Dear CPIO developers,
We are security researchers from Columbia University testing a bug finding tool on CPIO.
We have found a bug that would cause CPIO to get stuck. It is caused by
the fact that existing files may be opened, and files that are named
pipes can cause the open function to hang.
There are two calls to open, starting on line 390 in src/copyin.c:

    out_file_des = open (d->header.c_name,
                         O_CREAT | O_WRONLY | O_BINARY, 0600);
    if (out_file_des < 0 && create_dir_flag)
      {
        create_all_directories (d->header.c_name);
        out_file_des = open (d->header.c_name,
                             O_CREAT | O_WRONLY | O_BINARY,
                             0600);
      }
When extracting the attached sample file, CPIO will attempt to create the
same file twice after having checked for its existence. The first
time, it will create the named pipe. In addition to the "-i" and "-I"
flags, we also tried all combinations that included or excluded "-u" and
"--no-absolute-filenames". The bug was discovered on the latest
version, 2.12.
To bypass this inherent timing gap, we recommend adding the O_EXCL flag to the second argument in the calls to
the open functions. This prevents CPIO from hanging when trying to
extract the sample file.
Best,
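The following is an added illustration of the recommended O_EXCL mitigation; it is not cpio's code and the create_output_file helper, temp-directory names and demo functions are hypothetical. It plants a FIFO at the path an archive entry would be extracted to and shows that an O_CREAT | O_EXCL open returns immediately with EEXIST instead of blocking on the pipe, while a fresh name is still created normally.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not cpio's code): create an extraction target,
 * refusing any path that already exists. With O_EXCL the kernel fails
 * the open with EEXIST before it would ever block on an existing FIFO,
 * so a check-then-create race cannot turn into a hang. */
int create_output_file(const char *path)
{
    return open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
}

/* Constructed scenario: a FIFO with no reader sits where the entry would
 * land. Returns 0 if the hardened open is refused with EEXIST. */
int demo_fifo_is_refused(void)
{
    char dir[] = "/tmp/cpio-excl-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char path[256];
    snprintf(path, sizeof path, "%s/entry", dir);

    int result = -1;
    if (mkfifo(path, 0600) == 0) {
        int fd = create_output_file(path);
        if (fd < 0 && errno == EEXIST)
            result = 0;          /* refused without blocking */
        else if (fd >= 0)
            close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* Control case: a name that does not exist yet is created as usual.
 * Returns 0 on success. */
int demo_fresh_file_ok(void)
{
    char dir[] = "/tmp/cpio-excl-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char path[256];
    snprintf(path, sizeof path, "%s/entry", dir);

    int result = -1;
    int fd = create_output_file(path);
    if (fd >= 0) {
        close(fd);
        unlink(path);
        result = 0;
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("existing FIFO refused: %s\n",
           demo_fifo_is_refused() == 0 ? "yes" : "no");
    printf("fresh file created:    %s\n",
           demo_fresh_file_ok() == 0 ? "yes" : "no");
    return 0;
}
```

Because O_EXCL makes the existence test and the creation a single atomic step inside the kernel, the same flag also refuses a symbolic link planted at the target path, so an extractor does not need a separate stat() before the open.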