rar: Fix OOB access with unicode filenames #2203

Merged: 1 commit, Jun 2, 2024

stoeckmann
Contributor

Prevent out of boundary accesses by revalidating offset every time it is incremented.
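
The pattern the description names, as an added example (not libarchive's code and not part of this pull request): in a flag-driven decoder the loop-head bounds test is not enough, because the body advances the offset several times before that test runs again, so every read goes through a checked helper. The encoding, `next_byte`, `decode_name` and `sample_name` are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: high 0x04, flags 0x1B (codes 0,1,2,3), then data. */
const uint8_t sample_name[] = { 0x04, 0x1B, 0x41, 0x10, 0x34, 0x12 };

/* Read one byte only if *off is still below end, then advance *off. */
static int next_byte(const uint8_t *p, size_t end, size_t *off, uint8_t *b)
{
	if (*off >= end)
		return -1;
	*b = p[(*off)++];
	return 0;
}

/*
 * Hypothetical encoding: p[0] = default high byte, then flag bytes holding
 * four 2-bit codes (MSB first): 0 = low byte follows, high is 0; 1 = low byte
 * follows, high is the default; 2 = low and high byte follow; 3 = end.
 * Returns the number of 16-bit units written, or -1 on truncated input.
 */
long decode_name(const uint8_t *p, size_t end, uint16_t *out, size_t out_max)
{
	size_t off = 0, n = 0;
	uint8_t high, flags = 0, lo, hi;
	unsigned bits = 0, code;
	if (next_byte(p, end, &off, &high))
		return -1;
	/* The loop-head test covers only the first read of an iteration; the
	 * body can advance off up to three times, so each read is rechecked. */
	while (off < end && n < out_max) {
		if (bits == 0) {
			if (next_byte(p, end, &off, &flags))
				return -1;
			bits = 8;
		}
		bits -= 2;
		code = (flags >> bits) & 3;
		if (code == 3)
			return (long)n;
		if (next_byte(p, end, &off, &lo))
			return -1;	/* flag byte was the last byte of the buffer */
		hi = (code == 1) ? high : 0;
		if (code == 2 && next_byte(p, end, &off, &hi))
			return -1;	/* low byte present, high byte missing */
		out[n++] = (uint16_t)((hi << 8) | lo);
	}
	return (long)n;
}
```

Passing a shorter `end` for the same buffer simulates a truncated name field: the decoder reports an error instead of reading past the field.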

@stoeckmann
Contributor Author

Again it takes a specialized proof of concept binary to allow address sanitizer to detect this OOB access.

Proof of Concept:

1. Compile libarchive with `-fsanitize=address`
2. Create poc.rar

```
base64 -d <<< UmFyIRoHAAZBdAACIQAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAA= > poc.rar
```

3. Create proof of concept code (write into poc.c)

```c
#include <archive.h>
#include <err.h>

int
main(void)
{
	struct archive *a;
	struct archive_entry *entry;

	a = archive_read_new();
	archive_read_support_format_rar(a);

	/* NULL filename reads from stdin; 26 is the read block size in bytes */
	if (archive_read_open_filename(a, NULL, 26))
		errx(1, "archive_read_open_filename");
	/* Parsing the first header is where the sanitizer reports the access */
	if (archive_read_next_header(a, &entry))
		errx(2, "archive_read_next_header");

	archive_read_close(a);
	archive_read_free(a);

	return 0;
}
```

4. Compile poc.c

```
cc -fsanitize=address -larchive -o poc poc.c
```

5. Run poc with pipe input (to avoid disk-optimized block sizes)

```
cat poc.rar | ./poc     # maybe set LD_LIBRARY_PATH to ASAN'ed library
```

Prevent out of boundary accesses by revalidating offset every time it
is incremented.
@kientzle kientzle merged commit 582190e into libarchive:master Jun 2, 2024
19 of 20 checks passed