Hi All,
I'd like to report a defect in tar v1.30.
Execution of the following command will cause a heap-based buffer overflow:
-- cut --
$ ~/tar-asan/src/tar -f .bz2 --one-top-level
=================================================================
==31469==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000066f at pc 0x7ff728412b44 bp 0x7ffff14312b0 sp
0x7ffff1430a60
READ of size 1 at 0x60200000066f thread T0
#0 0x7ff728412b43 in __interceptor_strncmp
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:407
#1 0x55aafb3f8e4a in strip_compression_suffix
/home/s1m0n/tar/tar-asan/src/suffix.c:105
#2 0x55aafb3238a5 in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2535
#3 0x55aafb3238a5 in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
#4 0x7ff7281c2b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
#5 0x55aafb329aa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)
0x60200000066f is located 1 bytes to the left of 8-byte region
[0x602000000670,0x602000000678)
allocated by thread T0 here:
#0 0x7ff728445ed0 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x7ff7284062ad in __interceptor_strndup
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:326
#2 0x55aafb4de7e0 in xstrndup /home/s1m0n/tar/tar-asan/gnu/xstrndup.c:32
#3 0x55aafb47782a in base_name /home/s1m0n/tar/tar-asan/gnu/basename.c:57
#4 0x55aafb32388e in decode_options /home/s1m0n/tar/tar-asan/src/tar.c:2534
#5 0x55aafb32388e in main /home/s1m0n/tar/tar-asan/src/tar.c:2698
#6 0x7ff7281c2b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:407
in __interceptor_strncmp
Shadow bytes around the buggy address:
0x0c047fff8070: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff8090: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff80a0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff80b0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
=>0x0c047fff80c0: fa fa 00 03 fa fa 04 fa fa fa 00 00 fa[fa]00 fa
0x0c047fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31469==ABORTING
-- cut --
Please let me know if you have any questions.
Thanks,
Filip Palian
