Out of bounds read in function process_add_entry() on malformed mtree file #550

Closed
hannob opened this Issue May 21, 2015 · 1 comment

hannob commented May 21, 2015

This sample file will generate an out of bounds read access:
https://crashes.fuzzing-project.org/libarchive-oob-process_add_entry.mtree

File content:
0
link=0 0/

Address Sanitizer output:
==26344==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ef4f at pc 0x0000004b26cc bp 0x7fff5ddb01d0 sp 0x7fff5ddaf988
READ of size 1 at 0x60300000ef4f thread T0
#0 0x4b26cb in __asan_memcpy (/f/libarchive/libarchive/bsdtar+0x4b26cb)
#1 0x8d28ac in process_add_entry /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:911:2
#2 0x8b4fc1 in read_mtree /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:984:8
#3 0x8ad598 in read_header /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:1033:7
#4 0x62452d in _archive_read_next_header2 /f/libarchive/libarchive/libarchive/archive_read.c:645:8
#5 0x622de2 in _archive_read_next_header /f/libarchive/libarchive/libarchive/archive_read.c:685:8
#6 0xb0c7de in archive_read_next_header /f/libarchive/libarchive/libarchive/archive_virtual.c:148:11
#7 0x513e1f in read_archive /f/libarchive/libarchive/tar/read.c:263:7
#8 0x51835b in tar_mode_x /f/libarchive/libarchive/tar/read.c:114:2
#9 0x4fee52 in main /f/libarchive/libarchive/tar/bsdtar.c:805:3
#10 0x7f26f4e54f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#11 0x442206 in _start (/f/libarchive/libarchive/bsdtar+0x442206)

0x60300000ef4f is located 1 bytes to the left of 32-byte region [0x60300000ef50,0x60300000ef70)
allocated by thread T0 here:
#0 0x4c9515 in realloc (/f/libarchive/libarchive/bsdtar+0x4c9515)
#1 0xa86925 in archive_string_ensure /f/libarchive/libarchive/libarchive/archive_string.c:311:14
#2 0x8ce613 in readline /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:1947:7
#3 0x8b41d7 in read_mtree /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:963:9
#4 0x8ad598 in read_header /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:1033:7
#5 0x62452d in _archive_read_next_header2 /f/libarchive/libarchive/libarchive/archive_read.c:645:8
#6 0x622de2 in _archive_read_next_header /f/libarchive/libarchive/libarchive/archive_read.c:685:8
#7 0xb0c7de in archive_read_next_header /f/libarchive/libarchive/libarchive/archive_virtual.c:148:11
#8 0x513e1f in read_archive /f/libarchive/libarchive/tar/read.c:263:7
#9 0x51835b in tar_mode_x /f/libarchive/libarchive/tar/read.c:114:2
#10 0x4fee52 in main /f/libarchive/libarchive/tar/bsdtar.c:805:3
#11 0x7f26f4e54f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9de0: fa fa fa fa 00 00 00 00 fa[fa]00 00 00 00 fa fa
0x0c067fff9df0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26344==ABORTING
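
Added illustration, not part of the report above and not libarchive's own code. The trace pins down the symptom precisely: memcpy reads one byte immediately left of the 32-byte line buffer that readline() grew through archive_string_ensure(), i.e. index -1 of the current line. The page does not show the parser logic in process_add_entry() that produced that pointer, so the splitter below does not claim to be the actual defect; it shows the bounds discipline a reader would check for in the fixed code when handling the two fields the sample file makes degenerate (a line that is only a name, and a line whose tokens are "link=0" and "0/"). Assumptions made only for illustration: the name comes first and keywords follow, the fixed sizes MTREE_NAME_MAX and MTREE_KEYS_MAX, and the sample bytes are embedded as constructed input.

```c
/*
 * Bounds-checked splitter for one mtree line.  Added example; NOT
 * libarchive's process_add_entry() and not a reconstruction of its bug.
 * The line is passed as (pointer, length) the way a growable line buffer
 * would be, and no pointer is ever formed outside [line, line + len).
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MTREE_NAME_MAX 64   /* assumption: illustrative fixed name buffer */
#define MTREE_KEYS_MAX 8    /* assumption: illustrative keyword limit */

enum mtree_status {
    MTREE_OK = 0,
    MTREE_EMPTY_LINE,       /* only whitespace */
    MTREE_EMPTY_NAME,       /* name was only slashes, e.g. "/" */
    MTREE_NAME_TOO_LONG,
    MTREE_TOO_MANY_KEYS
};

struct mtree_kv {
    const char *key; size_t key_len;   /* point into the caller's line */
    const char *val; size_t val_len;   /* val == NULL for valueless keywords */
};

struct mtree_fields {
    char name[MTREE_NAME_MAX];   /* NUL-terminated copy, trailing '/' stripped */
    size_t name_len;
    int is_dir;                  /* 1 if the raw name ended in '/' */
    struct mtree_kv kv[MTREE_KEYS_MAX];
    size_t nkv;
};

/* Constructed input: the two lines of the reporter's sample file. */
static const char SAMPLE_MTREE[] = "0\nlink=0 0/";

static int is_blank(char c) { return c == ' ' || c == '\t' || c == '\r'; }

/* Advance past blanks, never beyond end. */
static const char *skip_blanks(const char *p, const char *end)
{
    while (p < end && is_blank(*p)) p++;
    return p;
}

/* End of the token starting at p: first blank, or end. */
static const char *token_end(const char *p, const char *end)
{
    while (p < end && !is_blank(*p)) p++;
    return p;
}

enum mtree_status mtree_split_line(const char *line, size_t len,
                                   struct mtree_fields *out)
{
    const char *end = line + len, *p, *tok, *name_end;

    memset(out, 0, sizeof(*out));
    p = skip_blanks(line, end);
    if (p == end)
        return MTREE_EMPTY_LINE;

    /* Name token.  The guard name_end > tok is evaluated BEFORE name_end[-1]
     * is read; without it an all-slash or empty name walks the pointer to
     * index -1 of the heap buffer, which is what ASan calls "1 bytes to the
     * left of" the region. */
    tok = p;
    p = name_end = token_end(p, end);
    while (name_end > tok && name_end[-1] == '/') {
        name_end--;
        out->is_dir = 1;
    }
    out->name_len = (size_t)(name_end - tok);
    if (out->name_len == 0)
        return MTREE_EMPTY_NAME;
    if (out->name_len >= sizeof(out->name))
        return MTREE_NAME_TOO_LONG;
    memcpy(out->name, tok, out->name_len);   /* source lies within [tok, end) */
    out->name[out->name_len] = '\0';

    /* Keyword tokens; '=' is searched only inside the token's own bytes. */
    for (;;) {
        const char *eq;
        p = skip_blanks(p, end);
        if (p == end)
            return MTREE_OK;
        if (out->nkv == MTREE_KEYS_MAX)
            return MTREE_TOO_MANY_KEYS;
        tok = p;
        p = token_end(p, end);
        eq = memchr(tok, '=', (size_t)(p - tok));
        out->kv[out->nkv].key = tok;
        if (eq != NULL) {
            out->kv[out->nkv].key_len = (size_t)(eq - tok);
            out->kv[out->nkv].val = eq + 1;
            out->kv[out->nkv].val_len = (size_t)(p - (eq + 1));
        } else {
            /* Valueless keywords ("optional", "ignore", ...) are legal mtree. */
            out->kv[out->nkv].key_len = (size_t)(p - tok);
        }
        out->nkv++;
    }
}

/* Split a whole buffer line by line.  Returns the status of the first line
 * that is neither OK nor blank and stores its 0-based index in *bad_line;
 * on success stores the number of lines seen. */
enum mtree_status mtree_check_buffer(const char *buf, size_t n, size_t *bad_line)
{
    const char *p = buf, *end = buf + n;
    size_t lineno = 0;
    struct mtree_fields f;

    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *le = nl ? nl : end;
        enum mtree_status st = mtree_split_line(p, (size_t)(le - p), &f);
        if (st != MTREE_OK && st != MTREE_EMPTY_LINE) {
            *bad_line = lineno;
            return st;
        }
        p = nl ? nl + 1 : end;
        lineno++;
    }
    *bad_line = lineno;
    return MTREE_OK;
}

int main(void)
{
    size_t bad;
    enum mtree_status st = mtree_check_buffer(SAMPLE_MTREE,
                                              sizeof(SAMPLE_MTREE) - 1, &bad);
    printf("status %d after %zu line(s)\n", (int)st, bad);
    return st == MTREE_OK ? 0 : 1;
}
```

The property worth verifying in any fix for a report of this shape is the one in the trailing-slash loop and the copy that follows it: the pointer is compared with the start of the line before anything at offset -1 is read, and the memcpy length is derived from two pointers that both lie inside the line. To reproduce the report in-process under ASan instead of through bsdtar, the same bytes can be handed to archive_read_open_memory() on a reader with archive_read_support_format_mtree() enabled and iterated with archive_read_next_header().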

@kientzle kientzle self-assigned this Jul 14, 2015

@kientzle kientzle modified the milestone: 3.2 Aug 1, 2015

kientzle commented Apr 3, 2016

Fixed in 64d5628

@kientzle kientzle closed this Apr 3, 2016