{"id":1350,"date":"2017-02-21T15:34:59","date_gmt":"2017-02-21T13:34:59","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1350"},"modified":"2017-02-21T15:41:14","modified_gmt":"2017-02-21T13:41:14","slug":"gnu-paxutils-multiple-crashes","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/21\/gnu-paxutils-multiple-crashes\/","title":{"rendered":"gnu-paxutils: multiple crashes"},"content":{"rendered":"

Description<\/strong>:
\nGNU paxutils<\/a> is a suite of archive utilities: it will provide cpio, tar and POSIX pax archivers.<\/p>\n

A fuzzing on tar and pax shows multiple crashes.
\nI really don’t know if atm those tools are used somewhere.<\/p>\n

Details:<\/p>\n

# tar -t -f $FILE\r\nbuffer.c:1480:40: runtime error: index 7168 out of bounds for type 'char [512]'\r\nSUMMARY: AddressSanitizer: undefined-behavior buffer.c:1480:40 in \r\n.\/bins\/tar: Record size of archive appears to be 14 blocks (20 expected)\r\n.\/bins\/tar: Hmm, this doesn't look like a tar archive\r\n.\/bins\/tar: Skipping to next file header\r\n\r\nreading.c:327:19: runtime error: member access within null pointer of type 'union block'\r\nSUMMARY: AddressSanitizer: undefined-behavior reading.c:327:19 in \r\nreading.c:327:19: runtime error: member access within null pointer of type 'struct sparse_header'\r\nSUMMARY: AddressSanitizer: undefined-behavior reading.c:327:19 in \r\n\r\nASAN:DEADLYSIGNAL\r\n=================================================================\r\n==9542==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000001f8 (pc 0x000000570b4a bp 0x7ffd7ab13eb0 sp 0x7ffd7ab13e90 T0)\r\n==9542==The signal is caused by a READ memory access.\r\n==9542==Hint: address points to the zero page.\r\n    #0 0x570b49 in skip_extended_headers \/root\/paxutils-2.4h\/src\/reading.c:327:33\r\n    #1 0x55721d in list_archive \/root\/paxutils-2.4h\/src\/list.c:120:7\r\n    #2 0x5718ef in read_and \/root\/paxutils-2.4h\/src\/reading.c:406:5\r\n    #3 0x57c746 in main \/root\/paxutils-2.4h\/src\/.\/tar.c:1508:7\r\n    #4 0x7f5c524fc78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a498 in _start (\/root\/bins\/tar+0x41a498)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/root\/paxutils-2.4h\/src\/reading.c:327:33 in skip_extended_headers\r\n==9542==ABORTING\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00178-gnupaxutils-tar-segv<\/a><\/p>\n
Obviously, the runtime error “member access within null pointer…” is the ubsan’s way to print what asan subsequently said as SEGV, so it is the same issue.<\/p>\n
# pax -f $FILE\r\n==10938==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000141615f at pc 0x00000052853e bp 0x7ffed94bdc30 sp 0x7ffed94bdc28\r\nREAD of size 1 at 0x00000141615f thread T0\r\n    #0 0x52853d in read_in_tar_header \/root\/paxutils-2.4h\/src\/fmttar.c:363:8\r\n    #1 0x50dd65 in read_in_header \/root\/paxutils-2.4h\/src\/copyin.c:99:7\r\n    #2 0x50f675 in process_copy_in \/root\/paxutils-2.4h\/src\/copyin.c:236:7\r\n    #3 0x50d164 in main \/root\/paxutils-2.4h\/src\/.\/pax.c:485:3\r\n    #4 0x7fd70e06478f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41a448 in _start (\/usr\/bin\/pax+0x41a448)\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00179-gnupaxutils-pax-globaloverflow<\/a><\/p>\n
# pax -f $FILE\r\n==21061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb9 at pc 0x00000048041a bp 0x7ffea3351e10 sp 0x7ffea33515c0\r\nREAD of size 10 at 0x60200000efb9 thread T0\r\n    #0 0x480419 in __interceptor_strcmp \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:284\r\n    #1 0x50f969 in process_copy_in \/root\/paxutils-2.4h\/src\/copyin.c:261:11\r\n    #2 0x50d164 in main \/root\/paxutils-2.4h\/src\/.\/pax.c:485:3\r\n    #3 0x7fe2d680178f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #4 0x41a448 in _start (\/usr\/bin\/pax+0x41a448)\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00180-gnupaxutils-pax-heapoverflow<\/a><\/p>\n
# pax -f $FILE\r\nfmttar.c:450:11: runtime error: index 6 out of bounds for type 'char [6]'                                                                                                                      \r\nSUMMARY: AddressSanitizer: undefined-behavior fmttar.c:450:11\r\n\r\n==7159==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7fe6f8001420,0x7fe6f800161f) and [0x7fe6f8001421, 0x7fe6f8001620) overlap\r\n    #0 0x4bc091 in __asan_memcpy \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:413\r\n    #1 0x526da0 in read_in_tar_header \/root\/paxutils-2.4h\/src\/fmttar.c:265:4\r\n    #2 0x50dd65 in read_in_header \/root\/paxutils-2.4h\/src\/copyin.c:99:7\r\n    #3 0x50f675 in process_copy_in \/root\/paxutils-2.4h\/src\/copyin.c:236:7\r\n    #4 0x50d164 in main \/root\/paxutils-2.4h\/src\/.\/pax.c:485:3\r\n    #5 0x7fe6fae7178f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #6 0x41a448 in _start (\/usr\/bin\/pax+0x41a448)\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00181-gnupaxutils-pax-memcpyparoverlap<\/a><\/p>\n
# pax -f $FILE\r\n==11514==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8b47900220 at pc 0x00000053bf25 bp 0x7ffd949d5cc0 sp 0x7ffd949d5cb8\r\nREAD of size 1 at 0x7f8b47900220 thread T0\r\n    #0 0x53bf24 in otoa \/root\/paxutils-2.4h\/lib\/octal.c:33:10\r\n    #1 0x5287f5 in is_tar_header \/root\/paxutils-2.4h\/src\/fmttar.c:427:3\r\n    #2 0x50d8d4 in read_in_header \/root\/paxutils-2.4h\/src\/copyin.c:74:27\r\n    #3 0x50f675 in process_copy_in \/root\/paxutils-2.4h\/src\/copyin.c:236:7\r\n    #4 0x50d164 in main \/root\/paxutils-2.4h\/src\/.\/pax.c:485:3\r\n    #5 0x7f8b4a75378f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #6 0x41a448 in _start (\/usr\/bin\/pax+0x41a448)\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00182-gnupaxutils-pax-stackoverflow<\/a><\/p>\n
Affected version:<\/strong>
\n2.4h<\/p>\n
Fixed version:<\/strong>
\nN\/A<\/p>\n
Commit fix:<\/strong>
\nN\/A<\/p>\n
Credit:<\/strong>
\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<\/p>\n
Timeline:<\/strong>
\n2017-02-17: bugs discovered
\n2017-02-21: bugs reported to upstream
\n2017-02-21: blog post about the issue<\/p>\n
Note:<\/strong>
\nThese bugs were found with American Fuzzy Lop<\/a>.
\nThe email to upstream was rejected.<\/p>\n
Permalink:<\/strong>
\nhttps:\/\/blogs.gentoo.org\/ago\/2017\/02\/21\/gnu-paxutils-multiple-crashes<\/p>\n","protected":false},"excerpt":{"rendered":"
Description: GNU paxutils is a suite of archive utilities: it will provide cpio, tar and POSIX pax archivers. A fuzzing on tar and pax shows multiple crashes. I really don’t know if atm those tools are used somewhere. Details: # … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-lM","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1350"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1350"}],"version-history":[{"count":7,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1350\/revisions"}],"predecessor-version":[{"id":1386,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1350\/revisions\/1386"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}