{"id":510,"date":"2016-09-11T12:12:51","date_gmt":"2016-09-11T10:12:51","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=510"},"modified":"2016-12-01T15:42:15","modified_gmt":"2016-12-01T13:42:15","slug":"libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c\/","title":{"rendered":"libarchive: bsdtar: heap-based buffer overflow in bid_entry (archive_read_support_format_mtree.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.libarchive.org\/\">libarchive<\/a> is a multi-format archive and compression library.<\/p>\n<p>After it got fuzzed by hanno and some other people (<a href=\"https:\/\/blog.fuzzing-project.org\/47-Many-invalid-memory-access-issues-in-libarchive.html\">1<\/a> <a href=\"https:\/\/blog.fuzzing-project.org\/48-Out-of-bounds-read-and-signed-integer-overflow-in-libarchive.html\">2<\/a> <a href=\"http:\/\/blog.talosintel.com\/2016\/06\/the-poisoned-archives.html\">3<\/a>)I decided to fuzz it too.<\/p>\n<p>A crafted file causes an heap overflow in the bid_entry function in the mtree parser.<br \/>\nThis bug seems to be similar to <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c\">THIS<\/a> bug, but in this case ASan reports that the issue happens in the heap.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># bsdtar -t -f $FILE\r\n==786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f3cae7e9a65 at pc 0x7f3cae1c0bb6 bp 0x7ffe4f21cb30 sp 0x7ffe4f21cb28\r\nREAD of size 1 at 0x7f3cae7e9a65 thread T0\r\n    #0 0x7f3cae1c0bb5 in bid_entry \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read_support_format_mtree.c:567:7\r\n    #1 0x7f3cae1c0bb5 in detect_form \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read_support_format_mtree.c:676\r\n    #2 0x7f3cae08618b in choose_format \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read.c:712:10\r\n    #3 0x7f3cae08618b in archive_read_open1 \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read.c:529\r\n    #4 0x7f3cae0bdf1f in archive_read_open_filename \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read_open_filename.c:109:9\r\n    #5 0x501f66 in read_archive \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/read.c:223:6\r\n    #6 0x501473 in tar_mode_t \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/read.c:94:2\r\n    #7 0x4f8929 in main \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/bsdtar.c:803:3\r\n    #8 0x7f3cad0f961f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #9 0x41b778 in _init (\/usr\/bin\/bsdtar+0x41b778)\r\n\r\n0x7f3cae7e9a65 is located 613 bytes to the right of 262144-byte region [0x7f3cae7a9800,0x7f3cae7e9800)\r\nallocated by thread T0 here:\r\n    #0 0x4c2cc8 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.0-r3\/work\/llvm-3.8.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:52\r\n    #1 0x7f3cae08dbca in __archive_read_filter_ahead \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read.c:1436:17\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read_support_format_mtree.c:567:7 in bid_entry\r\nShadow bytes around the buggy address:\r\n  0x0fe815cf52f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0fe815cf5300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0fe815cf5310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0fe815cf5320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0fe815cf5330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=&gt;0x0fe815cf5340: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa\r\n  0x0fe815cf5350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0fe815cf5360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0fe815cf5370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0fe815cf5380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0fe815cf5390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==786==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n3.2.1<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n3.2.2<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/libarchive\/libarchive\/commit\/eec077f52bfa2d3f7103b4b74d52572ba8a15aca\">https:\/\/github.com\/libarchive\/libarchive\/commit\/eec077f52bfa2d3f7103b4b74d52572ba8a15aca<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-8688<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-08-11: bug discovered<br \/>\n2016-08-11: bug reported to upstream<br \/>\n2016-09-11: blog post about the issue<br \/>\n2016-09-19: upstream released a patch<br \/>\n2016-10-16: CVE Assigned<br \/>\n2016-10-24: Upstream released 3.2.2<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"yIZkbty87u\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c\/\">libarchive: bsdtar: heap-based buffer overflow in bid_entry (archive_read_support_format_mtree.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c\/embed\/#?secret=yIZkbty87u\" data-secret=\"yIZkbty87u\" width=\"600\" height=\"338\" title=\"&#8220;libarchive: bsdtar: heap-based buffer overflow in bid_entry (archive_read_support_format_mtree.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: libarchive is a multi-format archive and compression library. After it got fuzzed by hanno and some other people (1 2 3)I decided to fuzz it too. A crafted file causes an heap overflow in the bid_entry function in the &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-8e","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/510"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=510"}],"version-history":[{"count":11,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/510\/revisions"}],"predecessor-version":[{"id":983,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/510\/revisions\/983"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}