Hello, I've been playing a bit with fuzzers and tar 1.34 compiled with ASAN, and found the following non-exploitable crash:
```
$ ./src/tar -G -g -S --acls --selinux --xattrs -x -O --ignore-failed-read --ignore-command-error -B --warning=none -f ./id:000001*
./src/tar: Archive contains ‘\0appe’ where numeric mode_t value expected
=================================================================
==1019456==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc9fbc33ad at pc 0x561989b22bc6 bp 0x7ffc9fbc32d0 sp 0x7ffc9fbc2a98
READ of size 2 at 0x7ffc9fbc33ad thread T0
    #0 0x561989b22bc5 in strlen (/usr/local/google/home/jvoisin/dev/tar-1.34/src/tar+0x7ebc5) (BuildId: 8e7b576278e0e89042782b10c994241dd79d1c4a)
    #1 0x561989bfe09b in xheader_xattr_add /usr/local/google/home/jvoisin/dev/tar-1.34/src/xheader.c:580:17
    #2 0x561989c0656b in xattr_decoder /usr/local/google/home/jvoisin/dev/tar-1.34/src/xheader.c:1732:3
    #3 0x561989bfef8c in decode_record /usr/local/google/home/jvoisin/dev/tar-1.34/src/xheader.c:743:3
    #4 0x561989bfe6c0 in xheader_decode /usr/local/google/home/jvoisin/dev/tar-1.34/src/xheader.c:789:14
    #5 0x561989c17831 in decode_header /usr/local/google/home/jvoisin/dev/tar-1.34/src/list.c:711:3
    #6 0x561989c152fe in read_and /usr/local/google/home/jvoisin/dev/tar-1.34/src/list.c:194:4
    #7 0x561989c4308b in main /usr/local/google/home/jvoisin/dev/tar-1.34/src/tar.c:2806:7
    #8 0x7f62b3e29209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f62b3e292bb in __libc_start_main csu/../csu/libc-start.c:389:3
    #10 0x561989b0ca80 in _start (/usr/local/google/home/jvoisin/dev/tar-1.34/src/tar+0x68a80) (BuildId: 8e7b576278e0e89042782b10c994241dd79d1c4a)

Address 0x7ffc9fbc33ad is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow (/usr/local/google/home/jvoisin/dev/tar-1.34/src/tar+0x7ebc5) (BuildId: 8e7b576278e0e89042782b10c994241dd79d1c4a) in strlen
Shadow bytes around the buggy address:
  0x100013f70620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013f70630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013f70640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013f70650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013f70660: 00 00 00 00 ca ca ca ca 00 00 00 02 cb cb cb cb
=>0x100013f70670: ca ca ca ca 00[05]cb cb cb cb cb cb 00 00 00 00
  0x100013f70680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013f70690: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100013f706a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013f706b0: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100013f706c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1019456==ABORTING
$
```

The reproducer is attached, and you may want to remove the checksum check from tar to reproduce the crash locally.

Cheers,

-- 
Julien Voisin | ISE - TPS | jvoi...@google.com |
id:000000,sig:06,src:000120+000989,time:3630314,execs:1035790,op:splice,rep:16
Description: Binary data
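The trace above ends in strlen() while decoding a SCHILY.xattr record whose value, as the warning shows, starts with a NUL byte. As an added illustration that is not tar's code and not part of the report, this is a PAX extended-header record parser driven entirely by the record's declared length, so a value such as the quoted "\0appe" is measured correctly and a record declaring more bytes than are in memory is rejected rather than read past. All names (pax_record, pax_record_parse, pax_record_xattr_name, sample_value_length) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names, not tar's own code: a length-driven PAX record parser. */
struct pax_record {
    const char *key; size_t key_len;   /* e.g. "SCHILY.xattr.user.x" */
    const char *val; size_t val_len;   /* raw bytes, may contain NUL */
    size_t consumed;                   /* record size the header declared */
};

/* Parse one "<len> <key>=<value>\n" record from buf[0..buf_len); every bound
   comes from the declared length, never from strlen() on archive bytes. */
bool pax_record_parse(const char *buf, size_t buf_len, struct pax_record *out)
{
    size_t i = 0, len = 0;
    if (buf_len == 0 || buf[0] < '1' || buf[0] > '9') return false;
    while (i < buf_len && buf[i] >= '0' && buf[i] <= '9') {
        if (len > (SIZE_MAX - 9) / 10) return false;   /* length field overflow */
        len = len * 10 + (size_t)(buf[i++] - '0');
    }
    if (i >= buf_len || buf[i++] != ' ') return false;
    /* len covers the whole record including '\n' and must fit what is in memory */
    if (len > buf_len || len <= i || buf[len - 1] != '\n') return false;
    const char *eq = memchr(buf + i, '=', len - 1 - i);
    if (eq == NULL || eq == buf + i) return false;    /* missing or empty key */
    for (const char *p = buf + i; p < eq; p++)
        if ((unsigned char)*p < 0x20) return false;   /* keys are printable text */
    out->key = buf + i;  out->key_len = (size_t)(eq - (buf + i));
    out->val = eq + 1;   out->val_len = (size_t)((buf + len - 1) - (eq + 1));
    out->consumed = len;
    return true;
}

/* Match the "SCHILY.xattr." prefix by length; no strcmp() on archive bytes. */
bool pax_record_xattr_name(const struct pax_record *r, const char **name, size_t *name_len)
{
    const size_t plen = sizeof "SCHILY.xattr." - 1;
    if (r->key_len <= plen || memcmp(r->key, "SCHILY.xattr.", plen) != 0) return false;
    *name = r->key + plen;  *name_len = r->key_len - plen;
    return true;
}

/* Constructed sample: the value starts with a NUL byte, like the quoted "\0appe". */
static const char sample_rec[] = "29 SCHILY.xattr.user.x=\0appe\n";

/* Value length when only `avail` bytes are in memory (0 = record rejected). */
size_t sample_value_length(size_t avail)
{
    struct pax_record r;
    return pax_record_parse(sample_rec, avail, &r) ? r.val_len : 0;
}
```

With all 29 declared bytes present the sample yields a 5-byte value where strlen() would have reported 0; with only 20 bytes in memory the record is refused instead of being read past its end.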