oss-sec mailing list archives
CVE request: reads out-of-bounds with cpio 2.11
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Thu, 25 Feb 2016 14:18:07 -0300
Hello,
Two reads out-of-bounds in cpio 2.11 were found in the parsing of cpio
files (other versions are probably affected). Find attached a test case to
reproduce them. The ASAN report of the first one is here:
$ ./cpio -i < overflow.cpio
./cpio: warning: skipped 8 bytes of junk
=================================================================
==31838==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000edb2 at pc 0x7fb81910ba28 bp 0x7fffa1c286d0 sp 0x7fffa1c27e80
READ of size 2 at 0x60200000edb2 thread T0
#0 0x7fb81910ba27 in strchr
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6ea27)
#1 0x407174 in path_contains_symlink
/home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:718
#2 0x40bce0 in process_copy_in
/home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:1524
#3 0x4165c6 in main /home/vagrant/repos/cpio-2.11+dfsg/src/main.c:746
#4 0x7fb818cf9ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#5 0x403408 (/home/vagrant/repos/cpio-2.11+dfsg/src/cpio+0x403408)
0x60200000edb2 is located 0 bytes to the right of 2-byte region
[0x60200000edb0,0x60200000edb2)
allocated by thread T0 here:
#0 0x7fb81913176a in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9476a)
#1 0x43da22 in xrealloc
/home/vagrant/repos/cpio-2.11+dfsg/gnu/xmalloc.c:59
#2 0x40b5ab in process_copy_in
/home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:1437
#3 0x4165c6 in main /home/vagrant/repos/cpio-2.11+dfsg/src/main.c:746
#4 0x7fb818cf9ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
and the second one is here:
$ ./cpio -t < overflow.cpio
./cpio: warning: skipped 8 bytes of junk
=================================================================
==3962==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000edb2 at pc 0x7f705ab831b1 bp 0x7ffc620c3f70 sp 0x7ffc620c3720
READ of size 3 at 0x60200000edb2 thread T0
#0 0x7f705ab831b0 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x5e1b0)
#1 0x7f705ab837b7 in __interceptor_vprintf
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x5e7b7)
#2 0x7f705ab838a9 in __interceptor_printf
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x5e8a9)
#3 0x403d55 in list_file
/home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:180
#4 0x40b958 in process_copy_in
/home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:1478
#5 0x4165c6 in main /home/vagrant/repos/cpio-2.11+dfsg/src/main.c:746
#6 0x7f705a781ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#7 0x403408 (/home/vagrant/repos/cpio-2.11+dfsg/src/cpio+0x403408)
0x60200000edb2 is located 0 bytes to the right of 2-byte region
[0x60200000edb0,0x60200000edb2)
allocated by thread T0 here:
#0 0x7f705abb976a in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9476a)
#1 0x43da22 in xrealloc
/home/vagrant/repos/cpio-2.11+dfsg/gnu/xmalloc.c:59
#2 0x40b5ab in process_copy_in
/home/vagrant/repos/cpio-2.11+dfsg/src/copyin.c:1437
#3 0x4165c6 in main /home/vagrant/repos/cpio-2.11+dfsg/src/main.c:746
#4 0x7f705a781ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
These issues were found using QuickFuzz.
Regards,
Gustavo.
Attachment:
overflow.cpio
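Both reports above show a 2-byte heap region (the file-name buffer) being read past its end by strchr() and printf("%s"), which is what happens when an archive declares a name length but supplies no terminating NUL inside it. The following checked reader for the newc (SVR4 "070701") name field is an added example, not cpio's own code and not the attached test case; it assumes the standard newc header layout and that c_namesize counts the trailing NUL, and the two sample entries are constructed here for the test.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define NEWC_HDRLEN       110 /* "070701" magic + 13 fields of 8 hex digits */
#define NEWC_NAMESIZE_OFF 94  /* c_namesize: magic + 11 preceding fields */

/* Parse one 8-digit lowercase-hex header field; -1 on a non-hex byte. */
static int hex8(const unsigned char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        const char *hex = "0123456789abcdef", *q = strchr(hex, p[i]);
        if (p[i] == '\0' || q == NULL) return -1;
        v = (v << 4) | (uint32_t)(q - hex);
    }
    *out = v;
    return 0;
}

/* Return a NUL-terminated heap copy of the name that follows a newc header
 * in data[0..avail), or NULL if the entry is malformed.  c_namesize counts
 * the terminating NUL (assumption), so a valid name ends in '\0' inside
 * exactly that many bytes.  The caller frees the result. */
char *read_newc_name(const unsigned char *data, size_t avail)
{
    uint32_t namesize;
    if (avail < NEWC_HDRLEN || memcmp(data, "070701", 6) != 0) return NULL;
    if (hex8(data + NEWC_NAMESIZE_OFF, &namesize) != 0) return NULL;
    const unsigned char *name = data + NEWC_HDRLEN;
    if (namesize == 0 || namesize > avail - NEWC_HDRLEN) return NULL;
    /* The check the crash above lacks: a 2-byte name "ab" with no NUL would
     * otherwise be handed to strchr() and printf("%s"), which read on past
     * the 2-byte allocation. */
    if (name[namesize - 1] != '\0') return NULL;
    if (strlen((const char *)name) != namesize - 1) return NULL; /* embedded NUL */
    char *copy = malloc(namesize);
    if (copy != NULL) memcpy(copy, name, namesize);
    return copy;
}

/* Constructed samples (not the attached overflow.cpio): c_namesize = 2,
 * followed by a terminated name and by an unterminated one. */
#define HDR "070701" "00000000" "000081a4" "00000000" "00000000" "00000001" \
            "00000000" "00000000" "00000000" "00000000" "00000000" "00000000" \
            "00000002" "00000000"
const unsigned char GOOD_ENTRY[] = HDR "a\0\0\0"; /* "a", NUL, padding */
const unsigned char BAD_ENTRY[]  = HDR "ab";      /* 2 bytes declared, no NUL */

int name_accepted(const unsigned char *data, size_t avail) /* 1 = accepted */
{
    char *n = read_newc_name(data, avail);
    int ok = (n != NULL);
    free(n);
    return ok;
}
```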