{"id":513,"date":"2016-09-11T12:10:44","date_gmt":"2016-09-11T10:10:44","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=513"},"modified":"2016-12-01T15:41:56","modified_gmt":"2016-12-01T13:41:56","slug":"libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c\/","title":{"rendered":"libarchive: bsdtar: memory corruption\/unknown-crash in bid_entry (archive_read_support_format_mtree.c)"},"content":{"rendered":"

Description<\/strong>:
\nlibarchive<\/a> is a multi-format archive and compression library.<\/p>\n

After it got fuzzed by hanno and some other people (1<\/a> 2<\/a> 3<\/a>)I decided to fuzz it too.<\/p>\n

A crafted file causes an heap overflow in the bid_entry function in the mtree parser.
\nThis bug seems to be similar to THIS<\/a> bug, but in this case ASan does not report the issue as in the heap.
\nAlso, this bug was discovered by gsingh93 using the libarchive api.<\/p>\n

The complete ASan output:<\/p>\n

# bsdtar -t -f $FILE\r\n==6147==ERROR: AddressSanitizer: unknown-crash on address 0x7fa7103c437b at pc 0x7fa70fd73bb6 bp 0x7ffc3948db30 sp 0x7ffc3948db28\r\nREAD of size 1 at 0x7fa7103c437b thread T0\r\n    #0 0x7fa70fd73bb5 in bid_entry \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read_support_format_mtree.c:567:7\r\n    #1 0x7fa70fd73bb5 in detect_form \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read_support_format_mtree.c:676\r\n    #2 0x7fa70fc3918b in choose_format \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read.c:712:10\r\n    #3 0x7fa70fc3918b in archive_read_open1 \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read.c:529\r\n    #4 0x7fa70fc70f1f in archive_read_open_filename \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read_open_filename.c:109:9\r\n    #5 0x501f66 in read_archive \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/read.c:223:6\r\n    #6 0x501473 in tar_mode_t \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/read.c:94:2\r\n    #7 0x4f8929 in main \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/bsdtar.c:803:3\r\n    #8 0x7fa70ecac61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #9 0x41b778 in _init (\/usr\/bin\/bsdtar+0x41b778)\r\n\r\nAddressSanitizer can not describe address in more detail (wild memory access suspected).\r\nSUMMARY: AddressSanitizer: unknown-crash \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/libarchive\/archive_read_support_format_mtree.c:567:7 in bid_entry\r\nShadow bytes around the buggy address:\r\n  0x0ff562070810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0ff562070820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0ff562070830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0ff562070840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0ff562070850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n=>0x0ff562070860: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe[fe]\r\n  0x0ff562070870: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0ff562070880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0ff562070890: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0ff5620708a0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0ff5620708b0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==6147==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n3.2.1<\/p>\n
Fixed version:<\/strong>
\n3.2.2<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/libarchive\/libarchive\/commit\/eec077f52bfa2d3f7103b4b74d52572ba8a15aca<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.
\nThis bug was discovered by gsingh93.<\/p>\n
CVE:<\/strong>
\nCVE-2016-8688<\/p>\n
Timeline:<\/strong>
\n2016-08-11: bug discovered
\n2016-08-11: bug reported to upstream
\n2016-09-11: blog post about the issue
\n2016-09-19: upstream released a patch
\n2016-10-16: CVE Assigned
\n2016-10-24: Upstream released 3.2.2<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
libarchive: bsdtar: memory corruption\/unknown-crash in bid_entry (archive_read_support_format_mtree.c)<\/a><\/p><\/blockquote>\n