Hi -
A signed integer overflow is triggered in cpio 2.12 when large block
size values are
used during copy in on 32-bit Ubuntu 14.04.
The supplied block size is multiplied by 512 in main.c:parse_opt resulting
in a wrap around and a negative value for io_block_size. The resulting
bad read
is caught by glibc.
POC:
# python -c "print 'A'*1516" > file; echo file | cpio -o > int_overflow.cpio
# cpio -i --block-size=20971520 -F int_overflow.cpio
*** Error in `cpio': free(): invalid next size (fast): 0x08070eb0 ***
Aborted (core dumped)
# uname -a
Linux x-Acer 3.19.0-33-generic #38~14.04.1-Ubuntu SMP Fri Nov 6 18:17:49
UTC 2015 i686 i686 i686 GNU/Linux
I attempted to find a similar issue using --io-size but was unable to
cause an overflow.
This fix limits the upper bound on --block-size. Please consider the
attached patch and let me know if would like any changes.
Thank you and regards,
David Moore
@grajagandev
Patch Summary:
* src/main.c: add upper bound on --block-size
* tests/big-block-size.at: New file
* tests/Makefile.am: Add new file
* tests/testsuite.at: Add new file
Attached Patch Files:
0001-Add-test-for-signed-integer-overflow.patch
0002-Fix-signed-integer-overflow-big-block-sizes.patch
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
From a5937fbc189d9a770d191d01f471682eb5477b57 Mon Sep 17 00:00:00 2001
From: grajagandev <dmoor...@gmail.com>
Date: Mon, 8 Feb 2016 07:53:08 -0800
Subject: [PATCH 1/2] Add test for signed integer overflow
---
tests/big-block-size.at | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 tests/big-block-size.at
diff --git a/tests/big-block-size.at b/tests/big-block-size.at
new file mode 100644
index 0000000..380e025
--- /dev/null
+++ b/tests/big-block-size.at
@@ -0,0 +1,37 @@
+# Process this file with autom4te to create testsuite. -*- Autotest -*-
+# Copyright (C) 2009-2010, 2014-2015 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+AT_SETUP([big block size])
+AT_KEYWORDS([block integer overflow])
+
+# Description: Cpio versions up to 2.12 did not check the size of the
+# value supplied to the --block-size argument. This could result in
+# a signed integer overflow.
+
+AT_CHECK([
+echo
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
> file
+echo file | cpio -o > a
+cpio -i --block-size=20971520 -F a
+],
+[2],
+[],
+[4 blocks
+cpio: invalid block size
+Try 'cpio --help' or 'cpio --usage' for more information.]
+)
+AT_CLEANUP
+
+
--
1.9.1
From dff61b4f2a79efd07d4f94891d6c946d539f1696 Mon Sep 17 00:00:00 2001
From: grajagandev <dmoor...@gmail.com>
Date: Mon, 8 Feb 2016 07:58:45 -0800
Subject: [PATCH 2/2] Fix signed integer overflow - big block sizes
---
src/main.c | 2 +-
tests/Makefile.am | 3 ++-
tests/testsuite.at | 1 +
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/main.c b/src/main.c
index a13861f..5a30a7b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -321,7 +321,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
case BLOCK_SIZE_OPTION: /* --block-size */
io_block_size = atoi (arg);
- if (io_block_size < 1)
+ if (io_block_size < 1 || io_block_size > INT_MAX/512)
USAGE_ERROR ((0, 0, _("invalid block size")));
io_block_size *= 512;
break;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 2fbee29..863f46c 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -55,7 +55,8 @@ TESTSUITE_AT = \
symlink-bad-length.at\
symlink-long.at\
symlink-to-stdout.at\
- version.at
+ version.at\
+ big-block-size.at
TESTSUITE = $(srcdir)/testsuite
diff --git a/tests/testsuite.at b/tests/testsuite.at
index 81e205b..b11c4a0 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -42,3 +42,4 @@ m4_include([setstat02.at])
m4_include([setstat03.at])
m4_include([setstat04.at])
m4_include([setstat05.at])
+m4_include([big-block-size.at])
--
1.9.1
