{"id":1749,"date":"2017-05-01T14:03:51","date_gmt":"2017-05-01T12:03:51","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1749"},"modified":"2017-05-01T15:20:04","modified_gmt":"2017-05-01T13:20:04","slug":"libarchive-two-heap-based-buffer-overflow-read","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/05\/01\/libarchive-two-heap-based-buffer-overflow-read\/","title":{"rendered":"libarchive: two heap-based buffer overflow read"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.libarchive.org\/\">libarchive<\/a> is a multi-format archive and compression library.<\/p>\n<p>In the 2016 I reported two heap-based buffer over-read to libarchive. They appear to have already been fixed in the trunk when I reported them; here are the details:<\/p>\n<pre><font size=\"2\"># bsdtar -t -f $FILE\r\n=================================================================                                                                                                                              \r\n==27838==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000ff05 at pc 0x7fad7b060778 bp 0x7ffe35698a10 sp 0x7ffe35698a08                                                      \r\nREAD of size 1 at 0x61500000ff05 thread T0                                                                                                                                                     \r\n    #0 0x7fad7b060777 in archive_le32dec \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_endian.h:122:20                                                       \r\n    #1 0x7fad7b060777 in cab_read_header \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_support_format_cab.c:669                                         \r\n    #2 0x7fad7b060777 in archive_read_format_cab_read_header \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_support_format_cab.c:903                     \r\n    #3 0x7fad7affa45b in _archive_read_next_header2 \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:649:7                                               \r\n    #4 0x7fad7affa100 in _archive_read_next_header \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:687:8                                                \r\n    #5 0x514c89 in read_archive \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/read.c:261:7                                                                                  \r\n    #6 0x51416b in tar_mode_t \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/read.c:94:2                                                                                     \r\n    #7 0x50f1a8 in main \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/bsdtar.c:803:3                                                                                        \r\n    #8 0x7fad7a08d61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289                                                                        \r\n    #9 0x41c168 in _init (\/usr\/bin\/bsdtar+0x41c168)                                                                                                                                            \r\n                                                                                                                                                                                               \r\n0x61500000ff05 is located 5 bytes to the right of 512-byte region [0x61500000fd00,0x61500000ff00)                                                                                              \r\nallocated by thread T0 here:                                                                                                                                                                   \r\n    #0 0x4d4f28 in malloc \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:64                                                       \r\n    #1 0x7fad7aff5854 in __archive_read_filter_ahead \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:1436:17                                            \r\n    #2 0x7fad7b0db8cd in archive_read_format_tar_bid \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_support_format_tar.c:310:6                           \r\n    #3 0x7fad7afef670 in choose_format \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:712:10                                                           \r\n    #4 0x7fad7afef670 in archive_read_open1 \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:529                                                         \r\n    #5 0x7fad7b0162e1 in archive_read_open_filenames \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_open_filename.c:152:10                               \r\n    #6 0x7fad7b015e8b in archive_read_open_filename \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_open_filename.c:109:9                                 \r\n    #7 0x5149eb in read_archive \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/read.c:223:6                                                                                  \r\n    #8 0x51416b in tar_mode_t \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/read.c:94:2                                                                                     \r\n    #9 0x50f1a8 in main \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/bsdtar.c:803:3                                                                                        \r\n    #10 0x7fad7a08d61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289                                                                       \r\n                                                                                                                                                                                               \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_endian.h:122:20 in archive_le32dec\r\nShadow bytes around the buggy address:\r\n  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=&gt;0x0c2a7fff9fe0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==27838==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n3.2.2<br \/>\n<strong>Fixed version:<\/strong><br \/>\n3.3.0<br \/>\n<strong>Commit fix:<\/strong><br \/>\nN\/A<br \/>\n<strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00105-libarchive-heapoverflow-archive_le32dec\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00105-libarchive-heapoverflow-archive_le32dec<\/a><br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2016-10349<\/p>\n<p>#############################<\/p>\n<pre><font size=\"2\"># bsdtar -t -f $FILE\r\n==21129==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000ff00 at pc 0x7fa070bd7827 bp 0x7fffb7183a30 sp 0x7fffb7183a28                                                      \r\nREAD of size 1 at 0x61500000ff00 thread T0                                                                                                                                                     \r\n    #0 0x7fa070bd7826 in archive_read_format_cab_read_header \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_support_format_cab.c:903:9                   \r\n    #1 0x7fa070b7145b in _archive_read_next_header2 \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:649:7                                               \r\n    #2 0x7fa070b71100 in _archive_read_next_header \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:687:8                                                \r\n    #3 0x514c89 in read_archive \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/read.c:261:7                                                                                  \r\n    #4 0x51416b in tar_mode_t \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/read.c:94:2                                                                                     \r\n    #5 0x50f1a8 in main \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/bsdtar.c:803:3\r\n    #6 0x7fa06fc0461f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #7 0x41c168 in _init (\/usr\/bin\/bsdtar+0x41c168)\r\n\r\n0x61500000ff00 is located 0 bytes to the right of 512-byte region [0x61500000fd00,0x61500000ff00)\r\nallocated by thread T0 here:\r\n    #0 0x4d4f28 in malloc \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:64\r\n    #1 0x7fa070b6c854 in __archive_read_filter_ahead \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:1436:17\r\n    #2 0x7fa070c528cd in archive_read_format_tar_bid \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_support_format_tar.c:310:6\r\n    #3 0x7fa070b66670 in choose_format \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:712:10\r\n    #4 0x7fa070b66670 in archive_read_open1 \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read.c:529\r\n    #5 0x7fa070b8d2e1 in archive_read_open_filenames \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_open_filename.c:152:10\r\n    #6 0x7fa070b8ce8b in archive_read_open_filename \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_open_filename.c:109:9\r\n    #7 0x5149eb in read_archive \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/read.c:223:6\r\n    #8 0x51416b in tar_mode_t \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/read.c:94:2\r\n    #9 0x50f1a8 in main \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/tar\/bsdtar.c:803:3\r\n    #10 0x7fa06fc0461f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/app-arch\/libarchive-3.2.2\/work\/libarchive-3.2.2\/libarchive\/archive_read_support_format_cab.c:903:9 in archive_read_format_cab_read_header\r\nShadow bytes around the buggy address:\r\n  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=&gt;0x0c2a7fff9fe0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c2a7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==21129==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n3.2.2<br \/>\n<strong>Fixed version:<\/strong><br \/>\n3.3.0<br \/>\n<strong>Commit fix:<\/strong><br \/>\nN\/A<br \/>\n<strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00106-libarchive-heapoverflow-archive_read_format_cab_read_header\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00106-libarchive-heapoverflow-archive_read_format_cab_read_header<\/a><br \/>\n<strong>CVE:<\/strong><br \/>\nCVE-2016-10350<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<br \/>\nThese bugs were also discovered by oss-fuzz<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-12-06: bugs discovered and reported to upstream<br \/>\n2017-05-01: blog post about the issue<br \/>\n2017-05-01: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"kif1ViqrH3\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/05\/01\/libarchive-two-heap-based-buffer-overflow-read\/\">libarchive: two heap-based buffer overflow read<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/05\/01\/libarchive-two-heap-based-buffer-overflow-read\/embed\/#?secret=kif1ViqrH3\" data-secret=\"kif1ViqrH3\" width=\"600\" height=\"338\" title=\"&#8220;libarchive: two heap-based buffer overflow read&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: libarchive is a multi-format archive and compression library. In the 2016 I reported two heap-based buffer over-read to libarchive. They appear to have already been fixed in the trunk when I reported them; here are the details: # bsdtar &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/05\/01\/libarchive-two-heap-based-buffer-overflow-read\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-sd","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1749"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1749"}],"version-history":[{"count":3,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1749\/revisions"}],"predecessor-version":[{"id":1754,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1749\/revisions\/1754"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1749"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1749"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1749"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}