
[Bug-tar] Buffer overflow causes sigabort in tar-1.23


From: John Emil Karlson
Subject: [Bug-tar] Buffer overflow causes sigabort in tar-1.23
Date: Sun, 25 Apr 2010 20:11:06 +0300 (EEST)
User-agent: Alpine 2.00 (DEB 1167 2008-08-23)

greetings

There is a buffer overflow in tar-1.23 when creating archives and gcc-4.5 is used to compile tar. The abort is raised by glibc's fortified strcpy (bits/string3.h, via __chk_fail) called from start_header at create.c:912, as the backtrace below shows.

Attached is a patch from fedora-12 and fedora-13; it seems to fix the problem.

*** buffer overflow detected ***: tar terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f2eddfcfec7]
/lib/libc.so.6(+0xe4d20)[0x7f2eddfcdd20]
tar[0x409fb2]
tar[0x40b000]
tar[0x40a49d]
tar[0x40b4ad]
tar[0x41d155]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f2eddf07bbd]
tar[0x404079]
======= Memory map: ========
00400000-00441000 r-xp 00000000 08:02 27287892 /bin/tar
00640000-00641000 r--p 00040000 08:02 27287892 /bin/tar
00641000-00644000 rw-p 00041000 08:02 27287892 /bin/tar
00644000-00666000 rw-p 00000000 00:00 0 [heap]
7f2edd7ad000-7f2edd7c2000 r-xp 00000000 08:02 335778640 /lib64/libgcc_s.so.1
7f2edd7c2000-7f2edd9c1000 ---p 00015000 08:02 335778640 /lib64/libgcc_s.so.1
7f2edd9c1000-7f2edd9c2000 r--p 00014000 08:02 335778640 /lib64/libgcc_s.so.1
7f2edd9c2000-7f2edd9c3000 rw-p 00015000 08:02 335778640 /lib64/libgcc_s.so.1
7f2edd9c3000-7f2eddccd000 r--p 00000000 08:02 671820892 /usr/lib64/locale/locale-archive
7f2eddccd000-7f2eddce4000 r-xp 00000000 08:02 471264017 /lib64/libpthread-2.11.so
7f2eddce4000-7f2eddee3000 ---p 00017000 08:02 471264017 /lib64/libpthread-2.11.so
7f2eddee3000-7f2eddee4000 r--p 00016000 08:02 471264017 /lib64/libpthread-2.11.so
7f2eddee4000-7f2eddee5000 rw-p 00017000 08:02 471264017 /lib64/libpthread-2.11.so
7f2eddee5000-7f2eddee9000 rw-p 00000000 00:00 0
7f2eddee9000-7f2ede039000 r-xp 00000000 08:02 471265782 /lib64/libc-2.11.so
7f2ede039000-7f2ede238000 ---p 00150000 08:02 471265782 /lib64/libc-2.11.so
7f2ede238000-7f2ede23c000 r--p 0014f000 08:02 471265782 /lib64/libc-2.11.so
7f2ede23c000-7f2ede23d000 rw-p 00153000 08:02 471265782 /lib64/libc-2.11.so
7f2ede23d000-7f2ede242000 rw-p 00000000 00:00 0
7f2ede242000-7f2ede24a000 r-xp 00000000 08:02 471264199 /lib64/librt-2.11.so
7f2ede24a000-7f2ede449000 ---p 00008000 08:02 471264199 /lib64/librt-2.11.so
7f2ede449000-7f2ede44a000 r--p 00007000 08:02 471264199 /lib64/librt-2.11.so
7f2ede44a000-7f2ede44b000 rw-p 00008000 08:02 471264199 /lib64/librt-2.11.so
7f2ede44b000-7f2ede469000 r-xp 00000000 08:02 471265776 /lib64/ld-2.11.so
7f2ede635000-7f2ede638000 rw-p 00000000 00:00 0
7f2ede667000-7f2ede668000 rw-p 00000000 00:00 0
7f2ede668000-7f2ede669000 r--p 0001d000 08:02 471265776 /lib64/ld-2.11.so
7f2ede669000-7f2ede66a000 rw-p 0001e000 08:02 471265776 /lib64/ld-2.11.so
7f2ede66a000-7f2ede66b000 rw-p 00000000 00:00 0
7fff5abe8000-7fff5ac09000 rw-p 00000000 00:00 0 [stack]
7fff5aca4000-7fff5aca5000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted

Program received signal SIGABRT, Aborted.
0x00007ffff78af1b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt full
#0 0x00007ffff78af1b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007ffff78b05e0 in *__GI_abort () at abort.c:92
act = {__sigaction_handler = {sa_handler = 0x7fffffffd280, sa_sigaction = 0x7fffffffd280}, sa_mask = {__val = {140737488343872, 140737488348167, 8, 140737347436941, 3, 140737488343882, 6, 140737347436945, 2, 140737488343870, 2, 140737347428168, 1, 140737347436941, 3, 140737488343876}}, sa_flags = 12, sa_restorer = 0x7ffff799c191}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007ffff78e9e77 in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
        ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffdc40, reg_save_area = 0x7fffffffdb50}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffdc40, reg_save_area = 0x7fffffffdb50}}
        fd = 5
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = 0
        cp = <value optimized out>
        written = false
#3 0x00007ffff7963ec7 in *__GI___fortify_fail (msg=0x7ffff799c194 "buffer overflow detected") at fortify_fail.c:32
No locals.
#4  0x00007ffff7961d20 in *__GI___chk_fail () at chk_fail.c:29
No locals.
#5 0x0000000000409fb2 in strcpy (st=0x7fffffffde20) at /usr/include/bits/string3.h:107
No locals.
#6  start_header (st=0x7fffffffde20) at create.c:912
        header = 0x649000
#7 0x000000000040b000 in dump_dir0 (st=0xfffffffffffffff8, p=0x647120 "tyo/kurssit", top_level=1, parent_device=0) at create.c:1104
        blk = 0x0
        block_ordinal = 0
        our_device = 2050
        tag_file_name = <value optimized out>
#8 dump_dir (st=0xfffffffffffffff8, p=0x647120 "tyo/kurssit", top_level=1, parent_device=0) at create.c:1261
        directory = 0x6481c0 "suunnitelmat"
#9 dump_file0 (st=0xfffffffffffffff8, p=0x647120 "tyo/kurssit", top_level=1, parent_device=0) at create.c:1595
        tag_file_name = <value optimized out>
        ok = <value optimized out>
        fd = <value optimized out>
final_stat = {st_dev = 0, st_ino = 140737353917920, st_nlink = 1, st_mode = 0, st_uid = 0, st_gid = 1, __pad0 = 0, st_rdev = 140737354129640, st_size = 4294968736, st_blksize = 140737353917920, st_blocks = 1, st_atim = {tv_sec = 140737354130496, tv_nsec = 140737488346784}, st_mtim = {tv_sec = 0, tv_nsec = 140737354130496}, st_ctim = {tv_sec = 140737488346576, tv_nsec = 140737488346600}, __unused = {8453523610, 479434442, 4201838}}
        header = <value optimized out>
        type = <value optimized out>
        original_size = 39
restore_times = {{tv_sec = 1269031839, tv_nsec = 842428219}, {tv_sec = 1239310757, tv_nsec = 969634721}}
        block_ordinal = -1
        is_dir = true
#10 0x000000000040a49d in dump_file (p=0x647120 "tyo/kurssit", top_level=1, parent_device=0) at create.c:1787
        st = {orig_file_name = 0x647190 "tyo/kurssit/", file_name = 0x6471b0 "tyo/kurssit/", had_trailing_slash = false, link_name = 0x0, uname = 0x0, gname = 0x0, stat = {st_dev = 2050, st_ino = 873821510, st_nlink = 4, st_mode = 16832, st_uid = 1000, st_gid = 1005, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1269031839, tv_nsec = 842428219}, st_mtim = {tv_sec = 1239310757, tv_nsec = 969634721}, st_ctim = {tv_sec = 1239310757, tv_nsec = 969634721}, __unused = {0, 0, 0}}, atime = {tv_sec = 1269031839, tv_nsec = 842428219}, mtime = {tv_sec = 1239310757, tv_nsec = 969634721}, ctime = {tv_sec = 1239310757, tv_nsec = 969634721}, archive_file_size = 39, is_sparse = false, sparse_major = 0, sparse_minor = 0, sparse_map_avail = 0, sparse_map_size = 0, sparse_map = 0x0, xhdr = {stk = 0x0, size = 0, buffer = 0x0, string_length = 0}, is_dumpdir = false, skipped = false, dumpdir = 0x0}
#11 0x000000000040b4ad in create_archive () at create.c:1329
        p = 0x647120 "tyo/kurssit"
#12 0x000000000041d155 in main (argc=<value optimized out>, argv=<value optimized out>) at tar.c:2490
No locals.

Best regards
-Emil

John Emil Karlson
Jämeräntaival 11I186
02150 Espoo
+358 (0)44 0407831
address@hidden

Attachment: tar-1.22-fortifysourcessigabrt.patch
Description: Text Data

