[Bug-tar] Heap-based buffer overflow in xheader.c:188:xheader_set_keyword_equal().

[x ksi]

Hi All,

I'd like to report a defect in tar v1.30.

Execution of the following command will cause a heap-based buffer overflow:

-- cut --
$ ~/tar-asan/src/tar --pax-option==
=================================================================
==28267==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6070000006af at pc 0x562f9aa1b349 bp 0x7ffc7b4e51c0 sp
0x7ffc7b4e51b8
READ of size 1 at 0x6070000006af thread T0
    #0 0x562f9aa1b348 in xheader_set_keyword_equal
/home/s1m0n/tar/tar-asan/src/xheader.c:188
    #1 0x562f9aa1b348 in xheader_set_option
/home/s1m0n/tar/tar-asan/src/xheader.c:237
    #2 0x562f9aa9a91f in parse_opt /home/s1m0n/tar/tar-asan/src/tar.c:1845
    #3 0x562f9aaffac6 in group_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:234
    #4 0x562f9aaffac6 in parser_parse_opt
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:749
    #5 0x562f9aaffac6 in parser_parse_next
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:860
    #6 0x562f9aaffac6 in argp_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:928
    #7 0x562f9a9b164e in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2312
    #8 0x562f9a9b164e in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
    #9 0x7fdf7ac2fb16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #10 0x562f9a9baaa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)
0x6070000006af is located 1 bytes to the left of 71-byte region
[0x6070000006b0,0x6070000006f7)
allocated by thread T0 here:
    #0 0x7fdf7aeb2ed0 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x562f9ab6e5f8 in xmalloc /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:41
    #2 0x562f9ab6ede4 in xmemdup /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:113
    #3 0x562f9ab6ee5c in xstrdup /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:121
    #4 0x562f9aa9a83f in expand_pax_option
/home/s1m0n/tar/tar-asan/src/tar.c:1202
    #5 0x562f9aa9a83f in parse_opt /home/s1m0n/tar/tar-asan/src/tar.c:1843
    #6 0x562f9aaffac6 in group_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:234
    #7 0x562f9aaffac6 in parser_parse_opt
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:749
    #8 0x562f9aaffac6 in parser_parse_next
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:860
    #9 0x562f9aaffac6 in argp_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:928
    #10 0x562f9a9b164e in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2312
    #11 0x562f9a9b164e in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
    #12 0x7fdf7ac2fb16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:188 in
xheader_set_keyword_equal
Shadow bytes around the buggy address:
  0x0c0e7fff8080: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x0c0e7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff80b0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff80c0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fff80d0: 00 00 fa fa fa[fa]00 00 00 00 00 00 00 00 07 fa
  0x0c0e7fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28267==ABORTING
-- cut --

Please let me know if you have any questions.


Thanks,
Filip Palian