[Bug-cpio] out-of-bounds write with cpio -i

bug-cpio

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-cpio] out-of-bounds write with cpio -i

From:	Michal Zalewski
Subject:	[Bug-cpio] out-of-bounds write with cpio -i
Date:	Sat, 22 Nov 2014 23:37:07 -0800

Please see this test case for cpio 2.11:

http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio

As far as I can tell, it's a file with declared length field of
(int)-1. That gets us to this portion of code in copyin.c
(list_file()), with c_filesize just taken from the input file:

  link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
  link_name[file_hdr->c_filesize] = '\0';

...cpio ends up allocating a zero-sized buffer and then writing out of
bounds, which could conceivably pose a security risk when trying to
examine untrusted archives (e.g., when invoked from lesspipe).

/mz

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-cpio] out-of-bounds write with cpio -i, Michal Zalewski <=
- Re: [Bug-cpio] out-of-bounds write with cpio -i, Pavel Raiskup, 2014/11/25
  - Re: [Bug-cpio] out-of-bounds write with cpio -i, Pavel Raiskup, 2014/11/27

Prev by Date: Re: [Bug-cpio] [PATCH] Add option "--reproducible" for reproducible archives
Next by Date: Re: [Bug-cpio] out-of-bounds write with cpio -i
Previous by thread: Re: [Bug-cpio] [PATCH] Add option "--reproducible" for reproducible archives
Next by thread: Re: [Bug-cpio] out-of-bounds write with cpio -i
Index(es):
- Date
- Thread