libarchive: bsdtar: memory corruption/unknown-crash in bid_entry (archive_read_support_format_mtree.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3), I decided to fuzz it too.

A crafted file causes a heap overflow (a one-byte out-of-bounds read, per the ASan trace) in the bid_entry function of the mtree parser. Note the call chain: bid_entry is reached from detect_form via choose_format, i.e. while libarchive is still deciding which format the input is, so any file handed to bsdtar goes through this code regardless of the format it claims to be.
This bug seems to be similar to THIS bug, but in this case ASan does not report the issue as being in the heap: it classifies it as unknown-crash with "wild memory access suspected", because the faulting address lies in memory ASan does not track (the shadow bytes around it are all fe, ASan internal), so it cannot be labelled a heap-buffer-overflow.
This bug was also discovered by gsingh93 using the libarchive API.
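To show what a bidder that cannot run off the end of its read-ahead window looks like, here is an added example in C. It is not libarchive's code, not the upstream fix, and not a reproducer for the crash above; the function names (mtree_bid, score_line), the scoring rules, and the sample mtree text are assumptions for illustration. The point it demonstrates is the check a format bidder needs: every byte access is bounded by the number of bytes actually available, and an unterminated tail line is reported back to the caller instead of being scanned past the buffer.

```c
/*
 * Added example (not libarchive's code): a bounds-checked "bid" over mtree
 * text, the kind of scan a format bidder performs on its read-ahead buffer.
 * Names, scoring rules and the sample input are assumptions for illustration.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Score one complete line, line[0..len), newline already removed.
 * Returns >0 when the line looks like mtree, 0 for blank/comment lines,
 * -1 when the line cannot be mtree. Never touches line[len].
 */
static int score_line(const char *line, size_t len)
{
    if (len > 0 && line[len - 1] == '\r')
        len--;                                  /* tolerate CRLF */
    while (len > 0 && (*line == ' ' || *line == '\t')) {
        line++;
        len--;                                  /* skip leading blanks */
    }
    if (len == 0)
        return 0;
    if (len >= 6 && memcmp(line, "#mtree", 6) == 0)
        return 32;                              /* format signature */
    if (line[0] == '#')
        return 0;                               /* ordinary comment */

    /* First token is a path (or /set, /unset); every later token must be
     * keyword=value with an alphanumeric keyword. */
    int bid = 0, first = 1;
    size_t i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && line[i] != ' ' && line[i] != '\t')
            i++;
        size_t tlen = i - start;
        if (tlen > 0 && !first) {
            const char *eq = memchr(line + start, '=', tlen);
            if (eq == NULL || eq == line + start)
                return -1;
            for (const char *k = line + start; k < eq; k++)
                if (!isalnum((unsigned char)*k))
                    return -1;
            bid++;
        }
        if (tlen > 0)
            first = 0;
        while (i < len && (line[i] == ' ' || line[i] == '\t'))
            i++;
    }
    return bid;
}

/*
 * Bid on buf[0..avail). Only lines terminated by '\n' inside the window are
 * scored; *consumed receives the bytes they cover. An unterminated tail is
 * left alone so the caller can extend the read-ahead and call again.
 * Returns the accumulated bid, or -1 once a line rules mtree out.
 * memchr is always given (avail - off), so no read goes past buf + avail.
 */
int mtree_bid(const char *buf, size_t avail, size_t *consumed)
{
    int total = 0;
    size_t off = 0;
    while (off < avail) {
        const char *nl = memchr(buf + off, '\n', avail - off);
        if (nl == NULL)
            break;                              /* partial line: need more */
        size_t len = (size_t)(nl - (buf + off));
        int s = score_line(buf + off, len);
        if (s < 0) {
            *consumed = off;
            return -1;
        }
        total += s;
        off += len + 1;
    }
    *consumed = off;
    return total;
}

/* Constructed sample, copied into an exactly sized heap buffer with no NUL
 * terminator so a build with -fsanitize=address would flag any read past avail. */
static const char sample[] =
    "#mtree\n"
    "./a type=file mode=0644\n"
    "./b uid=0\n";

int main(void)
{
    size_t n = sizeof(sample) - 1, consumed = 0;
    char *buf = malloc(n);
    if (buf == NULL)
        return 1;
    memcpy(buf, sample, n);

    int bid = mtree_bid(buf, n, &consumed);
    printf("full window:  bid=%d consumed=%zu\n", bid, consumed);
    bid = mtree_bid(buf, n - 5, &consumed);     /* window ends inside line 3 */
    printf("cut mid-line: bid=%d consumed=%zu\n", bid, consumed);
    free(buf);
    return 0;
}
```

Compile with `-fsanitize=address` and feed the function windows that end mid-line, or a single very long line with no newline at all: the bid stays bounded by `avail`, and the unterminated tail is simply reported as not yet consumed rather than scanned.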

The complete ASan output:

# bsdtar -t -f $FILE
==6147==ERROR: AddressSanitizer: unknown-crash on address 0x7fa7103c437b at pc 0x7fa70fd73bb6 bp 0x7ffc3948db30 sp 0x7ffc3948db28
READ of size 1 at 0x7fa7103c437b thread T0
    #0 0x7fa70fd73bb5 in bid_entry /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:567:7
    #1 0x7fa70fd73bb5 in detect_form /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:676
    #2 0x7fa70fc3918b in choose_format /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:712:10
    #3 0x7fa70fc3918b in archive_read_open1 /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:529
    #4 0x7fa70fc70f1f in archive_read_open_filename /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_open_filename.c:109:9
    #5 0x501f66 in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:223:6
    #6 0x501473 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #7 0x4f8929 in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #8 0x7fa70ecac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:567:7 in bid_entry
Shadow bytes around the buggy address:
  0x0ff562070810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0ff562070860: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe[fe]
  0x0ff562070870: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070890: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff5620708a0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff5620708b0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6147==ABORTING

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
This bug was discovered by gsingh93.

CVE:
CVE-2016-8688

Timeline:
2016-08-11: bug discovered
2016-08-11: bug reported to upstream
2016-09-11: blog post about the issue
2016-09-19: upstream released a patch
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.
