06.000Z:

Just re-tested with the very latest git code, still segfaults:
d24e79e8f9547ae475a3a0c9516e079a14010838

(and yesterday I tested it with yesterday's git head, which was:
d094dc02905605ca514baf87855f026b9bf52f1f
)

kwrobot commented Apr 11, 2015

Comment #3 originally posted by kientzle on 2015-02-22T19:34:54.000Z:

I set a breakpoint at every call from the Rar code to the crc32() function.  At each call, the arguments look just fine.

This is on Mac OS X.  I'm going to try it on Linux and see if I can reproduce it there.

kwrobot commented Apr 11, 2015

Comment #4 originally posted by Google Code user tim@kientzle.com on 2015-02-25T04:52:39.000Z:

Installed Ubuntu 14.10 x86_64 into a VMWare VM and still do not see the crash.  I installed git and make but it's otherwise a standard install.  I checked out the latest git code and did the following:

$ mkdir t
$ cd t
$ cmake ..
$ make
$ bin/bsdtar xvf segfault.rar
x test: Write request too large
bsdtar: Error exit delayed from previous errors.

Can you provide me any other details about your environment or how you're running things that might help me reproduce this here?

I'll try a 32-bit Ubuntu system as well to see if that makes a difference.

kwrobot commented Apr 11, 2015

Comment #5 originally posted by kientzle on 2015-03-04T01:15:31.000Z:

A-ha!  I finally reproduced the crash on 32-bit Ubuntu 14.10.

kwrobot commented Apr 11, 2015

Comment #6 originally posted by kientzle on 2015-03-04T04:45:54.000Z:

Once I finally reproduced it, the fix seems fairly simple.  I believe this is fixed by git aab7393.

Thank you so much for your help!
@kwrobot kwrobot closed this Apr 11, 2015