Hi All,
I'd like to report a defect in tar v1.30.
Execution of the following command will cause a heap-based buffer overflow:
-- cut --
$ ~/tar-asan/src/tar --transform="s///"
=================================================================
==4615==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000066f at pc 0x55fcbf10c3dd bp 0x7ffe443251d0 sp
0x7ffe443251c8
READ of size 1 at 0x60200000066f thread T0
#0 0x55fcbf10c3dc in parse_transform_expr
/home/s1m0n/tar/tar-asan/src/transform.c:276
#1 0x55fcbf10c4c9 in set_transform_expr
/home/s1m0n/tar/tar-asan/src/transform.c:414
#2 0x55fcbf101ecf in parse_opt /home/s1m0n/tar/tar-asan/src/tar.c:1947
#3 0x55fcbf164ac6 in group_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:234
#4 0x55fcbf164ac6 in parser_parse_opt
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:749
#5 0x55fcbf164ac6 in parser_parse_next
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:860
#6 0x55fcbf164ac6 in argp_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:928
#7 0x55fcbf01664e in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2312
#8 0x55fcbf01664e in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
#9 0x7f6afb635b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
#10 0x55fcbf01faa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)
0x60200000066f is located 1 bytes to the left of 1-byte region
[0x602000000670,0x602000000671)
allocated by thread T0 here:
#0 0x7f6afb8b8ed0 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x55fcbf1d35f8 in xmalloc /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:41
#2 0x55fcbf1096df in parse_transform_expr
/home/s1m0n/tar/tar-asan/src/transform.c:263
#3 0x55fcbf10c4c9 in set_transform_expr
/home/s1m0n/tar/tar-asan/src/transform.c:414
#4 0x55fcbf101ecf in parse_opt /home/s1m0n/tar/tar-asan/src/tar.c:1947
#5 0x55fcbf164ac6 in group_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:234
#6 0x55fcbf164ac6 in parser_parse_opt
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:749
#7 0x55fcbf164ac6 in parser_parse_next
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:860
#8 0x55fcbf164ac6 in argp_parse
/home/s1m0n/tar/tar-asan/gnu/argp-parse.c:928
#9 0x55fcbf01664e in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2312
#10 0x55fcbf01664e in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
#11 0x7f6afb635b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/transform.c:276 in parse_transform_expr
Shadow bytes around the buggy address:
0x0c047fff8070: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff8090: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff80a0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff80b0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
=>0x0c047fff80c0: fa fa 00 03 fa fa 04 fa fa fa 00 00 fa[fa]01 fa
0x0c047fff80d0: fa fa 00 00 fa fa 00 fa fa fa fd fa fa fa fd fa
0x0c047fff80e0: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 00 fa
0x0c047fff80f0: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4615==ABORTING
-- cut --
Please let me know if you have any questions.
Thanks,
Filip Palian
