[Bug-tar] Heap-based buffer overflow in names.c:1824:collect_and_sort

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-tar] Heap-based buffer overflow in names.c:1824:collect_and_sort_na

From:	x ksi
Subject:	[Bug-tar] Heap-based buffer overflow in names.c:1824:collect_and_sort_names().
Date:	Thu, 20 Dec 2018 21:02:16 +1100

Hi All,

I'd like to report a defect in tar v1.30.

Execution of the following command will cause a heap-based buffer overflow:

-- cut --
$ ~/tar-asan/src/tar -c -f none --add-file= -g none
=================================================================
==7359==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x608000000110 at pc 0x55d81c0bc341 bp 0x7ffd7d643f30 sp
0x7ffd7d643f28
READ of size 8 at 0x608000000110 thread T0
    #0 0x55d81c0bc340 in collect_and_sort_names
/home/s1m0n/tar/tar-asan/src/names.c:1824
    #1 0x55d81c03abb5 in create_archive
/home/s1m0n/tar/tar-asan/src/create.c:1363
    #2 0x55d81bffd2b0 in main /home/s1m0n/tar/tar-asan/src/tar.c:2724
    #3 0x7f97f2cedb16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #4 0x55d81c002aa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)
Address 0x608000000110 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/names.c:1824 in collect_and_sort_names
Shadow bytes around the buggy address:
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff8010: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8020: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7359==ABORTING
-- cut --

Please let me know if you have any questions.


Thanks,
Filip Palian

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-tar] Heap-based buffer overflow in names.c:1824:collect_and_sort_names()., x ksi <=
- Re: [Bug-tar] Heap-based buffer overflow in names.c:1824:collect_and_sort_names()., Sergey Poznyakoff, 2018/12/21

Prev by Date: [Bug-tar] Heap-based buffer overflow in suffix.c:105:strip_compression_suffix().
Next by Date: Re: [Bug-tar] NULL pointer dereference in create.c:511:start_private_header().
Previous by thread: [Bug-tar] Heap-based buffer overflow in suffix.c:105:strip_compression_suffix().
Next by thread: Re: [Bug-tar] Heap-based buffer overflow in names.c:1824:collect_and_sort_names().
Index(es):
- Date
- Thread