Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in archive_read_format_cab_read_header #835

Closed
asarubbo opened this issue Dec 6, 2016 · 4 comments

Comments

Projects
None yet
3 participants
@asarubbo
Copy link

commented Dec 6, 2016

On 3.2.2:

# bsdtar -t -f $FILE
=================================================================                                                                                                                              
==21129==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000ff00 at pc 0x7fa070bd7827 bp 0x7fffb7183a30 sp 0x7fffb7183a28                                                      
READ of size 1 at 0x61500000ff00 thread T0                                                                                                                                                     
    #0 0x7fa070bd7826 in archive_read_format_cab_read_header /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_support_format_cab.c:903:9                   
    #1 0x7fa070b7145b in _archive_read_next_header2 /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:649:7                                               
    #2 0x7fa070b71100 in _archive_read_next_header /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:687:8                                                
    #3 0x514c89 in read_archive /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/read.c:261:7                                                                                  
    #4 0x51416b in tar_mode_t /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/read.c:94:2                                                                                     
    #5 0x50f1a8 in main /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/bsdtar.c:803:3
    #6 0x7fa06fc0461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x41c168 in _init (/usr/bin/bsdtar+0x41c168)

0x61500000ff00 is located 0 bytes to the right of 512-byte region [0x61500000fd00,0x61500000ff00)
allocated by thread T0 here:
    #0 0x4d4f28 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fa070b6c854 in __archive_read_filter_ahead /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:1436:17
    #2 0x7fa070c528cd in archive_read_format_tar_bid /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_support_format_tar.c:310:6
    #3 0x7fa070b66670 in choose_format /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:712:10
    #4 0x7fa070b66670 in archive_read_open1 /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:529
    #5 0x7fa070b8d2e1 in archive_read_open_filenames /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_open_filename.c:152:10
    #6 0x7fa070b8ce8b in archive_read_open_filename /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_open_filename.c:109:9
    #7 0x5149eb in read_archive /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/read.c:223:6
    #8 0x51416b in tar_mode_t /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/read.c:94:2
    #9 0x50f1a8 in main /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/bsdtar.c:803:3
    #10 0x7fa06fc0461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_support_format_cab.c:903:9 in archive_read_format_cab_read_header
Shadow bytes around the buggy address:
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9fe0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21129==ABORTING

Testcase: https://github.com/asarubbo/poc/blob/master/00106-libarchive-heapoverflow-archive_read_format_cab_read_header

Could you check if it a duplicate of #797 or a similar bug?

@jsonn

This comment has been minimized.

Copy link
Contributor

commented Dec 6, 2016

Please test against trunk.

@asarubbo

This comment has been minimized.

Copy link
Author

commented Dec 6, 2016

current master seems to be fine with the provided testcase

@jsonn jsonn closed this Dec 20, 2016

@carnil

This comment has been minimized.

Copy link

commented May 1, 2017

This issue has been assigned CVE-2016-10350

@carnil

This comment has been minimized.

Copy link

commented May 1, 2017

Hi

I tried to bisect to find the fixing commit, the following lead me to 88eb9e1 to fix this issue.

git bisect start '--term-old' 'broken' '--term-new' 'fixed'
# broken: [629358182b04d7de2316bbd29708c58ddf797fd2] Libarchive 3.2.2
git bisect broken 629358182b04d7de2316bbd29708c58ddf797fd2
# fixed: [b68a5cd06c38281ff24af7e7ab79a5118018c085] Fix build on ancient systems without int64_t definition.
git bisect fixed b68a5cd06c38281ff24af7e7ab79a5118018c085
# fixed: [6a509898d71ad4b31e4e4a00f42f7e8b00b7f03a] Disable automatic detection of liblzo2 Replace liblzo with lzop in Travis CI builds Fix lzop tests
git bisect fixed 6a509898d71ad4b31e4e4a00f42f7e8b00b7f03a
# fixed: [7f6565656cf20c74057289d784f548ffd189b416] Allocate memory precisely. Avoid recomputions of sizes.
git bisect fixed 7f6565656cf20c74057289d784f548ffd189b416
# fixed: [ddb3954bfdb9a0a98d50fb1c50cbecb603d9adf0] Add more explanation comments to validate_number_field()
git bisect fixed ddb3954bfdb9a0a98d50fb1c50cbecb603d9adf0
# broken: [515c0f32612d990af5e4245dcdb135a89432a9ed] Merge pull request #825 from josusky/master
git bisect broken 515c0f32612d990af5e4245dcdb135a89432a9ed
# broken: [fa8dc4e93c45182de73cded86ebf58a348851f05] Spelling fixes (#830)
git bisect broken fa8dc4e93c45182de73cded86ebf58a348851f05
# fixed: [53d73345410d69e68171f05facaf4523e38e72bb] Fix heap buffer overflow in uudecode_bidder_bid()
git bisect fixed 53d73345410d69e68171f05facaf4523e38e72bb
# fixed: [88eb9e1d73fef46f04677c25b1697b8e25777ed3] Reread the CAB header skipping the self-extracting binary code.
git bisect fixed 88eb9e1d73fef46f04677c25b1697b8e25777ed3
# broken: [2d2b3e928605f795515b03f060fd638c265b0778] Restore compatibility with Perl Archive::Tar that was broken with #825
git bisect broken 2d2b3e928605f795515b03f060fd638c265b0778
# first fixed commit: [88eb9e1d73fef46f04677c25b1697b8e25777ed3] Reread the CAB header skipping the self-extracting binary code

tkatila added a commit to intel/ref-os-iot that referenced this issue Jun 8, 2017

libarchive: CVE-2016-10349 & CVE-2016-10350
libarchive/libarchive#835
libarchive/libarchive#834
libarchive/libarchive@88eb9e1?diff=unified

Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
Reviewed-by: Ravindran, Arun <arun.ravindran@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.