bug-cpio

Re: cpio RCE Exploit Caused by Integer Overflow


From: Salvatore Bonaccorso
Subject: Re: cpio RCE Exploit Caused by Integer Overflow
Date: Sat, 21 Aug 2021 20:56:39 +0200

Hi,

On Tue, Aug 17, 2021 at 07:39:31AM +0200, Sergey Poznyakoff wrote:
> Hi Juerg,
> 
> > While the hang is gone I'm still seeing a regression when building an Ubuntu
> > kernel:
> 
> I can't reproduce it.  Can you send me output of this command:
> 
> > find . -path './debian' -prune -o -path './debian.raspi' -prune \
> >   -o -path './include/*' -prune \
> >   -o -path './scripts/*' -prune -o -type f \
> >   \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
> >      -name '*.sh' -o -name '*.pl' -o -name '*.lds' \) \
> >   -print

Nota bene, the following is purely experimental trying, the cause is not
pinpointed at all. But as we notice the very same with a kernel build
in Debian, playing around with the following:

$ zcat /tmp/list.gz | cpio -pd --preserve-modification-time '/home/build/linux-5.10.46/debian/linux-headers-5.10.0-8-common-rt//usr/src/linux-headers-5.10.0-8-common-rt'
cpio: g-mssr.h: Cannot stat: No such file or directory
73156 blocks
$ zcat /tmp/list.gz | cpio -pd --preserve-modification-time '/home/build/linux-5.10.46/debian/linux-headers-5.10.0-8-common-rt//usr/src/linux-headers-5.10.0-8-common-r'
cpio: -mssr.h: Cannot stat: No such file or directory
73156 blocks
$ zcat /tmp/list.gz | cpio -pd --preserve-modification-time '/home/build/linux-5.10.46/debian/linux-headers-5.10.0-8-common-rt//usr/src/linux-headers-5.10.0-8-common-'
cpio: mssr.h: Cannot stat: No such file or directory
73156 blocks
$ zcat /tmp/list.gz | cpio -pd --preserve-modification-time '/home/build/linux-5.10.46/debian/linux-headers-5.10.0-8-common-rt//usr/src/linux-headers-5.10.0-8-common'
cpio: ssr.h: Cannot stat: No such file or directory
73156 blocks

And attaching as well the list.gz as used.

Do we fill somewhere a fixed length buffer?

Regards,
Salvatore

Attachment: list.gz
Description: application/gzip
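
Added example, not part of the original message and not cpio code: a small triage script that checks the pattern visible in the four runs above, namely that each name cpio fails to stat is a clipped tail of a list entry and that the clip moves one character per character removed from the destination. The destination and stderr lines are taken from the message; NAME_LIST is a constructed stand-in for list.gz, and all function names are hypothetical.

```python
import re

# Destination from the message; each later run drops one trailing character.
DEST = ("/home/build/linux-5.10.46/debian/linux-headers-5.10.0-8-common-rt"
        "//usr/src/linux-headers-5.10.0-8-common-rt")
# cpio stderr lines quoted in the message, in run order.
STDERR = [
    "cpio: g-mssr.h: Cannot stat: No such file or directory",
    "cpio: -mssr.h: Cannot stat: No such file or directory",
    "cpio: mssr.h: Cannot stat: No such file or directory",
    "cpio: ssr.h: Cannot stat: No such file or directory",
]
# Constructed sample entries (assumption): the real list.gz is not reproduced here.
NAME_LIST = ["./Makefile", "./drivers/example/Kconfig",
             "./include/example/demo-cpg-mssr.h"]

STAT_ERR = re.compile(r"^cpio: (.+): Cannot stat: ")

def reported_name(line):
    """Return the file name from a 'Cannot stat' line, or None for other output."""
    m = STAT_ERR.match(line)
    return m.group(1) if m else None

def clipped_from(name, entries):
    """Return (entry, chars_lost) when name is a proper suffix of a list entry.
    A file that is simply missing is reported under its full name, so it never matches."""
    for entry in entries:
        if entry != name and entry.endswith(name):
            return entry, len(entry) - len(name)
    return None, None

def analyse(dest=DEST, stderr=STDERR, entries=NAME_LIST):
    """One row per run: destination length, reported name, source entry, chars lost."""
    rows = []
    for k, line in enumerate(stderr):
        name = reported_name(line)
        source, lost = clipped_from(name, entries)
        rows.append({"dest_len": len(dest) - k, "name": name,
                     "source": source, "lost": lost})
    return rows

def fixed_offset(rows):
    """True when dest_len - len(name) is identical in every run, i.e. the clip
    point depends on the destination length alone."""
    return len({r["dest_len"] - len(r["name"]) for r in rows}) == 1

if __name__ == "__main__":
    for r in analyse():
        print(r)
    print("clip tracks destination length:", fixed_offset(analyse()))
```

Running the same check over the stderr of a real build, with the real list as NAME_LIST, separates genuinely missing files from names that were corrupted on the way to stat.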

