Re: [Bug-cpio] out-of-bounds write with cpio -i

bug-cpio

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-cpio] out-of-bounds write with cpio -i

From:	Sergey Poznyakoff
Subject:	Re: [Bug-cpio] out-of-bounds write with cpio -i
Date:	Mon, 01 Dec 2014 15:46:45 +0200

Pavel Raiskup <address@hidden> ha escrit:

> Well, that patch follows the "no-limit" GNU advice.  Taking some weird big
> cpio archive into account (consisting of only symlink name), we could
> rather end up with something like MAX_SYMLINK_LENGTH constant.  The pros
> would be probably smaller code change.  Thoughts?

Yes, that would be better.  The natural limit is SIZE_MAX, I pushed
the attached patch.

Regards,
Sergey

>From 746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <address@hidden>
Date: Mon, 1 Dec 2014 15:15:28 +0200
Subject: [PATCH] Fix memory overrun on reading improperly created link
 records.

See http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html

* src/copyin.c (get_link_name): New function.
(list_file, copyin_link): use get_link_name

* tests/symlink-bad-length.at: New file.
* tests/symlink-long.at: New file.
* tests/Makefile.am: Add new files.
* tests/testsuite.at: Likewise.
---
 src/copyin.c                | 50 ++++++++++++++++++++++++++++-----------------
 tests/Makefile.am           |  2 ++
 tests/symlink-bad-length.at | 49 ++++++++++++++++++++++++++++++++++++++++++++
 tests/symlink-long.at       | 46 +++++++++++++++++++++++++++++++++++++++++
 tests/testsuite.at          |  2 ++
 5 files changed, 130 insertions(+), 19 deletions(-)
 create mode 100644 tests/symlink-bad-length.at
 create mode 100644 tests/symlink-long.at

diff --git a/src/copyin.c b/src/copyin.c
index 38d809f..c502c7d 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -124,10 +124,30 @@ tape_skip_padding (int in_file_des, off_t offset)
   if (pad != 0)
     tape_toss_input (in_file_des, pad);
 }
-
+
+static char *
+get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
+{
+  off_t n = file_hdr->c_filesize + 1;
+  char *link_name;
+
+  if (n == 0 || n > SIZE_MAX)
+    {
+      error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
+      link_name = NULL;
+    }
+  else
+    {
+      link_name = xmalloc (n);
+      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+      link_name[file_hdr->c_filesize] = '\0';
+      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+    }
+  return link_name;
+}
 
 static void
-list_file(struct cpio_file_stat* file_hdr, int in_file_des)
+list_file (struct cpio_file_stat* file_hdr, int in_file_des)
 {
   if (verbose_flag)
     {
@@ -136,21 +156,16 @@ list_file(struct cpio_file_stat* file_hdr, int 
in_file_des)
        {
          if (archive_format != arf_tar && archive_format != arf_ustar)
            {
-             char *link_name = NULL;   /* Name of hard and symbolic links.  */
-
-             link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize 
+ 1);
-             link_name[file_hdr->c_filesize] = '\0';
-             tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
-             long_format (file_hdr, link_name);
-             free (link_name);
-             tape_skip_padding (in_file_des, file_hdr->c_filesize);
-             return;
+             char *link_name = get_link_name (file_hdr, in_file_des);
+             if (link_name)
+               {
+                 long_format (file_hdr, link_name);
+                 free (link_name);
+               }
            }
          else
-           {
-             long_format (file_hdr, file_hdr->c_tar_linkname);
-             return;
-           }
+           long_format (file_hdr, file_hdr->c_tar_linkname);
+         return;
        }
       else
 #endif
@@ -643,10 +658,7 @@ copyin_link(struct cpio_file_stat *file_hdr, int 
in_file_des)
           tape_skip_padding (in_file_des, file_hdr->c_filesize);
           return;
         }
-      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
-      link_name[file_hdr->c_filesize] = '\0';
-      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
-      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+      link_name = get_link_name (file_hdr, in_file_des);
     }
   else
     {
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 3f714d1..b4ca92d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -51,6 +51,8 @@ TESTSUITE_AT = \
  setstat04.at\
  setstat05.at\
  symlink.at\
+ symlink-bad-length.at\
+ symlink-long.at\
  symlink-to-stdout.at\
  version.at

diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
new file mode 100644
index 0000000..6f804b1
--- /dev/null
+++ b/tests/symlink-bad-length.at
@@ -0,0 +1,49 @@
+# Process this file with autom4te to create testsuite.  -*- Autotest -*-
+# Copyright (C) 2014 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA.
+
+# Cpio v2.11 did segfault with badly set symlink length.
+# References:
+# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
+
+AT_SETUP([symlink-bad-length])
+AT_KEYWORDS([symlink-long copyout])
+
+AT_DATA([ARCHIVE.base64],
+[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
+JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
+UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+])
+
+AT_CHECK([
+base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
+cpio -ntv < ARCHIVE
+test $? -eq 2
+],
+[0],
+[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
+],[cpio: LINK: stored filename length too big
+cpio: premature end of file
+])
+
+AT_CLEANUP
diff --git a/tests/symlink-long.at b/tests/symlink-long.at
new file mode 100644
index 0000000..d3def2d
--- /dev/null
+++ b/tests/symlink-long.at
@@ -0,0 +1,46 @@
+# Process this file with autom4te to create testsuite.  -*- Autotest -*-
+# Copyright (C) 2014 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA.
+
+# Cpio v2.11.90 changed the way symlink name is read from archive.
+# References:
+# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
+
+AT_SETUP([symlink-long])
+AT_KEYWORDS([symlink-long copyout])
+
+AT_CHECK([
+
+# len(dirname) > READBUFSIZE
+dirname=
+for i in {1..52}; do
+    dirname="xxxxxxxxx/$dirname"
+    mkdir "$dirname"
+done
+ln -s "$dirname" x || AT_SKIP_TEST
+
+echo x | cpio -o > ar
+list=`cpio -tv < ar | sed 's|.*-> ||'`
+test "$list" = "$dirname" && echo success || echo fail
+],
+[0],
+[success
+],[2 blocks
+2 blocks
+])
+
+AT_CLEANUP
diff --git a/tests/testsuite.at b/tests/testsuite.at
index e67689f..3b5377e 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -32,6 +32,8 @@ m4_include([version.at])

 m4_include([inout.at])
 m4_include([symlink.at])
+m4_include([symlink-bad-length.at])
+m4_include([symlink-long.at])
 m4_include([symlink-to-stdout.at])
 m4_include([interdir.at])

--
1.7.12.1

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Bug-cpio] out-of-bounds write with cpio -i, Sergey Poznyakoff <=
- Re: [Bug-cpio] out-of-bounds write with cpio -i, Florian Weimer, 2014/12/01
  - Re: [Bug-cpio] out-of-bounds write with cpio -i, Sergey Poznyakoff, 2014/12/01
    - Re: [Bug-cpio] out-of-bounds write with cpio -i, Pavel Raiskup, 2014/12/01
    - Re: [Bug-cpio] out-of-bounds write with cpio -i, Sergey Poznyakoff, 2014/12/02
    - Re: [Bug-cpio] out-of-bounds write with cpio -i, Pavel Raiskup, 2014/12/11
    - Re: [Bug-cpio] out-of-bounds write with cpio -i, Pavel Raiskup, 2014/12/11
    - Re: [Bug-cpio] out-of-bounds write with cpio -i, Sergey Poznyakoff, 2014/12/11
    - Re: [Bug-cpio] out-of-bounds write with cpio -i, Sergey Poznyakoff, 2014/12/11
    - Re: [Bug-cpio] out-of-bounds write with cpio -i, Pavel Raiskup, 2014/12/11
    - Re: [Bug-cpio] out-of-bounds write with cpio -i, Sergey Poznyakoff, 2014/12/11

Next by Date: Re: [Bug-cpio] [PATCH] Add option "--reproducible" for reproducible archives
Next by thread: Re: [Bug-cpio] out-of-bounds write with cpio -i
Index(es):
- Date
- Thread