pombreda / libarchive

Automatically exported from code.google.com/p/libarchive

malformed cpio file causes segfault #395

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The attached file will crash bsdcpio.

What steps will reproduce the problem?
1. bsdcpio -i < crash.cpio
2. segfault

What version are you using?
tried both 3.1.2 and current git.

On what operating system?
Linux

How did you build?  (cmake, configure, or pre-packaged binary)
3.1.2 with configure, git with cmake

What compiler or development environment (please include version)?
gcc 4.9.2

Please provide any additional information below.

crash dump by valgrind:
==14051== Invalid read of size 8
==14051==    at 0x4C2ECB0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14051==    by 0x41AEAD: __archive_read_ahead (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==    by 0x42FDE7: header_bin_le (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==    by 0x430530: archive_read_format_cpio_read_header (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==    by 0x418B98: _archive_read_next_header (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==    by 0x40DFAE: main (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==  Address 0xffffffff8954c260 is not stack'd, malloc'd or (recently) free'd

I will also attach full valgrind and address sanitizer output.

This issue was found with american fuzzy lop.

Original issue reported on code.google.com by hanno@hboeck.de on 1 Feb 2015 at 8:50
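The trace above fails inside __archive_read_ahead called from header_bin_le while parsing the binary cpio header, and the follow-up comments note the file encodes a very large input size. As an added illustration (my code, not libarchive's), here is a minimal parser for the 26-byte little-endian binary cpio header that checks the name and file sizes against the bytes actually present before using either of them; the sample archive bytes are constructed for the example, not the reporter's crash.cpio:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CPIO_BIN_MAGIC 070707u  /* 0x71C7; appears on disk as the bytes C7 71 */
#define CPIO_BIN_HDR   26       /* fixed header size of the old binary format */

struct cpio_entry { uint32_t mode, namesize, filesize; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one little-endian binary cpio entry at buf. Returns the bytes the whole
 * entry occupies (header + even-padded name + even-padded data) or 0 when the
 * entry is malformed or truncated. Each size from the header is checked against
 * the bytes actually present (avail) before it is used, so a crafted filesize is
 * rejected here instead of being handed on to a read-ahead/memcpy. e may be NULL. */
size_t cpio_bin_le_entry(const uint8_t *buf, size_t avail, struct cpio_entry *e)
{
    if (avail < CPIO_BIN_HDR || le16(buf) != CPIO_BIN_MAGIC)
        return 0;
    uint32_t namesize = le16(buf + 20);
    /* the 32-bit file size is stored as two 16-bit words, most-significant first */
    uint32_t filesize = ((uint32_t)le16(buf + 22) << 16) | le16(buf + 24);
    if (namesize == 0)
        return 0;
    uint64_t need = CPIO_BIN_HDR + (((uint64_t)namesize + 1) & ~1ull); /* name padded to even */
    if (need > avail || buf[CPIO_BIN_HDR + namesize - 1] != '\0')      /* name must end in NUL */
        return 0;
    need += ((uint64_t)filesize + 1) & ~1ull;                           /* data padded to even */
    if (need > avail)
        return 0;
    if (e) { e->mode = le16(buf + 6); e->namesize = namesize; e->filesize = filesize; }
    return (size_t)need;
}

/* Constructed sample (not the reporter's crash.cpio): one sane entry "a" holding
 * 3 data bytes, then a header whose filesize claims 4 GiB with no data behind it. */
static const uint8_t sample[60] = {
    0xC7,0x71, 0,0, 1,0, 0xA4,0x81, 0,0, 0,0, 1,0, 0,0, 0,0,0,0, 2,0, 0,0,3,0,
    'a',0, 'x','y','z',0,
    0xC7,0x71, 0,0, 2,0, 0xA4,0x81, 0,0, 0,0, 1,0, 0,0, 0,0,0,0, 2,0, 0xFF,0xFF,0xFF,0xFF,
    'b',0 };

/* Walk entries until the first rejected one; returns how many were accepted. */
int count_entries(const uint8_t *buf, size_t avail)
{
    int n = 0;
    size_t used;
    while ((used = cpio_bin_le_entry(buf, avail, NULL)) != 0) { n++; buf += used; avail -= used; }
    return n;
}

int main(void)
{
    printf("accepted %d entry(ies) before rejecting a malformed header\n", count_entries(sample, sizeof sample));
    return 0;
}
```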

GoogleCodeExporter commented 9 years ago
This is exactly the same as Issue 394.

Original comment by kientzle@gmail.com on 1 Feb 2015 at 10:11

GoogleCodeExporter commented 9 years ago
Ah, okay, I saw 394 but it talked about bsdtar, not bsdcpio, so I thought it must be a different issue.

I just checked current git and it hangs on the file. Is this the expected behaviour? (In bug 394 you mention that it just encodes a very large input file - so it may just do its job and try to decompress something big - GNU cpio also hangs.)

Original comment by hanno@hboeck.de on 3 Feb 2015 at 3:21

GoogleCodeExporter commented 9 years ago
I'm not seeing the hang here. After applying the fix for bug 394, it seems to correctly fail with an error.

The only issue I do see: the error message is empty. I've just committed a fix for that.

If you're still seeing it with current git commit 24f5de6, please give me more details and I'll see if I can track it down.

Thank you!

Original comment by t...@kientzle.com on 7 Feb 2015 at 6:09

GoogleCodeExporter commented 9 years ago
With latest git it seems fine. Prints an error as expected and no hang.

Original comment by hanno@hboeck.de on 7 Feb 2015 at 10:34