Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack


From: Ladislav Michnovič
Subject: Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow
Date: Fri, 17 Aug 2007 11:37:03 +0200

2007/8/17, Dmitry V. Levin <address@hidden>:
> Hi,
>
> paxlib's safer_name_suffix() function uses alloca() to report the prefix string
> it is going to strip, and recent tar and cpio versions use this function
> both in list and extract modes.
> The problem is that the length of this string (i.e. the size passed to alloca)
> is under the tarball owner's control.
> As a result, tar/cpio crashes if this string is sufficiently long.
>
> Fortunately, the memcpy() call which follows the alloca() call makes this stack
> overflow a plain crash, so it does not look exploitable.
>
> Reproducer:
> $ ulimit -s
> 8192
> $ ./tarnull null.tar
> $ bzip2 -9 null.tar
> $ ls -log null.tar.bz2
> -rw-r--r-- 1 543 Aug 15 18:00 null.tar.bz2
> $ tar tf null.tar.bz2
> Segmentation fault

Hello.

 I have tested your reproducer and I got a segfault. I recompiled
cpio 2.9 with your patch but I'm still getting a segfault.
Have I missed something?

 Regards Ladislav.
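
The alloca-to-heap change named in the subject line, as an added C sketch that is not part of this thread and is not the patch under discussion. `prefix_len`, `strip_alloca`, `strip_heap`, `check_heap` and the message text are hypothetical names chosen for illustration, and the "prefix" is simplified to the leading run of `/` characters.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the prefix being stripped: the leading '/' run. */
static size_t prefix_len(const char *name) { return strspn(name, "/"); }

/* "Before" pattern: stack usage grows with a length read from the archive. */
const char *strip_alloca(const char *name, char *msg, size_t msgsz)
{
    size_t len = prefix_len(name);
    char *prefix = alloca(len + 1);      /* unbounded, and has no failure path */
    memcpy(prefix, name, len);
    prefix[len] = '\0';
    snprintf(msg, msgsz, "stripping prefix '%.32s'", prefix);
    return name + len;
}

/* "After" pattern: heap copy, so an oversized length fails cleanly. */
const char *strip_heap(const char *name, char *msg, size_t msgsz)
{
    size_t len = prefix_len(name);
    char *prefix = malloc(len + 1);
    if (prefix == NULL)
        return NULL;                     /* caller reports out of memory */
    memcpy(prefix, name, len);
    prefix[len] = '\0';
    snprintf(msg, msgsz, "stripping prefix '%.32s'", prefix);
    free(prefix);
    return name + len;
}

/* Constructed input: n slashes followed by "etc". Returns 1 on success. */
int check_heap(size_t n)
{
    char msg[64], *name = malloc(n + 4);
    if (name == NULL)
        return 0;
    memset(name, '/', n);
    memcpy(name + n, "etc", 4);
    const char *rest = strip_heap(name, msg, sizeof msg);
    int ok = rest != NULL && strcmp(rest, "etc") == 0;
    free(name);
    return ok;
}

int main(void) { return check_heap((size_t)16 << 20) ? 0 : 1; }  /* 16 MiB */
```

The 16 MiB prefix used in `main` is larger than the 8192 KB stack limit shown in the quoted `ulimit -s` output, which is the size range where the heap version still returns normally.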



