Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Out of bounds read in function process_add_entry() on malformed mtree file #550

Closed
hannob opened this issue May 21, 2015 · 1 comment
Closed
Assignees
Milestone

Comments

@hannob
Copy link
Contributor

hannob commented May 21, 2015

This sample file will generate an out of bounds read access:
https://crashes.fuzzing-project.org/libarchive-oob-process_add_entry.mtree

File content:
0
link=0 0/

Address Sanitizer output:
==26344==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ef4f at pc 0x0000004b26cc bp 0x7fff5ddb01d0 sp 0x7fff5ddaf988
READ of size 1 at 0x60300000ef4f thread T0
#0 0x4b26cb in __asan_memcpy (/f/libarchive/libarchive/bsdtar+0x4b26cb)
#1 0x8d28ac in process_add_entry /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:911:2
#2 0x8b4fc1 in read_mtree /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:984:8
#3 0x8ad598 in read_header /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:1033:7
#4 0x62452d in _archive_read_next_header2 /f/libarchive/libarchive/libarchive/archive_read.c:645:8
#5 0x622de2 in _archive_read_next_header /f/libarchive/libarchive/libarchive/archive_read.c:685:8
#6 0xb0c7de in archive_read_next_header /f/libarchive/libarchive/libarchive/archive_virtual.c:148:11
#7 0x513e1f in read_archive /f/libarchive/libarchive/tar/read.c:263:7
#8 0x51835b in tar_mode_x /f/libarchive/libarchive/tar/read.c:114:2
#9 0x4fee52 in main /f/libarchive/libarchive/tar/bsdtar.c:805:3
#10 0x7f26f4e54f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#11 0x442206 in _start (/f/libarchive/libarchive/bsdtar+0x442206)

0x60300000ef4f is located 1 bytes to the left of 32-byte region [0x60300000ef50,0x60300000ef70)
allocated by thread T0 here:
#0 0x4c9515 in realloc (/f/libarchive/libarchive/bsdtar+0x4c9515)
#1 0xa86925 in archive_string_ensure /f/libarchive/libarchive/libarchive/archive_string.c:311:14
#2 0x8ce613 in readline /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:1947:7
#3 0x8b41d7 in read_mtree /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:963:9
#4 0x8ad598 in read_header /f/libarchive/libarchive/libarchive/archive_read_support_format_mtree.c:1033:7
#5 0x62452d in _archive_read_next_header2 /f/libarchive/libarchive/libarchive/archive_read.c:645:8
#6 0x622de2 in _archive_read_next_header /f/libarchive/libarchive/libarchive/archive_read.c:685:8
#7 0xb0c7de in archive_read_next_header /f/libarchive/libarchive/libarchive/archive_virtual.c:148:11
#8 0x513e1f in read_archive /f/libarchive/libarchive/tar/read.c:263:7
#9 0x51835b in tar_mode_x /f/libarchive/libarchive/tar/read.c:114:2
#10 0x4fee52 in main /f/libarchive/libarchive/tar/bsdtar.c:805:3
#11 0x7f26f4e54f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9de0: fa fa fa fa 00 00 00 00 fa[fa]00 00 00 00 fa fa
0x0c067fff9df0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26344==ABORTING

@kientzle kientzle self-assigned this Jul 14, 2015
@kientzle kientzle modified the milestone: 3.2 Aug 1, 2015
@kientzle
Copy link
Contributor

kientzle commented Apr 3, 2016

Fixed in 64d5628

@kientzle kientzle closed this as completed Apr 3, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants