
memory allocate error #705

Closed
vah13 opened this issue May 12, 2016 · 7 comments

@vah13

vah13 commented May 12, 2016

Hi guys.
Using afl & asan I found some exceptions with memory allocation.
exp1

exp2

exp3

*download file and remove .png extension

@vah13
Author

vah13 commented May 12, 2016

==28519==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:66 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7f415bfe5ba3 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x59ba3)
    #1 0x7f415bfe9ae3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5dae3)
    #2 0x7f415bfee4c1 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x624c1)
    #3 0x7f415bfa89d8 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x1c9d8)
    #4 0x7f415bfe06f0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x546f0)
    #5 0x46ed4e in __archive_read_filter_ahead libarchive/archive_read.c:1436
    #6 0x46ed4e in __archive_read_ahead libarchive/archive_read.c:1303
    #7 0x502611 in archive_read_format_cpio_read_header libarchive/archive_read_support_format_cpio.c:404
    #8 0x46193d in _archive_read_next_header2 libarchive/archive_read.c:649
    #9 0x46193d in _archive_read_next_header libarchive/archive_read.c:687
    #10 0x4150f6 in read_archive tar/read.c:261
    #11 0x4171c6 in tar_mode_t tar/read.c:94
    #12 0x40b07d in main tar/bsdtar.c:803
    #13 0x7f415b01bb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #14 0x40dfbe (/usr/local/bin/bsdtar+0x40dfbe)

@kientzle
Contributor

This is caused when a corrupted cpio archive has a ridiculously large size for a symlink. malloc() fails here when trying to allocate memory to contain the entire symlink.

I've looked through the surrounding code and it looks like libarchive correctly handles the malloc() failure in this case.

I suppose the cpio code could sanity-check the symlink size and return ARCHIVE_FATAL in this case without even trying to read it, but that would be a fairly minor improvement.

@vah13
Author

vah13 commented May 12, 2016

I agree with you.

@vah13
Author

vah13 commented May 12, 2016

But I don't use bsdcpio; my test case is bsdtar -tf %file_name%

@kientzle
Contributor

bsdtar recognizes and extracts many formats, including cpio formats.

@kientzle
Contributor

I just pushed commit fd7e0c0 which rejects archives with symlinks more than 1MB in size.

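As an added example (not libarchive's code and not the commit referenced above), a check of the kind the comment describes: parse the mode and file-size fields of a cpio "newc" header and refuse a symlink entry whose claimed size exceeds an assumed 1 MiB cap before any memory is allocated for its body. The header-building helper is constructed for the demonstration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libarchive code: reject oversized symlink bodies in a
 * cpio "newc" header before any allocation. The 1 MiB cap is assumed from
 * the comment above; field layout follows the SVR4 newc format. */
#define SYMLINK_SIZE_LIMIT (1024u * 1024u)
#define NEWC_HEADER_LEN 110
#define NEWC_MODE_OFF 14       /* 8 hex chars: st_mode */
#define NEWC_FILESIZE_OFF 54   /* 8 hex chars: body length */

/* Parse an 8-character ASCII hex field; -1 if any byte is not hex. */
static int parse_hex8(const char *p, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        int d;
        if (p[i] >= '0' && p[i] <= '9') d = p[i] - '0';
        else if (p[i] >= 'a' && p[i] <= 'f') d = p[i] - 'a' + 10;
        else if (p[i] >= 'A' && p[i] <= 'F') d = p[i] - 'A' + 10;
        else return -1;
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return 0;
}

/* 1: symlink with an acceptable size; 0: not a symlink, handle normally;
 * -1: malformed header or symlink body over the cap (treat as fatal). */
int cpio_newc_check_symlink(const char *hdr, size_t len, uint32_t *size_out) {
    uint32_t mode, filesize;
    if (len < NEWC_HEADER_LEN || memcmp(hdr, "070701", 6) != 0) return -1;
    if (parse_hex8(hdr + NEWC_MODE_OFF, &mode) != 0) return -1;
    if (parse_hex8(hdr + NEWC_FILESIZE_OFF, &filesize) != 0) return -1;
    *size_out = filesize;
    if ((mode & 0170000) != 0120000) return 0;   /* not S_IFLNK */
    /* A corrupted header can claim up to 4 GiB here; refuse before malloc(). */
    return filesize > SYMLINK_SIZE_LIMIT ? -1 : 1;
}

/* Build a constructed 110-byte newc header (all other fields zero). */
void make_newc_header(char *hdr, uint32_t mode, uint32_t filesize) {
    char tmp[9];
    memset(hdr, '0', NEWC_HEADER_LEN);
    memcpy(hdr, "070701", 6);
    snprintf(tmp, sizeof tmp, "%08x", mode);
    memcpy(hdr + NEWC_MODE_OFF, tmp, 8);
    snprintf(tmp, sizeof tmp, "%08x", filesize);
    memcpy(hdr + NEWC_FILESIZE_OFF, tmp, 8);
}
```

A caller that gets -1 would return ARCHIVE_FATAL without ever calling malloc(), which is the behaviour the comment above proposes.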
@vah13
Author

vah13 commented May 31, 2016

CVE-2016-4809
