Dear CPIO developers,

We are security researchers from Columbia University testing a bug finding
tool on CPIO.
We have found a bug that would cause CPIO to get stuck. It is caused by the
fact that existing files may be opened, and files that are named pipes can
cause the open function to hang.
There are two calls to open, starting on line 390 in src/copyin.c:
      out_file_des = open (d->header.c_name,
                           O_CREAT | O_WRONLY | O_BINARY, 0600);
      if (out_file_des < 0 && create_dir_flag)
        {
          create_all_directories (d->header.c_name);
          out_file_des = open (d->header.c_name,
                               O_CREAT | O_WRONLY | O_BINARY,
                               0600);
        }

When extracting the attached sample file, CPIO will attempt to create the
same file twice after having checked for its existence. The first time,
it will create the named pipe. In addition to the "-i" and "-I" flags, we
also tried all combinations that included or excluded "-u" and
"--no-absolute-filenames". The bug was discovered on the latest version,
2.12.

To bypass this inherent timing gap, we recommend adding the O_EXCL flag to
the second argument in the calls to the open functions. This prevents CPIO
from hanging when trying to extract the sample file.

Best,
Yuan Kang

Attachment: overlap_pair.cpio
Description: CPIO file

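As an added example that is not part of the report above or of cpio's own source, the following C program reproduces the two behaviours the report describes: open(2) with O_CREAT | O_WRONLY on a pre-existing FIFO reaches the FIFO and would block waiting for a reader, while adding O_EXCL makes the same call fail immediately with EEXIST. The directory and FIFO layout is a constructed fixture, not the attached overlap_pair.cpio; cpio's O_BINARY flag is left out because it is a no-op on POSIX systems; and O_NONBLOCK is used only to turn the would-be hang into an observable ENXIO.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open an extraction target the way the quoted copyin.c code does: create it
 * if it is missing. Without O_EXCL, an object that already exists at `path`
 * is simply opened; if that object is a FIFO, open(2) with O_WRONLY blocks
 * until another process opens it for reading, which is the reported hang.
 */
static int open_output(const char *path, int extra_flags)
{
    return open(path, O_CREAT | O_WRONLY | extra_flags, 0600);
}

/*
 * Shared fixture (constructed for this example): a scratch directory under
 * /tmp, optionally containing a FIFO named "out". Calls open_output() with
 * the given extra flags, cleans up, and returns the errno of the open, or 0
 * if it succeeded, or -1 if the fixture could not be built.
 */
static int try_open(int with_fifo, int extra_flags)
{
    char dir[] = "/tmp/cpio_fifo_XXXXXX";
    char path[64];
    int fd, err;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/out", dir);
    if (with_fifo && mkfifo(path, 0600) != 0) {
        rmdir(dir);
        return -1;
    }

    errno = 0;
    fd = open_output(path, extra_flags);
    err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);

    unlink(path);
    rmdir(dir);
    return err;
}

/*
 * A FIFO already sits at the target path (the situation in the report).
 *   O_EXCL     -> EEXIST: open refuses whatever is already there; no hang.
 *   O_NONBLOCK -> ENXIO:  open reached the FIFO and found no reader; without
 *                         O_NONBLOCK this is exactly where cpio would block.
 */
int open_existing_fifo(int extra_flags)
{
    return try_open(1, extra_flags);
}

/* Nothing at the target path: O_EXCL must not interfere with a normal create. */
int open_fresh_file(int extra_flags)
{
    return try_open(0, extra_flags);
}

int main(void)
{
    int e;

    e = open_existing_fifo(O_EXCL);
    printf("existing FIFO, O_EXCL:     %d (%s)\n", e, e > 0 ? strerror(e) : "ok");
    e = open_existing_fifo(O_NONBLOCK);
    printf("existing FIFO, O_NONBLOCK: %d (%s)\n", e, e > 0 ? strerror(e) : "ok");
    e = open_fresh_file(O_EXCL);
    printf("fresh path, O_EXCL:        %d (%s)\n", e, e > 0 ? strerror(e) : "ok");
    return 0;
}
```

O_EXCL converts the hang into an ordinary EEXIST error that the caller must then handle; an extractor that wants to overwrite existing entries still has to remove them first, and that removal is subject to the same gap between the existence check and the open.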