Hi All, I'd like to report a defect in cpio v2.12 (3be097c12ec14a69b3f3df3e2138fa235a3154d7).
Execution of the following command with the attached test-case will
cause a heap-based buffer overflow:
-- cut --
$ ~/cpio-git-asan/src/cpio -i --io-size=9.0 < ./hbof_1
=================================================================
==18400==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x626000002900 at pc 0x00000044ca1d bp 0x7ffe20009e10 sp
0x7ffe200095c0
WRITE of size 5120 at 0x626000002900 thread T0
#0 0x44ca1c in __interceptor_read.part.49
(/home/s1m0n/cpio/cpio-asan/src/cpio+0x44ca1c)
#1 0x5e0243 in safe_read /home/s1m0n/cpio/cpio-asan/gnu/safe-read.c:66:24
#2 0x55b516 in tape_buffered_peek
/home/s1m0n/cpio/cpio-asan/src/util.c:364:24
#3 0x51059f in read_in_header /home/s1m0n/cpio/cpio-asan/src/copyin.c:971:19
#4 0x51e718 in process_copy_in
/home/s1m0n/cpio/cpio-asan/src/copyin.c:1358:7
#5 0x548817 in main /home/s1m0n/cpio/cpio-asan/src/main.c:788:3
#6 0x7f832ed05b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
#7 0x41e8c9 in _start (/home/s1m0n/cpio/cpio-asan/src/cpio+0x41e8c9)
0x626000002900 is located 0 bytes to the right of 10240-byte region
[0x626000000100,0x626000002900)
allocated by thread T0 here:
#0 0x4d3f20 in malloc (/home/s1m0n/cpio/cpio-asan/src/cpio+0x4d3f20)
#1 0x5e99e4 in xmalloc /home/s1m0n/cpio/cpio-asan/gnu/xmalloc.c:41:13
#2 0x548335 in initialize_buffers
/home/s1m0n/cpio/cpio-asan/src/main.c:763:27
#3 0x5487f0 in main /home/s1m0n/cpio/cpio-asan/src/main.c:786:3
#4 0x7f832ed05b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/s1m0n/cpio/cpio-asan/src/cpio+0x44ca1c) in
__interceptor_read.part.49
Shadow bytes around the buggy address:
0x0c4c7fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff84f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff8520:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18400==ABORTING
-- cut --
Please let me know if you have any questions.
Thanks,
Filip Palian
hbof_1
Description: Binary data
