Hi,

On Fri, Jan 29, 2016 at 03:55:09PM -0500, anarcat wrote:
> I can't actually reproduce with the test case provided on oss-security:
> 
> (gdb) run -i < ../overflow.cpio
> Starting program: /bin/cpio -i < ../overflow.cpio
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library
> "/lib/x86_64-linux-gnu/libthread_db.so.1".
> /bin/cpio: Malformed number0000000
> /bin/cpio: warning: skipped 8 bytes of junk
> /bin/cpio: Substituting `.' for empty member name
> /bin/cpio: . not created: newer or same age version exists
> /bin/cpio: premature end of file
> [Inferior 1 (process 191) exited with code 02]
> 
> Did i miss anything?

You should get the issue uncovered if you built with AddressSanitizer:

fuzzer@sid:~/cpio-2.11+dfsg$ ./src/cpio -i < ~/overflow.cpio 
./src/cpio: Malformed number0000000
./src/cpio: warning: skipped 8 bytes of junk
./src/cpio: Substituting `.' for empty member name
=================================================================
==31139==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60200000edd1 at pc 0x7f6640dd293a bp 0x7ffdd8768f20 sp 0x7ffdd87686d0
WRITE of size 2 at 0x60200000edd1 thread T0
    #0 0x7f6640dd2939 in __asan_memmove 
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x88939)
    #1 0x41df3b in cpio_safer_name_suffix 
/home/fuzzer/cpio-2.11+dfsg/src/util.c:1392
    #2 0x40b4ab in process_copy_in /home/fuzzer/cpio-2.11+dfsg/src/copyin.c:1436
    #3 0x4163eb in main /home/fuzzer/cpio-2.11+dfsg/src/main.c:746
    #4 0x7f66409c686f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2086f)
    #5 0x403368 in _start (/home/fuzzer/cpio-2.11+dfsg/src/cpio+0x403368)

0x60200000edd1 is located 0 bytes to the right of 1-byte region 
[0x60200000edd0,0x60200000edd1)
allocated by thread T0 here:
    #0 0x7f6640ddde9a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x93e9a)
    #1 0x438b6c in rpl_malloc /home/fuzzer/cpio-2.11+dfsg/gnu/malloc.c:51
    #2 0x43d4c5 in xmalloc /home/fuzzer/cpio-2.11+dfsg/gnu/xmalloc.c:47
    #3 0x409d94 in read_in_new_ascii 
/home/fuzzer/cpio-2.11+dfsg/src/copyin.c:1211
    #4 0x408cb2 in read_in_header /home/fuzzer/cpio-2.11+dfsg/src/copyin.c:1088
    #5 0x40b428 in process_copy_in /home/fuzzer/cpio-2.11+dfsg/src/copyin.c:1406
    #6 0x4163eb in main /home/fuzzer/cpio-2.11+dfsg/src/main.c:746
    #7 0x7f66409c686f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2086f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fa
  0x0c047fff9dc0: fa fa 05 fa fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==31139==ABORTING

Hope that helps.

Regards,
Salvatore

Reply via email to