Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 13:45:05 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: out-of-bounds write with cpio 2.11

Hello,

An out-of-bounds write in cpio 2.11 was found in the parsing of cpio files
(other version are probably affected).  Find attached a test case to
reproduce it. The ASAN report is here:

=================================================================
==5480==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000edd0 at pc 0x41f187 bp 0x7fffffffdc50 sp 0x7fffffffdc48
WRITE of size 2 at 0x60200000edd0 thread T0
    #0 0x41f186 in cpio_safer_name_suffix
/home/g/Codigo/cpio-2.11+dfsg/src/util.c:1392
    #1 0x40b3d7 in process_copy_in
/home/g/Codigo/cpio-2.11+dfsg/src/copyin.c:1391
    #2 0x416754 in main /home/g/Codigo/cpio-2.11+dfsg/src/main.c:739
    #3 0x7ffff6b5eec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #4 0x403408 (/home/g/Codigo/cpio-2.11+dfsg/src/cpio+0x403408)

0x60200000edd1 is located 0 bytes to the right of 1-byte region
[0x60200000edd0,0x60200000edd1)
allocated by thread T0 here:
    #0 0x7ffff6f567ef in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547ef)
    #1 0x440f3e in xmalloc /home/g/Codigo/cpio-2.11+dfsg/gnu/xmalloc.c:47
    #2 0x409c74 in read_in_new_ascii
/home/g/Codigo/cpio-2.11+dfsg/src/copyin.c:1166
    #3 0x408a26 in read_in_header
/home/g/Codigo/cpio-2.11+dfsg/src/copyin.c:1043
    #4 0x40b354 in process_copy_in
/home/g/Codigo/cpio-2.11+dfsg/src/copyin.c:1361
    #5 0x416754 in main /home/g/Codigo/cpio-2.11+dfsg/src/main.c:739
    #6 0x7ffff6b5eec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/g/Codigo/cpio-2.11+dfsg/src/util.c:1392 cpio_safer_name_suffix
Shadow bytes around the buggy address:
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 06 fa
  0x0c047fff9dc0: fa fa 05 fa fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5480==ABORTING


This issue was found using QuickFuzz.

Regards,
Gus.

Content of type "text/html" skipped

Download attachment "overflow.cpio" of type "application/x-cpio" (524 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.