[Bug-cpio] Segfault when updating newc archives


From: Burton, Ross
Subject: [Bug-cpio] Segfault when updating newc archives
Date: Wed, 28 Nov 2018 14:18:13 +0000

Using current git master of cpio, and introduced with the
CVE-2016-2037 out-of-bounds patch, I can trivially crash cpio.  For
example from the top of the cpio git clone:

$ find gnulib/ | ./src/cpio -o -H newc >foo.cpio
70240 blocks
$ echo NEWS | ./src/cpio  -oA  -H newc -F foo.cpio
Segmentation fault (core dumped)

Adding a little debug and running in valgrind:

...
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name
0x51da8a0 name 0x51da810 len 23
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name
0x51da8a0 name 0x51da810 len 30
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name
0x51da8a0 name 0x51da810 len 11
==30256== Conditional jump or move depends on uninitialised value(s)
==30256==    at 0x4E800F0: vfprintf (vfprintf.c:1636)
==30256==    by 0x4E87228: printf (printf.c:33)
==30256==    by 0x116F42: cpio_set_c_name (util.c:1433)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
cpio_set_c_name() about to memmove() file_hdr 0xfff0004e0 c_name (nil)
name 0x51d9590 len 5
==30256== Conditional jump or move depends on uninitialised value(s)
==30256==    at 0x4C300D3: address@hidden (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
==30256== Conditional jump or move depends on uninitialised value(s)
==30256==    at 0x4C300E5: address@hidden (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
==30256== Conditional jump or move depends on uninitialised value(s)
==30256==    at 0x4C30171: address@hidden (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
==30256== Use of uninitialised value of size 8
==30256==    at 0x4C3019B: address@hidden (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
==30256== Invalid write of size 2
==30256==    at 0x4C3019B: address@hidden (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Ross
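The valgrind trace above ends in a memmove() to address 0 because the header's name pointer is NULL when the append path reaches cpio_set_c_name(). The following is an added illustration, not cpio's code: a hypothetical header with a name buffer and a cached capacity, an initializer every reuse path must call, and a setter that never trusts the cached capacity when the buffer pointer is NULL, so a header that skipped initialization still gets a fresh allocation instead of a write through a null pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical header: entry name buffer plus its allocated capacity. */
struct file_hdr {
    char *c_name;       /* heap buffer holding the entry name */
    size_t c_namesize;  /* bytes allocated for c_name (0 if none) */
};

/* Every header must pass through this before it is (re)used for an entry. */
void file_hdr_init(struct file_hdr *hdr)
{
    hdr->c_name = NULL;
    hdr->c_namesize = 0;
}

/* Copy name into hdr.  The buffer is reused only when it exists and is big
 * enough; a NULL pointer is never trusted, whatever c_namesize claims, which
 * is exactly the state ("c_name (nil)") that precedes the crash above. */
int set_c_name(struct file_hdr *hdr, const char *name)
{
    size_t len = strlen(name) + 1;
    if (hdr->c_name == NULL || hdr->c_namesize < len) {
        size_t cap = hdr->c_name ? hdr->c_namesize : 0;
        while (cap < len)
            cap = cap ? cap * 2 : 32;
        char *p = realloc(hdr->c_name, cap);  /* realloc(NULL, n) == malloc(n) */
        if (p == NULL)
            return -1;
        hdr->c_name = p;
        hdr->c_namesize = cap;
    }
    memmove(hdr->c_name, name, len);
    return 0;
}

/* Exercise the three cases: fresh header, reuse, and a header whose cached
 * capacity is stale garbage while its pointer is NULL.  Returns 0 on success. */
int run_scenarios(void)
{
    struct file_hdr h;
    file_hdr_init(&h);
    if (set_c_name(&h, "NEWS") != 0 || strcmp(h.c_name, "NEWS") != 0) return 1;
    char *first = h.c_name;
    if (set_c_name(&h, "gnulib/lib") != 0 || h.c_name != first) return 2;   /* reused */
    if (set_c_name(&h, "gnulib/lib/a/very/long/path/component/name.c") != 0) return 3;
    if (h.c_namesize < 45 || strlen(h.c_name) != 44) return 4;             /* grew */
    struct file_hdr stale = { NULL, 4096 };  /* constructed: NULL buffer, bogus size */
    if (set_c_name(&stale, "NEWS") != 0 || strcmp(stale.c_name, "NEWS") != 0) return 5;
    free(h.c_name);
    free(stale.c_name);
    return 0;
}
```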