libarchive: bsdtar: stack-based buffer overflow in bsdtar_expand_char (util.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3), I decided to fuzz it too.

This bug came out after 5 days of fuzzing, when AFL reported that it had already completed 15 cycles. This means that in some cases it is not enough to do a few hours of fuzzing and believe that there aren't more bugs…

A crafted file causes a stack-based buffer overflow (a write past the end of a stack buffer).
Upstream was not able to reproduce the issue (maybe because of a different compiler and compiler options), so he committed the fix based on what the stack trace printed. The bug is no longer reachable through the provided testcase, but I asked for a new release so that I could launch the fuzzer again.

The complete ASan output:

# bsdtar -t -f $FILE
bsdtar: Missing type keyword in mtree specification
5!\\{bsdtar: Missing type keyword in mtree specification

zO!\\{bsdtar: Missing type keyword in mtree specification

zO\r\r\\{bsdtar: Missing type keyword in mtree specification

zO\r\\w\200r\rbsdtar: Missing type keyword in mtree specification

@;\r\005@{bsdtar: Missing type keyword in mtree specification

zO\r\r\\{bsdtar: Malformed attribute "" (-51)

z\f\fbsdtar: Missing type keyword in mtree specification

h\352*((-.I,\002:%1=\037\257:B\362\020\217(\300\351!\002\341\341\341*(\244\244\263\377\377\377\377\244\377\177\244\244\244\244\244\244\244\264\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\036\036\036\036\036\036\036\036\036\036bsdtar: Missing type keyword in mtree specification
=================================================================
==6259==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fae139bf660 at pc 0x0000004957dc bp 0x7ffc9de91a90 sp 0x7ffc9de91240
WRITE of size 4 at 0x7fae139bf660 thread T0
    #0 0x4957db in vsprintf /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1128
    #1 0x495912 in sprintf /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1159
    #2 0x50ab22 in bsdtar_expand_char /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/util.c:223:4
    #3 0x509c47 in safe_fprintf /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/util.c:174:21
    #4 0x50307f in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:320:5
    #5 0x501bf3 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #6 0x4f8b9f in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #7 0x7fae1780761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

Address 0x7fae139bf660 is located in stack of thread T0 at offset 608 in frame
    #0 0x50964f in safe_fprintf /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/util.c:95

  This frame has 4 object(s):
    [32, 288) 'fmtbuff_stack'
    [352, 608) 'outbuff'
  0x0ff64272fec0: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x0ff64272fed0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 04 f3 f3 f3
  0x0ff64272fee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff64272fef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff64272ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff64272ff10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6259==ABORTING
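The frames above (sprintf called from bsdtar_expand_char inside safe_fprintf, with the write landing right at the end of the 256-byte 'outbuff' object) show the general shape of the bug: unprintable bytes are expanded into multi-byte octal escapes through a plain sprintf into a fixed-size stack buffer, so the output can grow faster than the remaining space. The following C program is an added illustration of that pattern in a bounded form; it is not libarchive's code and not the upstream fix (see the commit linked below). The names expand_char_bounded, safe_write_escaped and OUTBUFF_SIZE, and the sample inputs, are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUTBUFF_SIZE  256   /* hypothetical fixed-size stack buffer, like 'outbuff' in the trace */
#define MAX_EXPANSION 4     /* longest escape produced: backslash + three octal digits */

/*
 * Expand one input byte into buf[offset...], the way an expand-char helper
 * does, but bounded: 'remaining' is the free space left in buf. Returns the
 * number of bytes written, or 0 when the escape would not fit (the caller
 * must flush the buffer and retry). Printable bytes are copied as-is;
 * backslash and unprintable bytes become "\ooo" octal escapes.
 */
static size_t expand_char_bounded(char *buf, size_t offset, size_t remaining,
                                  unsigned char c)
{
    if (remaining < MAX_EXPANSION + 1)      /* +1 keeps room for the NUL */
        return 0;
    if (isprint(c) && c != '\\') {
        buf[offset] = (char)c;
        return 1;
    }
    /* snprintf is told how much space is left, not the whole buffer size. */
    int n = snprintf(buf + offset, remaining, "\\%03o", c);
    return (n > 0 && (size_t)n < remaining) ? (size_t)n : 0;
}

/*
 * Write 'len' bytes of 'in' to 'f' (NULL = count only), escaping through a
 * fixed stack buffer. Returns the total number of output bytes; *flushes
 * receives how often the buffer filled up and had to be written out early.
 */
size_t safe_write_escaped(FILE *f, const unsigned char *in, size_t len,
                          unsigned *flushes)
{
    char outbuff[OUTBUFF_SIZE];
    size_t i = 0, total = 0;
    unsigned nflush = 0;

    for (size_t k = 0; k < len; k++) {
        size_t n = expand_char_bounded(outbuff, i, sizeof(outbuff) - i, in[k]);
        if (n == 0) {
            /* Escape would overrun: emit what we have and start over. */
            outbuff[i] = '\0';
            if (f != NULL)
                fputs(outbuff, f);
            total += i;
            i = 0;
            nflush++;
            n = expand_char_bounded(outbuff, i, sizeof(outbuff), in[k]);
        }
        i += n;
    }
    outbuff[i] = '\0';
    if (f != NULL)
        fputs(outbuff, f);
    total += i;
    if (flushes != NULL)
        *flushes = nflush;
    return total;
}

/* Constructed sample inputs (not taken from the advisory's testcase). */
size_t demo_unprintable_total(void)
{
    unsigned char in[100];
    memset(in, 0x80, sizeof in);            /* 100 bytes, each expands to 4 */
    return safe_write_escaped(NULL, in, sizeof in, NULL);
}

unsigned demo_unprintable_flushes(void)
{
    unsigned char in[100];
    unsigned flushes = 0;
    memset(in, 0x80, sizeof in);
    safe_write_escaped(NULL, in, sizeof in, &flushes);
    return flushes;
}

size_t demo_mixed_total(void)
{
    const unsigned char in[] = "ab\x80\\c";  /* "ab", 0x80, backslash, "c" */
    return safe_write_escaped(NULL, in, sizeof in - 1, NULL);
}

int main(void)
{
    unsigned flushes = 0;
    unsigned char in[100];
    memset(in, 0x80, sizeof in);
    size_t total = safe_write_escaped(stdout, in, sizeof in, &flushes);
    printf("\n%zu output bytes from %zu input bytes, %u early flush(es)\n",
           total, sizeof in, flushes);
    return 0;
}
```

The point of the bounded version is that the expansion helper is never handed more than the space that is actually left, and the caller flushes before the next escape can run past the end of the buffer: 100 bytes of 0x80 become 400 bytes of output, which a 256-byte buffer only survives because it is written out once in the middle. Compiled with AddressSanitizer, the same kind of input produces no report, which is the check to run against any fixed build.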

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8687

Timeline:
2016-08-17: bug discovered
2016-08-17: bug reported to upstream
2016-08-21: upstream released a patch
2016-09-11: blog post about the issue
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.
