{"id":533,"date":"2016-09-11T12:40:58","date_gmt":"2016-09-11T10:40:58","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=533"},"modified":"2016-12-01T15:43:01","modified_gmt":"2016-12-01T13:43:01","slug":"libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c\/","title":{"rendered":"libarchive: bsdtar: stack-based buffer overflow in bsdtar_expand_char (util.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.libarchive.org\/\">libarchive<\/a> is a multi-format archive and compression library.<\/p>\n<p>After it was fuzzed by hanno and some other people (<a href=\"https:\/\/blog.fuzzing-project.org\/47-Many-invalid-memory-access-issues-in-libarchive.html\">1<\/a> <a href=\"https:\/\/blog.fuzzing-project.org\/48-Out-of-bounds-read-and-signed-integer-overflow-in-libarchive.html\">2<\/a> <a href=\"http:\/\/blog.talosintel.com\/2016\/06\/the-poisoned-archives.html\">3<\/a>), I decided to fuzz it too.<\/p>\n<p>This bug came out after 5 days of fuzzing, when AFL reported that it had already completed 15 cycles. This means that in some cases a few hours of fuzzing are not enough to conclude that there are no more bugs&#8230;<\/p>\n<p>A crafted file causes a stack-buffer-overflow write.<br \/>\nUpstream was not able to reproduce the issue (possibly because of a different compiler and compiler options), so upstream committed the fix based on what the stack trace printed. 
The bug is no longer reachable through the provided test case, but I asked upstream to make a new release so that I can launch the fuzzer again.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># bsdtar -t -f $FILE\r\nbsdtar: Missing type keyword in mtree specification\r\n5!\\\\{bsdtar: Missing type keyword in mtree specification\r\n\r\nzO!\\\\{bsdtar: Missing type keyword in mtree specification\r\n\r\nzO\\r\\r\\\\{bsdtar: Missing type keyword in mtree specification\r\n\r\nzO\\r\\\\w\\200r\\rbsdtar: Missing type keyword in mtree specification\r\n\r\n@;\\r\\005@{bsdtar: Missing type keyword in mtree specification\r\n\r\nzO\\r\\r\\\\{bsdtar: Malformed attribute \"\" (-51)\r\n\r\nz\\f\\fbsdtar: Missing type keyword in mtree specification\r\n\r\nh\\352*((-.I,\\002:%1=\\037\\257:B\\362\\020\\217(\\300\\351!\\002\\341\\341\\341*(\\244\\244\\263\\377\\377\\377\\377\\244\\377\\177\\244\\244\\244\\244\\244\\244\\244\\264\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\244\\036\\036\\036\\036\\036\\036\\036\\036\\036\\036bsdtar: Missing type keyword in mtree specification\r\n=================================================================\r\n==6259==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fae139bf660 at pc 0x0000004957dc bp 0x7ffc9de91a90 sp 0x7ffc9de91240\r\nWRITE of size 4 at 0x7fae139bf660 thread T0\r\n    #0 0x4957db in vsprintf \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:1128\r\n    #1 0x495912 in sprintf \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:1159\r\n    #2 0x50ab22 in bsdtar_expand_char \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/util.c:223:4\r\n    #3 0x509c47 in safe_fprintf 
\/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/util.c:174:21\r\n    #4 0x50307f in read_archive \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/read.c:320:5\r\n    #5 0x501bf3 in tar_mode_t \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/read.c:94:2\r\n    #6 0x4f8b9f in main \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/bsdtar.c:803:3\r\n    #7 0x7fae1780761f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #8 0x41b778 in _init (\/usr\/bin\/bsdtar+0x41b778)\r\n\r\nAddress 0x7fae139bf660 is located in stack of thread T0 at offset 608 in frame\r\n    #0 0x50964f in safe_fprintf \/var\/tmp\/portage\/app-arch\/libarchive-3.2.1-r3\/work\/libarchive-3.2.1\/tar\/util.c:95\r\n\r\n  This frame has 4 object(s):\r\n    [32, 288) 'fmtbuff_stack'\r\n    [352, 608) 'outbuff' 0x0ff64272fec0: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2\r\n  0x0ff64272fed0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 04 f3 f3 f3\r\n  0x0ff64272fee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0ff64272fef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0ff64272ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0ff64272ff10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            
ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==6259==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n3.2.1<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n3.2.2<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/libarchive\/libarchive\/commit\/e37b620fe8f14535d737e89a4dcabaed4517bf1a\">https:\/\/github.com\/libarchive\/libarchive\/commit\/e37b620fe8f14535d737e89a4dcabaed4517bf1a<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-8687<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-08-17: bug discovered<br \/>\n2016-08-17: bug reported to upstream<br \/>\n2016-08-21: upstream released a patch<br \/>\n2016-09-11: blog post about the issue<br \/>\n2016-10-16: CVE Assigned<br \/>\n2016-10-24: Upstream released 3.2.2<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"zEzZJMbT3o\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c\/\">libarchive: bsdtar: stack-based buffer overflow in bsdtar_expand_char (util.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c\/embed\/#?secret=zEzZJMbT3o\" data-secret=\"zEzZJMbT3o\" width=\"600\" height=\"338\" title=\"&#8220;libarchive: bsdtar: stack-based buffer overflow in bsdtar_expand_char (util.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" 
marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: libarchive is a multi-format archive and compression library. After it got fuzzed by hanno and some other people (1 2 3)I decided to fuzz it too. This bug comes out after 5 days of fuzzing and when AFL reports &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/11\/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-8B","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/533"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=533"}],"version-history":[{"count":8,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/533\/revisions"}],"predecessor-version":[{"id":987,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/533\/revisions\/987"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.g
entoo.org\/ago\/wp-json\/wp\/v2\/tags?post=533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}