Using current git master of cpio, and introduced with the CVE-2016-2037 out-of-bounds patch, I can trivially crash cpio. For example from the top of the cpio git clone:
$ find gnulib/ | ./src/cpio -o -H newc >foo.cpio
70240 blocks
$ echo NEWS | ./src/cpio -oA -H newc -F foo.cpio
Segmentation fault (core dumped)

Adding a little debug and running in valgrind:

...
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 23
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 30
cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name 0x51da8a0 name 0x51da810 len 11
==30256== Conditional jump or move depends on uninitialised value(s)
==30256==    at 0x4E800F0: vfprintf (vfprintf.c:1636)
==30256==    by 0x4E87228: printf (printf.c:33)
==30256==    by 0x116F42: cpio_set_c_name (util.c:1433)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
cpio_set_c_name() about to memmove() file_hdr 0xfff0004e0 c_name (nil) name 0x51d9590 len 5
==30256== Conditional jump or move depends on uninitialised value(s)
==30256==    at 0x4C300D3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
==30256== Conditional jump or move depends on uninitialised value(s)
==30256==    at 0x4C300E5: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
==30256== Conditional jump or move depends on uninitialised value(s)
==30256==    at 0x4C30171: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
==30256== Use of uninitialised value of size 8
==30256==    at 0x4C3019B: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==
==30256== Invalid write of size 2
==30256==    at 0x4C3019B: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==30256==    by 0x116F5D: cpio_set_c_name (util.c:1434)
==30256==    by 0x110681: process_copy_out (copyout.c:663)
==30256==    by 0x113A37: main (main.c:788)
==30256==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Ross
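The trace above ends with a memmove() whose destination is "c_name (nil)" on the append (-A) path, followed by an invalid write to address 0. The following is an added example, not cpio's code and not part of Ross's report: a hypothetical, simplified header name setter, modelled only on the fields the debug lines name (c_name, name, len), that refuses to copy into a NULL or undersized destination and allocates or grows the buffer instead. The struct and function names (struct hdr, hdr_set_name, demo_append_path) are assumptions; the "NEWS" input mirrors the 5-byte (4 characters plus NUL) name in the last trace line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified header; not cpio's real struct.  c_name is an
   owned copy of the entry name and may legitimately start out NULL. */
struct hdr {
    char *c_name;      /* destination buffer for the entry name */
    size_t c_namesize; /* bytes currently allocated for c_name */
};

void hdr_init(struct hdr *h)
{
    h->c_name = NULL;
    h->c_namesize = 0;
}

void hdr_free(struct hdr *h)
{
    free(h->c_name);
    h->c_name = NULL;
    h->c_namesize = 0;
}

/* Hardened setter: never memmove()s into a NULL or too-small buffer.
   Grows the buffer to hold name plus its terminating NUL.
   Returns 0 on success, -1 on bad input or allocation failure. */
int hdr_set_name(struct hdr *h, const char *name)
{
    if (h == NULL || name == NULL)
        return -1;

    size_t len = strlen(name) + 1;           /* count the NUL terminator */
    if (h->c_name == NULL || h->c_namesize < len) {
        char *p = realloc(h->c_name, len);   /* realloc(NULL, n) acts as malloc(n) */
        if (p == NULL)
            return -1;                       /* leave the old buffer intact */
        h->c_name = p;
        h->c_namesize = len;
    }
    memmove(h->c_name, name, len);
    return 0;
}

/* Simulates the append path from the report: a fresh header whose c_name
   is NULL receives the 5-byte name "NEWS", then is reused for a longer name
   so the buffer must grow rather than overflow.  Returns 1 if every step
   behaved, 0 otherwise. */
int demo_append_path(void)
{
    struct hdr h;
    hdr_init(&h);

    int ok = hdr_set_name(&h, "NEWS") == 0
          && h.c_name != NULL
          && h.c_namesize == 5
          && strcmp(h.c_name, "NEWS") == 0;

    /* constructed, longer entry name: forces a grow of the 5-byte buffer */
    const char *longer = "gnulib/lib/somefile.c";
    ok = ok && hdr_set_name(&h, longer) == 0
            && h.c_namesize == strlen(longer) + 1
            && strcmp(h.c_name, longer) == 0;

    hdr_free(&h);
    return ok;
}

int main(void)
{
    printf("append path handled safely: %s\n", demo_append_path() ? "yes" : "no");
    return 0;
}
```

The design point is that the destination's size travels with the pointer: a setter that only receives c_name and len has no way to tell an uninitialised or NULL buffer from a valid one, which is exactly the state valgrind flags as "Conditional jump or move depends on uninitialised value(s)" before the write to 0x0.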