Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack

bug-cpio

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack

From:	Dmitry V. Levin
Subject:	Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow
Date:	Fri, 17 Aug 2007 15:11:51 +0400

On Fri, Aug 17, 2007 at 11:37:03AM +0200, Ladislav Michnovi?? wrote:
> 2007/8/17, Dmitry V. Levin:
> > Hi,
> >
> > paxlib's safer_name_suffix() function uses alloca() to report prefix string
> > it is going to strip, and recent tar and cpio versions use this function
> > both in list and extract modes.
> > The problem is that length of this string (i.e. size passed to alloca)
> > is under tarball owner control.
> > As result, tar/cpio crashes if this string is sufficiently long.
> >
> > Fortunately, memcpy() call which follows alloca() call makes this stack
> > overflow a plain crash, so it does not look exploitable.
> >
> > Reproducer:
> > $ ulimit -s
> > 8192
> > $ ./tarnull null.tar
> > $ bzip2 -9 null.tar
> > $ ls -log null.tar.bz2
> > -rw-r--r-- 1 543 Aug 15 18:00 null.tar.bz2
> > $ tar tf null.tar.bz2
> > Segmentation fault
> 
> Hello.
> 
>  I have tested your reproducer and I've got segfault. I recompiled
> cpio 2.9 with your patch but I'm still getting segfault.
> Have I missed something?

How did you test cpio with reproducer for tar?


-- 
ldv

pgpwDmNqEJ673.pgp
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Dmitry V. Levin, 2007/08/16
- Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Ladislav Michnovič, 2007/08/17
  - Re: [Bug-tar] Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Sergey Poznyakoff, 2007/08/17
  - Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Dmitry V. Levin <=
    - Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Ladislav Michnovič, 2007/08/17
    - Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Ladislav Michnovič, 2007/08/21
    - Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Dmitry V. Levin, 2007/08/22
    - Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Ladislav Michnovič, 2007/08/23
    - Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Dmitry V. Levin, 2007/08/23
- Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Sergey Poznyakoff, 2007/08/17
  - Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Dmitry V. Levin, 2007/08/17
    - Re: [Bug-tar] Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Sergey Poznyakoff, 2007/08/17
    - Re: [Bug-tar] Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow, Dmitry V. Levin, 2007/08/17

Prev by Date: Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow
Next by Date: Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow
Previous by thread: Re: [Bug-tar] Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow
Next by thread: Re: [Bug-cpio] [PATCH] lib/paxnames.c: Do not use alloca to avoid stack overflow
Index(es):
- Date
- Thread