
SIGSEGV in archive_wstring_append_from_mbs() #842

Closed
fumfel opened this issue Dec 12, 2016 · 10 comments
@fumfel
commented Dec 12, 2016

SIGSEGV in archive_wstring_append_from_mbs()

Tested on Git HEAD: 54546be

Payload: https://frankowicz.me/storage/crashes/la_segv_archive_wstring_append_from_mbs

To reproduce: bsdtar -t -f la_segv_archive_wstring_append_from_mbs

ASAN Output:

```
==1002==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005fb3cc bp 0x7ffc5999dae0 sp 0x7ffc5999daa0 T0)
    #0 0x5fb3cb in archive_wstring_append_from_mbs libarchive/archive_string.c:603
    #1 0x60363a in archive_mstring_get_wcs libarchive/archive_string.c:3929
    #2 0x42a1c4 in archive_entry_pathname_w libarchive/archive_entry.c:580
    #3 0x5bfee9 in zip_read_local_file_header libarchive/archive_read_support_format_zip.c:871
    #4 0x5c2b1d in archive_read_format_zip_streamable_read_header libarchive/archive_read_support_format_zip.c:2149
    #5 0x45841b in _archive_read_next_header2 libarchive/archive_read.c:648
    #6 0x45841b in _archive_read_next_header libarchive/archive_read.c:686
    #7 0x41280f in read_archive tar/read.c:261
    #8 0x414b06 in tar_mode_t tar/read.c:94
    #9 0x40963f in main tar/bsdtar.c:803
    #10 0x7fb92a6f482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x40c3e8 in _start (/usr/local/bin/bsdtar+0x40c3e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libarchive/archive_string.c:603 in archive_wstring_append_from_mbs
==1002==ABORTING
```

@fumfel fumfel changed the title SIGSEGV in archive_wstring_append_from_mbs libarchive() SIGSEGV in archive_wstring_append_from_mbs() Dec 12, 2016

@mmatuska

Member

commented Dec 29, 2016

Could you please re-test with latest master?

@fumfel

Author

commented Dec 29, 2016

e8a9de5 works fine :)

@fumfel fumfel closed this Dec 29, 2016

@rhertzog


commented Apr 6, 2017

@fumfel I am unable to reproduce the segfault, not even when I reuse the very same git commit as you. Is https://frankowicz.me/storage/crashes/la_segv_archive_wstring_append_from_mbs the correct payload?

Here's the checksum of the file that I downloaded:
```
$ sha1sum CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
594afbd22628a6f78b466d235e235eebd25fb029 CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
```

Instead of the segfault I always get this error message:
```
$ bsdtar -t -f CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
bsdtar: Archive entry has empty or unreadable filename ... skipping.
bsdtar: (null)
bsdtar: Error exit delayed from previous errors.
```

@carnil


commented Apr 7, 2017

Looking at the possible commits which fix the issue, I guess the right one is 42a3408 (as e8a9de5 is just a change for the "Fix style typo in tar.5"), which is as well between the reporting date and the confirmation that it does not happen anymore on "latest master".

@carnil


commented Apr 7, 2017

FTR, this issue has been assigned CVE-2016-10209.

@attritionorg


commented Apr 8, 2017

For reference, this is also known as CVE-2016-1000349 which is listed as an assignment duplicate.

@msmeissn


commented Apr 10, 2017

Are you using a special $LANG?

@rhertzog


commented Apr 10, 2017

@msmeissn I have LANG set but it's not really a "special" value, just plain French.

```
$ env|grep LANG
LANG=fr_FR.UTF-8
GDM_LANG=fr_FR.UTF-8
```
@msmeissn


commented Apr 10, 2017

I was wondering about the original reporter. I also cannot get it to crash with "C" or de_DE.utf8.

@fumfel

Author

commented Apr 10, 2017

I don't remember - probably I have "pl_PL.utf8" or "en_US.utf8".
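The stack trace in the report shows a ZIP local file header's name going through libarchive's multibyte-to-wide conversion, and the later comments show that whether it reproduces depends on $LANG. As an added illustration that is not libarchive code and not the reporter's payload, the parser below reads the same header layout but chooses the name's codec from the header's own UTF-8 flag rather than the process locale, and skips empty or undecodable names instead of failing, the behaviour the fixed bsdtar reports above. The sample archive bytes are constructed inline.

```python
import struct

# ZIP local file header: signature, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length.
LFH_SIG = 0x04034B50
LFH_FMT = "<IHHHHHIIIHH"
LFH_LEN = struct.calcsize(LFH_FMT)   # 30 bytes
UTF8_FLAG = 1 << 11                  # general-purpose bit 11: name is UTF-8

def build_lfh(name: bytes, flags: int = 0) -> bytes:
    """Build a header with no data; helper for the constructed sample below."""
    return struct.pack(LFH_FMT, LFH_SIG, 20, flags, 0, 0, 0, 0, 0, 0, len(name), 0) + name

def read_local_file_header(buf: bytes, off: int = 0):
    """Return (name_or_None, reason, next_offset) for the header at `off`."""
    if len(buf) - off < LFH_LEN:
        raise ValueError("truncated local file header")
    f = struct.unpack_from(LFH_FMT, buf, off)
    if f[0] != LFH_SIG:
        raise ValueError("bad local file header signature")
    flags, nlen, xlen = f[2], f[9], f[10]
    raw = buf[off + LFH_LEN: off + LFH_LEN + nlen]
    if len(raw) != nlen:
        raise ValueError("truncated filename")
    nxt = off + LFH_LEN + nlen + xlen
    if nlen == 0:
        return None, "empty filename", nxt
    # Pick the codec from the header's own flag, not from the process locale.
    codec = "utf-8" if flags & UTF8_FLAG else "cp437"
    try:
        return raw.decode(codec), "ok", nxt
    except UnicodeDecodeError:
        return None, f"filename not decodable as {codec}", nxt

def list_entries(buf: bytes) -> list:
    """Walk consecutive headers, skipping (not crashing on) unreadable names."""
    names, off = [], 0
    while off < len(buf):
        name, reason, off = read_local_file_header(buf, off)
        names.append(name if name is not None else f"<skipped: {reason}>")
    return names

# Constructed sample, not the payload from the issue: a plain name, an empty
# name, invalid UTF-8 with the UTF-8 flag set, and a valid UTF-8 name.
SAMPLE = (build_lfh(b"ok.txt") + build_lfh(b"") +
          build_lfh(b"\xff\xfe", UTF8_FLAG) + build_lfh("caf\u00e9.txt".encode(), UTF8_FLAG))

if __name__ == "__main__":
    for n in list_entries(SAMPLE):
        print(n)
```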
