
List:       busybox
Subject:    out-of-bounds read in get_header_ar()
From:       Christoph Biedl <busybox.cskc () manchmal ! in-ulm ! de>
Date:       2017-11-19 22:56:27
Message-ID: 1511132038 () msgid ! manchmal ! in-ulm ! de

Hello,

the following issue was reported in Debian, I can confirm this still
exists in the latest commit a07fead:

----- Forwarded message from Jakub Wilk <jwilk@jwilk.net> -----

Date: Sun, 19 Nov 2017 22:30:27 +0100
From: Jakub Wilk <jwilk@jwilk.net>
To: submit@bugs.debian.org
Subject: Bug#882175: busybox: out-of-bounds read in get_header_ar()

Package: busybox
Version: 1:1.27.2-1

Apparently an out-of-bounds read can happen when unpacking ar archives:

  $ valgrind -q -- busybox ar p oob.ar > /dev/null
  ==2180== Invalid read of size 1
  ==2180==    at 0x4831403: __GI_strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==2180==    by 0x48B9F5A: strdup (strdup.c:41)
  ==2180==    by 0x1108BC: xstrdup (xfuncs_printf.c:81)
  ==2180==    by 0x15C560: get_header_ar (get_header_ar.c:116)
  ==2180==    by 0x15C26F: unpack_ar_archive (unpack_ar_archive.c:20)
  ==2180==    by 0x14D956: ar_main (ar.c:291)
  ==2180==    by 0x10F788: run_applet_no_and_exit (appletlib.c:916)
  ==2180==    by 0x10FA50: run_applet_and_exit (appletlib.c:934)
  ==2180==    by 0x10FA38: busybox_main (appletlib.c:875)
  ==2180==    by 0x10FA38: run_applet_and_exit (appletlib.c:927)
  ==2180==    by 0x10FADC: main (appletlib.c:1032)
  ==2180==  Address 0x4a0715c is 0 bytes after a block of size 4 alloc'd
  ==2180==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==2180==    by 0x110847: xmalloc (xfuncs_printf.c:47)
  ==2180==    by 0x15C4A0: get_header_ar (get_header_ar.c:86)
  ==2180==    by 0x15C26F: unpack_ar_archive (unpack_ar_archive.c:20)
  ==2180==    by 0x14D956: ar_main (ar.c:291)
  ==2180==    by 0x10F788: run_applet_no_and_exit (appletlib.c:916)
  ==2180==    by 0x10FA50: run_applet_and_exit (appletlib.c:934)
  ==2180==    by 0x10FA38: busybox_main (appletlib.c:875)
  ==2180==    by 0x10FA38: run_applet_and_exit (appletlib.c:927)
  ==2180==    by 0x10FADC: main (appletlib.c:1032)
  ...

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Architecture: i386

Versions of packages busybox depends on:
ii  libc6  2.25-1

-- 
Jakub Wilk



----- End forwarded message -----


["oob.ar" (text/plain)]

!<arch>//00000000000000000000000000000000000000000000004 00000000`
00000000000000000000000000000000000000000000000000004 00000000`
0000/00000 000000000000000000000000000000000000000000000000000`


_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
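The valgrind trace above shows strlen() (called from strdup/xstrdup) walking off the end of a 4-byte heap block that get_header_ar() allocated, i.e. a long-name table that is looked up without a length check. As an added example that is not BusyBox's code and not from the report, the following C program reads ar member headers and the GNU "//" long-name table with explicit bounds: the "/<offset>" reference is compared against the table length, and the "/\n" entry terminator is located with memchr() bounded by that length, so a table with no terminator is rejected instead of read past. The header layout, the "`\n" trailer, 2-byte member alignment and the "/<offset>" convention are the standard ar format; all identifiers are this example's own, and the sample archives it builds are constructed for the demo (they are not the attached oob.ar).

```c
/* Added example, not BusyBox code: a bounds-checked reader for ar member
 * headers and the GNU "//" long-name table.  Every identifier is this
 * example's own; the format details are the standard ar layout. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define AR_MAGIC    "!<arch>\n"
#define AR_HDR_SIZE 60   /* name[16] date[12] uid[6] gid[6] mode[8] size[10] fmag[2] */

struct ar_member {
    char   name[256];   /* resolved, NUL-terminated member name */
    size_t size;        /* payload length in bytes */
};

/* Decimal field: 1+ digits, then only space padding; rejects overflow. */
static int parse_dec(const char *s, size_t n, size_t *out)
{
    size_t v = 0, i = 0;
    if (n == 0 || s[0] < '0' || s[0] > '9') return -1;
    for (; i < n && s[i] >= '0' && s[i] <= '9'; i++) {
        if (v > (SIZE_MAX - 9) / 10) return -1;
        v = v * 10 + (size_t)(s[i] - '0');
    }
    for (; i < n; i++) if (s[i] != ' ') return -1;
    *out = v;
    return 0;
}

/* Resolve a 16-byte name field.  "/<offset>" indexes the long-name table,
 * whose entries end in "/\n".  The offset is checked against the table
 * length and the terminator is found with a bounded memchr(), so no C
 * string function ever runs past the table, terminated or not. */
int ar_resolve_name(const char *field, const char *longtab, size_t longtab_len,
                    char *out, size_t outlen)
{
    size_t n = 0;
    if (field[0] == '/' && field[1] >= '0' && field[1] <= '9') {
        size_t off;
        const char *p;
        if (parse_dec(field + 1, 15, &off) != 0) return -1;
        if (longtab == NULL || off >= longtab_len) return -1;  /* past the table */
        p = memchr(longtab + off, '/', longtab_len - off);
        if (p == NULL) return -1;                              /* no terminator */
        n = (size_t)(p - (longtab + off));
        if (n + 1 > outlen) return -1;
        memcpy(out, longtab + off, n);
        out[n] = '\0';
        return 0;
    }
    if (field[0] == '/') {                                     /* "/" or "//" */
        while (n < 16 && field[n] == '/') n++;
    } else {
        while (n < 16 && field[n] != '/' && field[n] != ' ') n++;
    }
    if (n == 0 || n + 1 > outlen) return -1;
    memcpy(out, field, n);
    out[n] = '\0';
    return 0;
}

/* Walk an in-memory archive: validate each header, capture the "//" table,
 * resolve every other member's name.  Returns the member count or -1. */
int ar_list(const unsigned char *buf, size_t len, struct ar_member *m, int max)
{
    size_t pos = 8, longtab_len = 0;
    const char *longtab = NULL;
    int count = 0;
    if (len < 8 || memcmp(buf, AR_MAGIC, 8) != 0) return -1;
    while (pos + AR_HDR_SIZE <= len) {
        const char *hdr = (const char *)buf + pos;
        size_t size, data = pos + AR_HDR_SIZE;
        if (memcmp(hdr + 58, "`\n", 2) != 0) return -1;
        if (parse_dec(hdr + 48, 10, &size) != 0) return -1;
        if (size > len - data) return -1;                      /* payload truncated */
        if (hdr[0] == '/' && hdr[1] == '/' && hdr[2] == ' ') {
            longtab = (const char *)buf + data;                /* the "//" table */
            longtab_len = size;
        } else {
            if (count >= max) return -1;
            if (ar_resolve_name(hdr, longtab, longtab_len, m[count].name,
                                sizeof m[count].name) != 0) return -1;
            m[count].size = size;
            count++;
        }
        pos = data + size + (size & 1);                        /* 2-byte alignment */
    }
    return count;
}

/* Constructed sample archives for the demo (not the report's oob.ar). */
static void put_header(unsigned char *dst, const char *name, size_t size)
{
    char sz[32];
    memset(dst, ' ', AR_HDR_SIZE);
    memcpy(dst, name, strlen(name));
    snprintf(sz, sizeof sz, "%zu", size);
    memcpy(dst + 48, sz, strlen(sz));
    memcpy(dst + 58, "`\n", 2);
}

/* Layout: magic, a "//" member holding `table`, then one member named `ref`. */
static size_t build_sample(unsigned char *buf, const char *table, size_t table_len,
                           const char *ref)
{
    size_t pos = 8;
    memcpy(buf, AR_MAGIC, 8);
    put_header(buf + pos, "//", table_len); pos += AR_HDR_SIZE;
    memcpy(buf + pos, table, table_len);    pos += table_len;
    if (table_len & 1) buf[pos++] = '\n';   /* pad odd-sized members */
    put_header(buf + pos, ref, 2);          pos += AR_HDR_SIZE;
    memcpy(buf + pos, "xy", 2);             pos += 2;
    return pos;
}

/* Build and list a sample: returns the member count, -1 if the archive was
 * rejected, or -2 if the one resolved name differs from `expected`. */
int sample_check(const char *table, size_t table_len, const char *ref, const char *expected)
{
    unsigned char buf[512];
    struct ar_member m[4];
    int count = ar_list(buf, build_sample(buf, table, table_len, ref), m, 4);
    if (count == 1 && expected && strcmp(m[0].name, expected) != 0) return -2;
    return count;
}

int main(void)
{
    const char *tab = "hello_long_name.o/\n";                    /* one 19-byte entry */
    printf("valid ref    -> %d\n", sample_check(tab, 19, "/0", "hello_long_name.o")); /* 1 */
    printf("short name   -> %d\n", sample_check(tab, 19, "s.o/", "s.o"));            /* 1 */
    printf("offset 40    -> %d\n", sample_check(tab, 19, "/40", NULL));              /* -1 */
    printf("unterminated -> %d\n", sample_check("abcd", 4, "/0", NULL));             /* -1 */
    return 0;
}
```

The last case mirrors the shape of the trace: a 4-byte table with no "/\n" inside it. Because the lookup never hands the table to strlen() or strdup() until a terminator has been found within longtab_len, the archive is rejected with a clean error instead of reading one byte past the allocation.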

