https://gitlab.com/rossburton/cpio/commit/37b78fba8044411349ae791bcee98f55d4c0e442 is an addition to the test suite which fails for me.

Ross

On Wed, 28 Nov 2018 at 14:18, Burton, Ross <ross.bur...@intel.com> wrote:
>
> Using current git master of cpio, and introduced with the
> CVE-2016-2037 out-of-bounds patch, I can trivially crash cpio. For
> example from the top of the cpio git clone:
>
> $ find gnulib/ | ./src/cpio -o -H newc >foo.cpio
> 70240 blocks
> $ echo NEWS | ./src/cpio -oA -H newc -F foo.cpio
> Segmentation fault (core dumped)
>
> Adding a little debug and running in valgrind:
>
> ...
> cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name
> 0x51da8a0 name 0x51da810 len 23
> cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name
> 0x51da8a0 name 0x51da810 len 30
> cpio_set_c_name() about to memmove() file_hdr 0xfff000360 c_name
> 0x51da8a0 name 0x51da810 len 11
> ==30256== Conditional jump or move depends on uninitialised value(s)
> ==30256== at 0x4E800F0: vfprintf (vfprintf.c:1636)
> ==30256== by 0x4E87228: printf (printf.c:33)
> ==30256== by 0x116F42: cpio_set_c_name (util.c:1433)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> cpio_set_c_name() about to memmove() file_hdr 0xfff0004e0 c_name (nil)
> name 0x51d9590 len 5
> ==30256== Conditional jump or move depends on uninitialised value(s)
> ==30256== at 0x4C300D3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> ==30256== Conditional jump or move depends on uninitialised value(s)
> ==30256== at 0x4C300E5: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> ==30256== Conditional jump or move depends on uninitialised value(s)
> ==30256== at 0x4C30171: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> ==30256== Use of uninitialised value of size 8
> ==30256== at 0x4C3019B: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256==
> ==30256== Invalid write of size 2
> ==30256== at 0x4C3019B: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
> ==30256== by 0x116F5D: cpio_set_c_name (util.c:1434)
> ==30256== by 0x110681: process_copy_out (copyout.c:663)
> ==30256== by 0x113A37: main (main.c:788)
> ==30256== Address 0x0 is not stack'd, malloc'd or (recently) free'd
>
> Ross
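The valgrind trace above ends in a memmove() into a header whose c_name pointer is nil. As an added illustration, not cpio's code and not part of this thread, here is a name setter that keeps the buffer's capacity next to the pointer so that a zero-initialised or reused header is handled safely; the struct layout, the 64-byte minimum allocation and the sample member names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative header with only the name fields that matter here. The field
   names echo the report's debug output; the struct is constructed for this
   example and is not cpio's definition. */
struct file_hdr {
    char *c_name;       /* heap buffer holding the member name, or NULL */
    size_t c_namesize;  /* capacity of c_name in bytes, 0 while c_name is NULL */
};
/* A header that skips this carries whatever the stack or a reused allocation
   held, which is the state behind the report's "c_name (nil)" line. */
void file_hdr_init(struct file_hdr *hdr) { memset(hdr, 0, sizeof *hdr); }
void file_hdr_free(struct file_hdr *hdr) { free(hdr->c_name); file_hdr_init(hdr); }
/* Copy `name` (with its NUL) into the header, growing the buffer as needed.
   Returns false and leaves the header untouched if allocation fails. */
bool set_c_name(struct file_hdr *hdr, const char *name)
{
    size_t len = strlen(name) + 1;
    if (hdr->c_name == NULL || hdr->c_namesize < len) {
        size_t cap = len < 64 ? 64 : len;       /* small minimum avoids churn */
        char *buf = realloc(hdr->c_name, cap);  /* realloc(NULL, n) acts as malloc */
        if (buf == NULL)
            return false;
        hdr->c_name = buf;
        hdr->c_namesize = cap;
    }
    memmove(hdr->c_name, name, len);            /* c_name is never NULL here */
    return true;
}

/* Constructed member names; the last one exceeds the 64-byte minimum. */
static const char LONG_NAME[] =
    "gnulib/lib/some/deeply/nested/directory/with/a/rather/long/member/file-name.c";
/* Reuse one header for three names of different lengths, as cpio does across
   consecutive members in the report. Returns final capacity, 0 on any failure. */
size_t demo_reuse(void)
{
    const char *names[] = { "gnulib/lib/foo.c", "NEWS", LONG_NAME };
    struct file_hdr hdr;
    file_hdr_init(&hdr);
    bool ok = true;
    for (size_t i = 0; i < 3 && ok; i++)
        ok = set_c_name(&hdr, names[i]) && strcmp(hdr.c_name, names[i]) == 0;
    size_t cap = ok ? hdr.c_namesize : 0;
    file_hdr_free(&hdr);
    return cap;
}
```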