Hi All,

I'd like to report a defect in tar v1.30.

Execution of the following command with the attached test-case will cause a use-after-free:

-- cut --
$ ~/tar-asan/src/tar -d -f none -g ./uaf_2.tar
/home/s1m0n/tar/tar-asan/src/tar: ./uaf_2.tar:1: Invalid time stamp: Invalid argument
/home/s1m0n/tar/tar-asan/src/tar: ./uaf_2.tar:2: Invalid device number: Invalid argument
=================================================================
==11565==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000670 at pc 0x55980167ae1d bp 0x7ffee0f3a8e0 sp 0x7ffee0f3a8d8
READ of size 1 at 0x602000000670 thread T0
    #0 0x55980167ae1c in strtosysint /home/s1m0n/tar/tar-asan/src/misc.c:399
    #1 0x55980165e1ea in read_incr_db_01 /home/s1m0n/tar/tar-asan/src/incremen.c:1075
    #2 0x55980165e1ea in read_directory_file /home/s1m0n/tar/tar-asan/src/incremen.c:1385
    #3 0x55980160084a in diff_init /home/s1m0n/tar/tar-asan/src/compare.c:51
    #4 0x5598015e0268 in main /home/s1m0n/tar/tar-asan/src/tar.c:2742
    #5 0x7fd4033ccb16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #6 0x5598015e5aa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)

0x602000000670 is located 0 bytes inside of 7-byte region [0x602000000670,0x602000000677)
freed by thread T0 here:
    #0 0x7fd4036502c0 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:105
    #1 0x7fd403419967 in getdelim (/lib/x86_64-linux-gnu/libc.so.6+0x6f967)
    #2 0x2000201fffffffff (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7fd4035a17e0 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:405
    #1 0x55980165de0e in read_incr_db_01 /home/s1m0n/tar/tar-asan/src/incremen.c:993
    #2 0x55980165de0e in read_directory_file /home/s1m0n/tar/tar-asan/src/incremen.c:1385
    #3 0x55980160084a in diff_init /home/s1m0n/tar/tar-asan/src/compare.c:51
    #4 0x5598015e0268 in main /home/s1m0n/tar/tar-asan/src/tar.c:2742
    #5 0x7fd4033ccb16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

SUMMARY: AddressSanitizer: heap-use-after-free /home/s1m0n/tar/tar-asan/src/misc.c:399 in strtosysint
Shadow bytes around the buggy address:
  0x0c047fff8070: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
  0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
  0x0c047fff8090: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
  0x0c047fff80a0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
  0x0c047fff80b0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
=>0x0c047fff80c0: fa fa 00 03 fa fa 04 fa fa fa 00 00 fa fa[fd]fa
  0x0c047fff80d0: fa fa fd fa fa fa fd fa fa fa fa fa fa fa fa fa
  0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11565==ABORTING
-- cut --

The defect can be triggered and captured on the non-ASAN builds in the following way:

-- cut --
$ ulimit -c unlimited
$ sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t
$ cp uaf_2.tar bla.tar
$ while true; do ~/tar/tar-1.30/src/tar -d -f bla.tar -g ./uaf_2.tar ; done
$ dmesg|tail
[38236.022756] tar[28459]: segfault at 55bc03b360 ip 00007f630784c717 sp 00007ffc99c5ce40 error 4 in libc-2.27.so[7f63077eb000+146000]
[38236.022761] Code: 64 48 8b 4d 00 48 85 c9 0f 84 31 ff ff ff 0f 1f 44 00 00 48 8d 34 c1 48 8b 56 40 48 85 d2 0f 84 1b ff ff ff 48 83 f8 3f 77 19 <48> 8b 3a 48 89 7e 40 80 2c 01 01 48 83 c4 18 48 89 d0 5b 5d c3 0f
$ gdb -c core-tar.28459.none.1543928071 ~/tar-1.30/src/tar
...
Core was generated by `/home/s1m0n/tar/tar-1.30/src/tar -d -f bla.tar -g ./uaf_2.tar'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f630784c717 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
gdb-peda$ where
#0  0x00007f630784c717 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x000055bc31b48c71 in xmalloc (n=0x8) at xmalloc.c:41
#2  0x000055bc31a1e0d9 in make_directory (name=name@entry=0x55bc335cb301 "tmp/tmp", caname=0x55bc335cb300 "/tmp/tmp") at incremen.c:264
#3  0x000055bc31a211dc in attach_directory (name=0x55bc335cb301 "tmp/tmp") at incremen.c:284
#4  note_directory (name=name@entry=0x55bc335cb301 "tmp/tmp", mtime=..., dev=dev@entry=0x0, ino=ino@entry=0x0, nfs=nfs@entry=0x0, contents=0x0, found=0x0) at incremen.c:331
#5  0x000055bc31a2771d in read_incr_db_01 (initbuf=<optimized out>, version=<optimized out>) at incremen.c:1085
#6  read_directory_file () at incremen.c:1385
#7  0x000055bc319e0651 in diff_init () at compare.c:51
#8  0x000055bc319c4a55 in main (argc=<optimized out>, argv=<optimized out>) at tar.c:2742
#9  0x00007f63077ebb17 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x000055bc319c853a in _start () at tar.c:2596
gdb-peda$ bt full
#0  0x00007f630784c717 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x000055bc31b48c71 in xmalloc (n=0x8) at xmalloc.c:41
        p = <optimized out>
#2  0x000055bc31a1e0d9 in make_directory (name=name@entry=0x55bc335cb301 "tmp/tmp", caname=0x55bc335cb300 "/tmp/tmp") at incremen.c:264
        namelen = 0x7
        directory = 0x55bc335cb870
#3  0x000055bc31a211dc in attach_directory (name=0x55bc335cb301 "tmp/tmp") at incremen.c:284
        cname = <optimized out>
        dir = <optimized out>
        cname = <optimized out>
        dir = <optimized out>
#4  note_directory (name=name@entry=0x55bc335cb301 "tmp/tmp", mtime=..., dev=dev@entry=0x0, ino=ino@entry=0x0, nfs=nfs@entry=0x0, contents=0x0, found=0x0) at incremen.c:331
        directory = <optimized out>
#5  0x000055bc31a2771d in read_incr_db_01 (initbuf=<optimized out>, version=<optimized out>) at incremen.c:1085
        dev = 0x0
        nfs = 0x0
        ino = 0x0
        strp = 0x55bc335cb301 "tmp/tmp"
        mtime = {
          tv_sec = <optimized out>,
          tv_nsec = 0x0
        }
        u = <optimized out>
        buf = 0x55bc335cf220 ""
        ebuf = 0x55bc335cb300 "/tmp/tmp"
        n = <optimized out>
        bufsize = 0x6858
        lineno = 0x2
        n = <optimized out>
        u = <optimized out>
        buf = <optimized out>
        bufsize = <optimized out>
        ebuf = <optimized out>
        lineno = <optimized out>
        buf_ns = <optimized out>
        dev = <optimized out>
        ino = <optimized out>
        nfs = <optimized out>
        strp = <optimized out>
        mtime = <optimized out>
#6  read_directory_file () at incremen.c:1385
        ebuf = <optimized out>
        incremental_version = <optimized out>
        fd = <optimized out>
        buf = 0x55bc335cad00 "uaf_2/"
        bufsize = 0x5ec
        flags = <optimized out>
#7  0x000055bc319e0651 in diff_init () at compare.c:51
        ptr = 0x55bc335cba10
#8  0x000055bc319c4a55 in main (argc=<optimized out>, argv=<optimized out>) at tar.c:2742
No locals.
#9  0x00007f63077ebb17 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#10 0x000055bc319c853a in _start () at tar.c:2596
No symbol table info available.
gdb-peda$ i r
rax            0x0                 0x0
rbx            0x8                 0x8
rcx            0x55bc335c6010      0x55bc335c6010
rdx            0x55bc03b360        0x55bc03b360
rsi            0x55bc335c6010      0x55bc335c6010
rdi            0x8                 0x8
rbp            0xffffffffffffffb0  0xffffffffffffffb0
rsp            0x7ffc99c5ce40      0x7ffc99c5ce40
r8             0x171               0x171
r9             0x55bc335cb30a      0x55bc335cb30a
r10            0x0                 0x0
r11            0x0                 0x0
r12            0x55bc335cb301      0x55bc335cb301
r13            0x55bc335cb300      0x55bc335cb300
r14            0x0                 0x0
r15            0x0                 0x0
rip            0x7f630784c717      0x7f630784c717 <malloc+343>
eflags         0x10293             [ CF AF SF IF RF ]
cs             0x33                0x33
ss             0x2b                0x2b
ds             0x0                 0x0
es             0x0                 0x0
fs             0x0                 0x0
gs             0x0                 0x0
gdb-peda$ x/i $rip
=> 0x7f630784c717 <malloc+343>:	mov    (%rdx),%rdi
-- cut --

Please let me know if you have any questions.

Thanks,
Filip Palian
Attachment: uaf_2.tar (Description: Unix tar archive)
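Editor's note, with an added example that is not part of Filip Palian's report and not tar's code. Read together, the two traces above describe one bug class: the block ASan flags was handed out by strdup() in read_incr_db_01, freed by realloc() called from inside getdelim(), and then read by strtosysint(); in the core dump, strp and ebuf still point at the old "/tmp/tmp" block while buf already points at a different, much larger buffer. That is the signature of a pointer kept into a getdelim()-managed buffer across a later getdelim() call that grows the buffer. How exactly tar's code arrives there is not established by the traces, so the program below does not reproduce tar's parser; it reproduces the pattern on a constructed record format ("dev ino name", NUL-terminated records), with made-up names (parse_unsafe, parse_safe, build_listing) and a hardened variant beside the buggy one.

```c
/* Added example, not tar's code: a pointer kept into a getdelim()-managed
 * buffer is used after a later getdelim() call has grown that buffer with
 * realloc(), freeing the old block.  Record format, names and input are
 * constructed for illustration; the mapping onto tar's read_incr_db_01 is an
 * assumption drawn from the traces above, not from tar's source. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define MAX_RECORDS   8
#define LONG_NAME_LEN 300   /* well above any libc's initial getdelim() buffer */

/* Constructed listing: NUL-terminated records "dev ino name".  Record 2 is
 * long so that reading it forces getdelim() to grow the buffer record 1 was
 * parsed from.  Caller frees the result. */
static char *build_listing(size_t *len)
{
    static const char rec1[] = "1 2 tmp/tmp";   /* name sits at offset 4 */
    static const char rec2_head[] = "3 4 ";
    *len = sizeof rec1 + (sizeof rec2_head - 1) + LONG_NAME_LEN + 1;
    char *p = malloc(*len), *q = p;
    if (!p) abort();
    memcpy(q, rec1, sizeof rec1);                q += sizeof rec1;  /* incl. NUL */
    memcpy(q, rec2_head, sizeof rec2_head - 1);  q += sizeof rec2_head - 1;
    memset(q, 'x', LONG_NAME_LEN);               q += LONG_NAME_LEN;
    *q = '\0';
    return p;
}

/* Skip the two numeric fields and return a pointer to the name inside rec. */
static char *name_field(char *rec)
{
    char *end;
    strtoull(rec, &end, 10);   /* dev */
    strtoull(end, &end, 10);   /* ino */
    return end + (*end == ' ');
}

/* BUGGY: names[i] alias the buffer as it was when record i was read.  The
 * next getdelim() may realloc() it, so every earlier alias ends up either
 * dangling (block moved, old one freed) or overwritten (grown in place).
 * Returns the record count; *buf_out is the buffer as it is at the end. */
static int parse_unsafe(FILE *fp, const char *names[],
                        char **buf_out, size_t *bufsize_out)
{
    char *buf = NULL; size_t bufsize = 0; int count = 0;
    while (count < MAX_RECORDS && getdelim(&buf, &bufsize, '\0', fp) > 0)
        names[count++] = name_field(buf);
    *buf_out = buf; *bufsize_out = bufsize;
    return count;
}

/* HARDENED: copy anything that must outlive the next getdelim() call
 * (storing offsets and re-deriving pointers from the current buf also
 * works).  Caller frees names[0..count). */
static int parse_safe(FILE *fp, char *names[])
{
    char *buf = NULL; size_t bufsize = 0; int count = 0;
    while (count < MAX_RECORDS && getdelim(&buf, &bufsize, '\0', fp) > 0) {
        if (!(names[count] = strdup(name_field(buf)))) abort();
        count++;
    }
    free(buf);
    return count;
}

/* Range check on integer values: nothing is dereferenced and a possibly
 * freed pointer is never compared as a pointer. */
static bool inside_buffer(const char *p, const char *buf, size_t bufsize)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)buf;
    return a >= lo && a - lo < bufsize;
}

/* Does record 1's stale alias still yield "tmp/tmp"?  False either way:
 * moved -> alias lies outside the live buffer (reading it is the UAF ASan
 * reported); grown in place -> alias now reads record 2's bytes. */
bool unsafe_first_name_ok(void)
{
    size_t len; char *listing = build_listing(&len);
    FILE *fp = fmemopen(listing, len, "r");
    if (!fp) abort();
    const char *names[MAX_RECORDS]; char *buf; size_t bufsize;
    int count = parse_unsafe(fp, names, &buf, &bufsize);
    bool ok = count == 2 && inside_buffer(names[0], buf, bufsize)
              && strcmp(names[0], "tmp/tmp") == 0;
    fclose(fp); free(buf); free(listing);
    return ok;
}

/* With owned copies both names survive intact. */
bool safe_names_ok(void)
{
    size_t len; char *listing = build_listing(&len);
    FILE *fp = fmemopen(listing, len, "r");
    if (!fp) abort();
    char *names[MAX_RECORDS];
    int count = parse_safe(fp, names);
    bool ok = count == 2 && strcmp(names[0], "tmp/tmp") == 0
              && strlen(names[1]) == LONG_NAME_LEN && names[1][0] == 'x';
    for (int i = 0; i < count; i++) free(names[i]);
    fclose(fp); free(listing);
    return ok;
}

int main(void)
{
    printf("stale alias still correct: %s\n", unsafe_first_name_ok() ? "yes" : "no");
    printf("owned copies correct:      %s\n", safe_names_ok() ? "yes" : "no");
    return 0;
}
```

The buggy path deliberately never dereferences an alias that has left the live buffer, so a plain build runs clean; to see the same report shape as the one above, drop the inside_buffer() guard and build with -fsanitize=address -g, and ASan will flag the strcmp() as a heap-use-after-free with realloc() under getdelim() in the "freed by" stack. The check a reviewer would look for in any getline()/getdelim() loop is simply that no pointer derived from the buffer survives the next call: either it is copied (as in parse_safe) or it is stored as an offset and recomputed from the current buffer.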