Hi All,
I'd like to report a defect in tar v1.30.
Execution of the following commands will cause a heap-based buffer overflows:
-- cut --
$ ~/tar-asan/src/tar -c -f none
--pax-option=globexthdr.name="%%%%%%",listopt="" none
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:316 in xheader_format_name
$ ~/tar-asan/src/tar -c -f none
--pax-option=globexthdr.name="%%%%%",listopt="" none
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:344 in xheader_format_name
$ ~/tar-asan/src/tar -c -f none
--pax-option=globexthdr.name="%%%",listopt="" none
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:358 in xheader_format_name
--
=================================================================
==12460==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000692 at pc 0x55f10f33bc91 bp 0x7ffdbeab0150 sp
0x7ffdbeab0148
WRITE of size 1 at 0x602000000692 thread T0
#0 0x55f10f33bc90 in xheader_format_name
/home/s1m0n/tar/tar-asan/src/xheader.c:316
#1 0x55f10f33bdf7 in xheader_ghdr_name
/home/s1m0n/tar/tar-asan/src/xheader.c:387
#2 0x55f10f34183d in xheader_write_global
/home/s1m0n/tar/tar-asan/src/xheader.c:455
#3 0x55f10f2dc02f in buffer_write_global_xheader
/home/s1m0n/tar/tar-asan/src/buffer.c:209
#4 0x55f10f31184e in create_archive
/home/s1m0n/tar/tar-asan/src/create.c:1355
#5 0x55f10f2d42b0 in main /home/s1m0n/tar/tar-asan/src/tar.c:2724
#6 0x7f7968be5b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
#7 0x55f10f2d9aa9 in _start (/home/s1m0n/tar/tar-asan/src/tar+0x9eaa9)
0x602000000692 is located 0 bytes to the right of 2-byte region
[0x602000000690,0x602000000692)
allocated by thread T0 here:
#0 0x7f7968e68ed0 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x55f10f48d5f8 in xmalloc /home/s1m0n/tar/tar-asan/gnu/xmalloc.c:41
#2 0x55f10f33aaa7 in xheader_format_name
/home/s1m0n/tar/tar-asan/src/xheader.c:308
#3 0x55f10f33bdf7 in xheader_ghdr_name
/home/s1m0n/tar/tar-asan/src/xheader.c:387
#4 0x55f10f34183d in xheader_write_global
/home/s1m0n/tar/tar-asan/src/xheader.c:455
#5 0x55f10f2dc02f in buffer_write_global_xheader
/home/s1m0n/tar/tar-asan/src/buffer.c:209
#6 0x55f10f31184e in create_archive
/home/s1m0n/tar/tar-asan/src/create.c:1355
#7 0x55f10f2d42b0 in main /home/s1m0n/tar/tar-asan/src/tar.c:2724
#8 0x7f7968be5b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/s1m0n/tar/tar-asan/src/xheader.c:316 in xheader_format_name
Shadow bytes around the buggy address:
0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff8090: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff80a0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff80b0: fa fa fd fa fa fa fd fa fa fa 00 03 fa fa 00 03
0x0c047fff80c0: fa fa 00 03 fa fa 04 fa fa fa 00 00 fa fa 00 fa
=>0x0c047fff80d0: fa fa[02]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12460==ABORTING
-- cut --
Please let me know if you have any questions.
Thanks,
Filip Palian
