Hi, I think I've found a bug in tar-1.32 (also present in 1.29). If I run
    $ ./tar tG --tra=s
    ./tar: Unknown flag in transform expression: X
    Try './tar --help' or './tar --usage' for more information.

However if I run

    $ RND_ENV=irrelevant ./tar tG --tra=s
    ./tar: Unknown flag in transform expression: M
    Try './tar --help' or './tar --usage' for more information.

Valgrind and ASan are happy, so I tried debugging a bit with gdb. The X in the first case is printed on transform.c:254, where pointer p points to

    (gdb) print p
    $5 = 0x7fffffffe873 "XDG_SESSION_ID=292"

So I'm pretty sure p starts pointing at environment variables and that this shouldn't be the case.

I also have a stack trace from the tool that found this, which you might find helpful:

    Error: memory error: out of bound pointer
    File: transform.c
    Line: 213
    assembly.ll line: 100309
    Stack:
      #0  00100309 in parse_transform_expr (expr) at transform.c:213
      #1  00099974 in set_transform_expr (expr) at transform.c:413
      #2  00095813 in parse_opt (key=200, arg, state=143966064) at tar.c:1950
      #3  00090246 in group_parse (group=135938048, state=143966064, key=200, arg) at argp-parse.c:233
      #4  00090706 in parser_parse_opt (parser=143965952, opt=16777416, val) at argp-parse.c:745
      #5  00089825 in parser_parse_next (parser=143965952, arg_ebadkey=139413200) at argp-parse.c:856
      #6  00081596 in argp_parse (argp=28822208, argc=4, argv=135839104, flags=8, end_index=134188176, input=134134912) at argp-parse.c:924
      #7  00129430 in decode_options (argc=3, argv=135463200) at tar.c:2314
      #8  00128994 in __klee_posix_wrapped_main (argc=3, argv=135463200) at tar.c:2703
      #9  00009370 in __user_main (argcPtr=5, argvPtr=72146400, envp=72146448) at /data/klee/runtime/POSIX/klee_init_env.c:245
      #10 00002742 in __uClibc_main (main=38907656, argc=5, argv=72146400, app_init=0, app_fini=0, rtld_fini=0, stack_end=0) at libc/misc/internals/__uClibc_main.c:401
      #11 00002913 in main (=5, =72146400)
    Info:
      address: (Add w64 134187439
                    (SExt w64 (ZExt w32 (Eq 45 (Read w8 1 arg01)))))
      example: 134187440
      range: [134187440, 134187440]
      next: object at 134187840 of size 4
        MO7628[4] allocated at decode_options(): %new_argc = alloca i32, align 4
      prev: object at 134187432 of size 8
        MO5979[8] allocated at __get_sym_str(): %call = call noalias i8* @malloc(i64 %conv) #8, !dbg !7385

(note that this is for version 1.29, so line numbers might be slightly different)

Cheers,
Timotej
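Editor's note: the report above shows a transform expression consisting of the single character "s" being scanned past the end of its argument (the "unknown flag" that gets printed is whatever byte happens to follow it on the stack, here the environment block). The C below is an added illustration of the check a parser for the sed-style s<delim>regex<delim>replacement<delim>[flags] form needs; it is hypothetical example code written for this note, not tar's transform.c, and the struct, function names and the accepted flag set (g, i, x and digits) are assumptions for the example only.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, bounds-checked parser for "s<delim>regex<delim>repl<delim>[flags]".
 * Illustrative code for this note, not tar's own transform parser. Every scan
 * tests for the terminating NUL first, so a truncated expression such as "s"
 * or "s/foo" is reported as an error at the terminator instead of being read
 * past the end of the argument. */

struct xform {
    char regex[256];
    char repl[256];
    char flags[16];
};

/* Copy from *pp up to (not including) the next unescaped delim into dst.
 * Returns 0 and advances *pp past the delimiter, or -1 if the string ends
 * first or dst is too small. */
static int copy_until(const char **pp, char delim, char *dst, size_t dstsz)
{
    const char *p = *pp;
    size_t n = 0;

    while (*p != delim) {
        if (*p == '\0')
            return -1;                  /* ran out of input before the delimiter */
        if (*p == '\\' && p[1] != '\0') {
            if (n + 2 >= dstsz)
                return -1;
            dst[n++] = *p++;            /* keep the backslash ... */
        }
        if (n + 1 >= dstsz)
            return -1;
        dst[n++] = *p++;                /* ... and the (possibly escaped) character */
    }
    dst[n] = '\0';
    *pp = p + 1;                        /* step over the closing delimiter */
    return 0;
}

/* Parse one expression. Returns 0 on success, -1 on a malformed expression;
 * on failure *err_at points at the offending byte inside expr, never beyond
 * its NUL terminator. */
int parse_transform(const char *expr, struct xform *out, const char **err_at)
{
    const char *p = expr;
    char delim;
    size_t n = 0;

    memset(out, 0, sizeof *out);
    *err_at = NULL;

    if (*p != 's') {                    /* only the s command is handled here */
        *err_at = p;
        return -1;
    }
    p++;

    delim = *p;                         /* for the input "s" this is the NUL */
    if (delim == '\0' || delim == '\\' || delim == '\n') {
        *err_at = p;
        return -1;
    }
    p++;

    if (copy_until(&p, delim, out->regex, sizeof out->regex) < 0 ||
        copy_until(&p, delim, out->repl, sizeof out->repl) < 0) {
        *err_at = p;
        return -1;
    }

    /* Flags run to the end of the string. The accepted set (g, i, x, digits)
     * is an assumption for this example; the real --transform accepts more. */
    while (*p != '\0') {
        if (!strchr("gix0123456789", *p) || n + 1 >= sizeof out->flags) {
            *err_at = p;                /* unknown flag: report it, scan no further */
            return -1;
        }
        out->flags[n++] = *p++;
    }
    out->flags[n] = '\0';
    return 0;
}
```

The property worth checking is that for "s" the error position returned is the argument's own NUL terminator, i.e. the parser never dereferences anything past the end of the string it was given.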