bug-tar

possible memory corruption bug


From: Kapus, Timotej
Subject: possible memory corruption bug
Date: Tue, 19 May 2020 13:47:02 +0000

Hi,

I think I've found a bug in tar-1.32 (also present in 1.29). If I run

$ ./tar tG --tra=s
./tar: Unknown flag in transform expression: X
Try './tar --help' or './tar --usage' for more information.

However if I run

$ RND_ENV=irrelevant ./tar tG --tra=s
./tar: Unknown flag in transform expression: M
Try './tar --help' or './tar --usage' for more information.

Valgrind and ASan are happy, so I tried debugging a bit with gdb. The X in the first case is printed on transform.c:254, where pointer p points to

(gdb) print p
$5 = 0x7fffffffe873 "XDG_SESSION_ID=292"

So I'm pretty sure p starts pointing at environment variables and that this shouldn't be the case. I also have a stack trace from the tool that found this, which you might find helpful:

Error: memory error: out of bound pointer
File: transform.c
Line: 213
assembly.ll line: 100309
Stack: 
	#0 00100309 in parse_transform_expr (expr) at transform.c:213
	#1 00099974 in set_transform_expr (expr) at transform.c:413
	#2 00095813 in parse_opt (key=200, arg, state=143966064) at tar.c:1950
	#3 00090246 in group_parse (group=135938048, state=143966064, key=200, arg) at argp-parse.c:233
	#4 00090706 in parser_parse_opt (parser=143965952, opt=16777416, val) at argp-parse.c:745
	#5 00089825 in parser_parse_next (parser=143965952, arg_ebadkey=139413200) at argp-parse.c:856
	#6 00081596 in argp_parse (argp=28822208, argc=4, argv=135839104, flags=8, end_index=134188176, input=134134912) at argp-parse.c:924
	#7 00129430 in decode_options (argc=3, argv=135463200) at tar.c:2314
	#8 00128994 in __klee_posix_wrapped_main (argc=3, argv=135463200) at tar.c:2703
	#9 00009370 in __user_main (argcPtr=5, argvPtr=72146400, envp=72146448) at /data/klee/runtime/POSIX/klee_init_env.c:245
	#10 00002742 in __uClibc_main (main=38907656, argc=5, argv=72146400, app_init=0, app_fini=0, rtld_fini=0, stack_end=0) at libc/misc/internals/__uClibc_main.c:401
	#11 00002913 in main (=5, =72146400)
Info: 
	address: (Add w64 134187439
          (SExt w64 (ZExt w32 (Eq 45 (Read w8 1 arg01)))))
	example: 134187440
	range: [134187440, 134187440]
	next: object at 134187840 of size 4
		MO7628[4] allocated at decode_options():  %new_argc = alloca i32, align 4
	prev: object at 134187432 of size 8
		MO5979[8] allocated at __get_sym_str():  %call = call noalias i8* @malloc(i64 %conv) #8, !dbg !7385

(note that this is for version 1.29, so line numbers might be slightly different)

Cheers,
Timotej
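The report above fits a one-byte over-read of the option argument: the transform expression is just "s", so the byte taken as the delimiter is the string's own NUL terminator, and the scan for the closing delimiter starts one past the end of the argument, where argv and environment strings sit back to back on the stack. What follows is an added illustration, not part of the message above and not tar's source: a simplified model of how a "s<delim>regex<delim>replacement<delim>flags" expression is parsed (the two delimiter scans and the flag loop are an assumption made for illustration; transform.c is the authority), run over a constructed byte array that stands in for the argument and the strings that follow it in memory. Keeping everything in one array makes the over-read deterministic and well-defined for the demonstration, unlike the real argv/envp case. The vulnerable variant reproduces the reported symptom (an "unknown flag" taken from a neighbouring string); the hardened variant rejects a NUL delimiter before any scan begins.

```c
/* Added example, not tar's code: a simplified model of parsing a
 * "s<delim>regex<delim>replacement<delim>flags" transform expression.
 * The structure of the scans is an assumption for illustration only. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum parse_status { PARSE_OK = 0, PARSE_BAD_EXPR = 1, PARSE_UNKNOWN_FLAG = 2 };

struct transform {
    char delim;
    const char *regex;  size_t regex_len;
    const char *repl;   size_t repl_len;
    int global;          /* 'g' flag seen */
    char bad_flag;       /* byte that was rejected as a flag, if any */
};

/* Advance i to the next unescaped delim, or to the NUL that ends expr. */
static size_t scan_to_delim(const char *expr, size_t i, char delim)
{
    for (; expr[i] && expr[i] != delim; i++)
        if (expr[i] == '\\' && expr[i + 1])
            i++;
    return i;
}

/* check_delim == 0: vulnerable shape, the delimiter is whatever expr[1] is.
 * check_delim != 0: hardened shape, a NUL delimiter is rejected up front,
 * so expr[2] is never read when expr is the one-character string "s". */
static enum parse_status parse_transform(const char *expr, int check_delim,
                                         struct transform *tf)
{
    size_t i, j;
    const char *p;

    memset(tf, 0, sizeof *tf);
    if (expr[0] != 's')
        return PARSE_BAD_EXPR;
    tf->delim = expr[1];
    if (check_delim && tf->delim == '\0')
        return PARSE_BAD_EXPR;

    i = scan_to_delim(expr, 2, tf->delim);        /* regex */
    if (expr[i] != tf->delim)
        return PARSE_BAD_EXPR;
    tf->regex = expr + 2;
    tf->regex_len = i - 2;

    j = scan_to_delim(expr, i + 1, tf->delim);    /* replacement */
    if (expr[j] != tf->delim)
        return PARSE_BAD_EXPR;
    tf->repl = expr + i + 1;
    tf->repl_len = j - (i + 1);

    for (p = expr + j + 1; *p && *p != ';'; p++) {  /* flags */
        if (*p == 'g') {
            tf->global = 1;
        } else {
            tf->bad_flag = *p;
            return PARSE_UNKNOWN_FLAG;
        }
    }
    return PARSE_OK;
}

enum parse_status parse_transform_vulnerable(const char *expr, struct transform *tf)
{ return parse_transform(expr, 0, tf); }

enum parse_status parse_transform_hardened(const char *expr, struct transform *tf)
{ return parse_transform(expr, 1, tf); }

/* Constructed stand-in for the process stack: the argument "s" followed by
 * made-up environment entries, as argv and envp strings are laid out. */
const char stack_image[] =
    "s\0"
    "SHELL=/bin/sh\0"
    "HOME=/home/user\0"
    "XDG_SESSION_ID=292\0";

/* Status code of either parser on an expression (hardened != 0 selects the fix). */
int status_of(const char *expr, int hardened)
{
    struct transform tf;
    return hardened ? parse_transform_hardened(expr, &tf)
                    : parse_transform_vulnerable(expr, &tf);
}

/* The byte the vulnerable parser rejects as a flag when fed "s" from
 * stack_image: it swallows the next two strings as regex and replacement
 * and reads its flags from the third, so this returns 'X'. */
char vulnerable_first_flag(void)
{
    struct transform tf;
    parse_transform_vulnerable(stack_image, &tf);
    return tf.bad_flag;
}

int main(void)
{
    struct transform tf;
    int st = parse_transform_vulnerable(stack_image, &tf);
    printf("vulnerable: status %d regex=\"%.*s\" repl=\"%.*s\" unknown flag '%c'\n",
           st, (int)tf.regex_len, tf.regex, (int)tf.repl_len, tf.repl, tf.bad_flag);
    printf("hardened:   status %d for \"s\" (rejected before the over-read)\n",
           status_of(stack_image, 1));
    printf("hardened:   status %d for \"s/foo/bar/g\"\n", status_of("s/foo/bar/g", 1));
    return 0;
}
```

The same shape of check applies to any parser that takes a delimiter from a user-supplied byte and then scans for it: if the delimiter can be the terminator itself, every "is this the closing delimiter" test passes at the end of the string and the scan walks into adjacent memory, which is why ASan and Valgrind stayed quiet (the stack is one valid mapping) while a symbolic-execution memory model flagged the pointer as out of bounds.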