Re: [PATCH v2] tar: regression with hardlinked symlinks

Sun, 15 Apr 2018 11:25:30 -0700 

ping
FWIW, this problem actually came up with an archive containing a fsroot including a busybox installation again, but this time, the archive was created after a deduplication step had hardlinked identical files and symlinks. 

On 4/1/18 1:37 PM, Harald van Dijk wrote:

When the creation of symlinks got delayed until after all other files 
had been extracted, that didn't take into account that the archive may 
contain hardlinks to those symlinks. The extraction of those hardlinks 
did not get delayed so would fail.



This patch generalises the symlink_placeholders approach to a 
link_placeholders which allows delaying the extraction of hardlinks too. 
It changes the order in which delayed links are added to ensure that a 
hardlink to an earlier symlink will create the symlink first.



It delays all hardlinks without regards to the target. It may be 
desirable to instead tweak it to determine whether the link target is a 
delayed symlink, but that is a cost/benefits tradeoff. As hardlinks are 
relatively rare, I guess the benefit of such an optimisation would be 
small, but I am not really qualified to make that determination.


Test case:

   mkdir dir
   >dir/a
   ln -s ../dir/a dir/b
   ln dir/b dir/c
   mkdir new
   tar cf - dir/* | tar -C new -xf -

busybox ad4e9613:

tar: can't create hardlink 'dir/c' to 'dir/b': No such file or directory

busybox ad4e9613 + patch:

No error output. The archive is successfully extracted.


The security hole that the delayed extraction of symlinks was meant to 
prevent should not be re-introduced by the delayed creation of 
hardlinks: the parent components of archive entries still get created 
first, so if an archive contains a file "exploit", a symlink "parent -> 
..", and a hardlink "parent/exploit -> exploit", the presence of that 
hardlink causes "parent" to be immediately created as a regular 
directory. The symlink creation "parent -> .." will therefore fail. This 
could use careful review though.


Cheers,
Harald van Dijk

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox






















					Reply via email to