SIGSEGV in archive_wstring_append_from_mbs() #842

Closed
fumfel opened this issue Dec 12, 2016 · 10 comments

fumfel commented Dec 12, 2016

SIGSEGV in archive_wstring_append_from_mbs()

Tested on Git HEAD: 54546be

Payload: https://frankowicz.me/storage/crashes/la_segv_archive_wstring_append_from_mbs

To reproduce: bsdtar -t -f la_segv_archive_wstring_append_from_mbs

ASAN Output:

```
==1002==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005fb3cc bp 0x7ffc5999dae0 sp 0x7ffc5999daa0 T0)
    #0 0x5fb3cb in archive_wstring_append_from_mbs libarchive/archive_string.c:603
    #1 0x60363a in archive_mstring_get_wcs libarchive/archive_string.c:3929
    #2 0x42a1c4 in archive_entry_pathname_w libarchive/archive_entry.c:580
    #3 0x5bfee9 in zip_read_local_file_header libarchive/archive_read_support_format_zip.c:871
    #4 0x5c2b1d in archive_read_format_zip_streamable_read_header libarchive/archive_read_support_format_zip.c:2149
    #5 0x45841b in _archive_read_next_header2 libarchive/archive_read.c:648
    #6 0x45841b in _archive_read_next_header libarchive/archive_read.c:686
    #7 0x41280f in read_archive tar/read.c:261
    #8 0x414b06 in tar_mode_t tar/read.c:94
    #9 0x40963f in main tar/bsdtar.c:803
    #10 0x7fb92a6f482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x40c3e8 in _start (/usr/local/bin/bsdtar+0x40c3e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libarchive/archive_string.c:603 archive_wstring_append_from_mbs
==1002==ABORTING
```

@fumfel fumfel changed the title SIGSEGV in archive_wstring_append_from_mbs libarchive() SIGSEGV in archive_wstring_append_from_mbs() Dec 12, 2016
@mmatuska
Member

Could you please re-test with latest master?

@fumfel
Author

fumfel commented Dec 29, 2016

e8a9de5 works fine :)

@fumfel fumfel closed this as completed Dec 29, 2016
@rhertzog

rhertzog commented Apr 6, 2017

@fumfel I am unable to reproduce the segfault, not even when I reuse the very same git commit as you. Is https://frankowicz.me/storage/crashes/la_segv_archive_wstring_append_from_mbs the correct payload?

Here's the checksum of the file that I downloaded:
```
$ sha1sum CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
594afbd22628a6f78b466d235e235eebd25fb029 CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
```

Instead of the segfault I always get this error message:
```
$ bsdtar -t -f CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
bsdtar: Archive entry has empty or unreadable filename ... skipping.
bsdtar: (null)
bsdtar: Error exit delayed from previous errors.
```
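The crash trace in the report enters `archive_wstring_append_from_mbs` from `zip_read_local_file_header`, and the patched bsdtar above reports the same payload as an entry with an "empty or unreadable filename". As an added example (my own code, not libarchive's), the scanner below walks the local file headers of a ZIP image and counts entries whose filename length field is zero, so such archives can be flagged before an unpatched libarchive is handed them. It assumes entries without data descriptors (general-purpose flag bit 3 clear), so each header carries its compressed size; the sample image is constructed by hand.

```c
/* Added example, not libarchive code: count ZIP local file headers whose
 * filename field is empty. Assumes no data descriptors, so the compressed
 * size in each header is valid and can be used to skip the entry's data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LFH_SIG 0x04034b50u   /* local file header signature "PK\3\4" */
#define LFH_LEN 30            /* fixed part of a local file header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of local file headers with a zero-length filename,
 * or -1 if a header's declared lengths run past the end of the buffer. */
int count_empty_filenames(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int empty = 0;
    while (off + LFH_LEN <= len && rd32(buf + off) == LFH_SIG) {
        const uint8_t *h = buf + off;
        uint32_t csize = rd32(h + 18);                   /* compressed size */
        uint16_t nlen = rd16(h + 26), xlen = rd16(h + 28); /* name, extra */
        size_t total = (size_t)LFH_LEN + nlen + xlen + csize;
        if (total > len - off)       /* header claims more bytes than exist */
            return -1;
        if (nlen == 0)
            empty++;
        off += total;
    }
    return empty;
}

/* Constructed sample: entry "a.txt" storing 2 bytes, followed by an entry
 * whose filename length is 0 and which stores 1 byte. */
static const uint8_t sample_zip[] = {
    0x50,0x4b,0x03,0x04, 0x0a,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x05,0x00, 0x00,0x00,
    'a','.','t','x','t', 'h','i',
    0x50,0x4b,0x03,0x04, 0x0a,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00, 0x00,0x00,
    'x',
};

int scan_sample(void) { return count_empty_filenames(sample_zip, sizeof sample_zip); }

int main(void) { printf("empty-filename entries: %d\n", scan_sample()); return 0; }
```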

@carnil

carnil commented Apr 7, 2017

Looking at the possible commits which fix the issue, I guess the right one is 42a3408 (as e8a9de5 is just a change for the "Fix style typo in tar.5"), which is as well between the reporting date and the confirmation that it does not happen anymore on "latest master".

@carnil

carnil commented Apr 7, 2017

FTR, this issue has been assigned CVE-2016-10209

@attritionorg

For reference, this is also known as CVE-2016-1000349 which is listed as an assignment duplicate.

@msmeissn

Are you using a special $LANG?

@rhertzog

rhertzog commented Apr 10, 2017

@msmeissn I have LANG set but it's not really a "special" value, just plain French.

```
$ env|grep LANG
LANG=fr_FR.UTF-8
GDM_LANG=fr_FR.UTF-8
```

@msmeissn

I was wondering about the original reporter. I also cannot get it to crash with "C" or de_DE.utf8.

@fumfel
Author

fumfel commented Apr 10, 2017

I don't remember - probably I have "pl_PL.utf8" or "en_US.utf8".
