bug-cpio
Re: [Bug-cpio] out-of-bounds write with cpio -i


From: Pavel Raiskup
Subject: Re: [Bug-cpio] out-of-bounds write with cpio -i
Date: Thu, 11 Dec 2014 08:32:39 +0100
User-agent: KMail/4.14.3 (Linux/3.17.4-200.fc20.x86_64; KDE/4.14.3; x86_64; ; )

On Tuesday 02 of December 2014 11:39:30 Sergey Poznyakoff wrote:
> Pavel Raiskup <address@hidden> ha escrit:
>
> > Thanks for fixing!  Just a nit:
>
> Yes, of course.

There is still one new NULL pointer dereference.  Also, get_link_name
does not guarantee only the two possibilities "successful read of the symlink
name and proper seek of the archive OR exit_failure", so cpio is potentially
unable to recover.

See the bt:

   (gdb) run -idv < lesspipe-cpio-bad-write.cpio
   Starting program: /home/praiskup/cpio/src/cpio -idv < lesspipe-cpio-bad-write.cpio
   Missing separate debuginfos, use: debuginfo-install glibc-2.20-5.fc21.i686
   /home/praiskup/cpio/src/cpio: hello: stored filename length is out of range

   Program received signal SIGSEGV, Segmentation fault.

   0x0805db58 in quotearg_buffer_restyled (buffer=0x806d040 <slot0> "", buffersize=256, arg=0x0, argsize=4294967295, quoting_style=literal_quoting_style, flags=1, quote_these_too=0xbffff378, left_quote=0x0, right_quote=0x0)
       at quotearg.c:345
   345       for (i = 0;  ! (argsize == SIZE_MAX ? arg[i] == '\0' : i == argsize);  i++)
   (gdb) bt
   #0  0x0805db58 in quotearg_buffer_restyled (buffer=0x806d040 <slot0> "", buffersize=256, arg=0x0, argsize=4294967295, quoting_style=literal_quoting_style, flags=1, quote_these_too=0xbffff378, left_quote=0x0, right_quote=0x0)
       at quotearg.c:345
   #1  0x0805df66 in quotearg_n_options (n=0, arg=0x0, argsize=4294967295, options=0xbffff370) at quotearg.c:804
   #2  0x0805e1ad in quotearg_char_mem (arg=0x0, argsize=4294967295, ch=58 ':') at quotearg.c:884
   #3  0x0805e1d0 in quotearg_char (arg=0x0, ch=58 ':') at quotearg.c:890
   #4  0x0805e1e8 in quotearg_colon (arg=0x0) at quotearg.c:896
   #5  0x0804b548 in copyin_link (file_hdr=0xbffff488, in_file_des=0) at copyin.c:680
   #6  0x0804b6da in copyin_file (file_hdr=0xbffff488, in_file_des=0) at copyin.c:729
   #7  0x0804ceeb in process_copy_in () at copyin.c:1480
   #8  0x08051527 in main (argc=2, argv=0xbffff624) at main.c:788

Note also that I had to install the attached fix for the testsuite, as
the actual CVE fix causes different errors on different architectures.
The tested scenario is also too non-deterministic.

Pavel

Attachment: 0001-testsuite-cover-architecture-differences.patch
Description: Text Data
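The backtrace above shows the shape of the bug: the link-name reader rejects an out-of-range length, but its NULL result still reaches quotearg_colon() with arg=0x0. The following is an added example, not cpio's own code, showing a bounded link-name reader whose caller handles the error path instead of quoting a NULL pointer. All names (read_link_name, copy_in_link, MAX_LINK_LEN, the sample archive payload) are hypothetical and constructed for the example.

```c
/* Added example (not cpio's code): a bounded reader for a symlink target
 * stored in an archive entry, plus a caller that checks for NULL before
 * formatting the name. Names, limits and sample data are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINK_LEN 4096u  /* hypothetical upper bound on a symlink target */

/* Returns a heap copy of the target (caller frees it), or NULL when the
 * stored length is zero, above MAX_LINK_LEN, or runs past the end of the
 * in-memory archive body. A NULL return is the error signal the caller
 * must handle; it must never be passed on as a name. */
char *read_link_name(const unsigned char *body, size_t body_len, uint32_t stored_len)
{
    if (stored_len == 0 || stored_len > MAX_LINK_LEN || stored_len > body_len)
        return NULL;
    char *name = malloc((size_t)stored_len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, body, stored_len);
    name[stored_len] = '\0';
    return name;
}

/* Caller in the shape of a copy-in step: on NULL it writes a diagnostic into
 * out and returns -1, so a bad header never reaches the formatting code as
 * a NULL pointer. On success it formats "entry -> target" and returns 0. */
int copy_in_link(const char *entry_name, const unsigned char *body, size_t body_len,
                 uint32_t stored_len, char *out, size_t out_len)
{
    char *target = read_link_name(body, body_len, stored_len);
    if (target == NULL) {
        snprintf(out, out_len, "%s: stored link length is out of range", entry_name);
        return -1;
    }
    snprintf(out, out_len, "%s -> %s", entry_name, target);
    free(target);
    return 0;
}

/* Constructed sample payload: the symlink target "target.txt". */
static const unsigned char sample_body[] = "target.txt";
static const size_t sample_body_len = sizeof(sample_body) - 1;

/* Well-formed entry: stored length matches the payload. */
int demo_good(char *out, size_t out_len)
{
    return copy_in_link("hello", sample_body, sample_body_len, 10u, out, out_len);
}

/* Malformed entry: stored length is 0xffffffff, far beyond the payload. */
int demo_bad(char *out, size_t out_len)
{
    return copy_in_link("hello", sample_body, sample_body_len, 0xffffffffu, out, out_len);
}

int main(void)
{
    char buf[128];
    int rc = demo_good(buf, sizeof buf);
    printf("rc=%d %s\n", rc, buf);
    rc = demo_bad(buf, sizeof buf);
    printf("rc=%d %s\n", rc, buf);
    return 0;
}
```

The point is the contract between the two functions: read_link_name has exactly two outcomes, a valid string or NULL, and copy_in_link treats NULL as a reportable error rather than assuming the read succeeded.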

