out-of-bounds read in lha_read_data_none() #948

Closed
@carnil

Hi

The following was reported downstream in Debian at https://bugs.debian.org/875960

The oob.lha base64 encoded is:

YQAtbGgwLQwAAAAMAAAAADs9SyACeJdNBwBh5AQAAAwAAWhlbGxvLnR4dBMAQv9zdWJkaXL/c3Vi
ZGlyMv8bAEEAAG5cdYrKAQAAblx1in8fAORrn6AjzQEGAADnVA8AADA=

Tested against 5562545:

ASAN_OPTIONS="detect_leaks=0" ./bsdtar -xOf ~/oob.lha
=================================================================
==21722==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000024800 at pc 0x56536be61878 bp 0x7fffa2254ec0 sp 0x7fffa2254eb8
READ of size 2 at 0x631000024800 thread T0
    #0 0x56536be61877 in lha_crc16 libarchive/archive_read_support_format_lha.c:1740
    #1 0x56536be5f791 in lha_read_data_none libarchive/archive_read_support_format_lha.c:1429
    #2 0x56536be5f385 in archive_read_format_lha_read_data libarchive/archive_read_support_format_lha.c:1390
    #3 0x56536be06398 in _archive_read_data_block libarchive/archive_read.c:986
    #4 0x56536bec9481 in archive_read_data_block libarchive/archive_virtual.c:161
    #5 0x56536be0af76 in archive_read_data_into_fd libarchive/archive_read_data_into_fd.c:101
    #6 0x56536bde0c1e in read_archive tar/read.c:369
    #7 0x56536bddf303 in tar_mode_x tar/read.c:112
    #8 0x56536bddc62d in main tar/bsdtar.c:866
    #9 0x7fd1bd14c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #10 0x56536bdd7f79 in _start (/root/libarchive/bsdtar+0x3ff79)

0x631000024800 is located 0 bytes to the right of 65536-byte region [0x631000014800,0x631000024800)
allocated by thread T0 here:
    #0 0x7fd1bea69b70 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9b70)
    #1 0x56536be1926e in file_open libarchive/archive_read_open_filename.c:358
    #2 0x56536be03da8 in archive_read_open1 libarchive/archive_read.c:480
    #3 0x56536be186ba in archive_read_open_filenames libarchive/archive_read_open_filename.c:152
    #4 0x56536be182ae in archive_read_open_filename libarchive/archive_read_open_filename.c:109
    #5 0x56536bddfed2 in read_archive tar/read.c:222
    #6 0x56536bddf303 in tar_mode_x tar/read.c:112
    #7 0x56536bddc62d in main tar/bsdtar.c:866
    #8 0x7fd1bd14c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow libarchive/archive_read_support_format_lha.c:1740 in lha_crc16
Shadow bytes around the buggy address:
  0x0c627fffc8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffc900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21722==ABORTING
