bug-tar

[Bug-tar] Use-after-free in names.c:1297:name_match().


From: x ksi
Subject: [Bug-tar] Use-after-free in names.c:1297:name_match().
Date: Thu, 20 Dec 2018 21:08:09 +1100

Hi All,

I'd like to report a defect in tar v1.30.

Execution of the following command will cause a use-after-free:

-- cut --
$ touch none ; tar -cf bla.tar . ; /home/s1m0n/tar/tar-asan/src/tar -d -f bla.tar -K ./none
=================================================================
==15682==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000000c8 at pc 0x564525c0ae21 bp 0x7ffdccdb03c0 sp 0x7ffdccdb03b8
READ of size 4 at 0x6080000000c8 thread T0
    #0 0x564525c0ae20 in name_match /home/s1m0n/tar/tar-asan/src/names.c:1297
    #1 0x564525beda15 in read_and /home/s1m0n/tar/tar-asan/src/list.c:197
    #2 0x564525b5c27c in main /home/s1m0n/tar/tar-asan/src/tar.c:2743
    #3 0x7f4c7465db16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #4 0x564525b61aa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)
0x6080000000c8 is located 40 bytes inside of 96-byte region [0x6080000000a0,0x608000000100)
freed by thread T0 here:
    #0 0x7f4c748e0b50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    #1 0x564525c0ac2d in name_match /home/s1m0n/tar/tar-asan/src/names.c:1293
    #2 0x564525beda15 in read_and /home/s1m0n/tar/tar-asan/src/list.c:197
    #3 0x564525b5c27c in main /home/s1m0n/tar/tar-asan/src/tar.c:2743
    #4 0x7f4c7465db16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
previously allocated by thread T0 here:
    #0 0x7f4c748e0ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x564525d155f8 in xmalloc /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:41
    #2 0x564525d15c70 in xzalloc /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:86
    #3 0x564525c083de in make_name /home/s1m0n/tar/tar-asan/src/names.c:584
    #4 0x564525c083de in addname /home/s1m0n/tar/tar-asan/src/names.c:1211
    #5 0x564525c43f3b in parse_opt /home/s1m0n/tar/tar-asan/src/tar.c:1441
    #6 0x564525ca7ecf in group_parse /home/s1m0n/tar/tar-asan/gnu/argp-parse.c:234
    #7 0x564525ca7ecf in parser_parse_opt /home/s1m0n/tar/tar-asan/gnu/argp-parse.c:737
    #8 0x564525ca7ecf in parser_parse_next /home/s1m0n/tar/tar-asan/gnu/argp-parse.c:860
    #9 0x564525ca7ecf in argp_parse /home/s1m0n/tar/tar-asan/gnu/argp-parse.c:928
    #10 0x564525b5864e in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2312
    #11 0x564525b5864e in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
    #12 0x7f4c7465db16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-use-after-free /home/s1m0n/tar/tar-asan/src/names.c:1297 in name_match
Shadow bytes around the buggy address:
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x0c107fff8010: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15682==ABORTING
-- cut --

Please let me know if you have any questions.


Thanks,
Filip Palian
