Full Disclosure mailing list archives

libarchive - Out of bounds read using malformed cpio archive


From: Paris Zoumpouloglou <pariszoump () gmail com>
Date: Tue, 28 Apr 2015 14:07:20 +0300

== Background ==

libarchive is a library for manipulating different streaming archive
formats, including certain tar variants, several cpio formats, and both
BSD and GNU ar variants.

== Affected software ==

bsdtar (via libarchive's cpio reader)

== Version ==

All tests were performed using commit
296efb3db188fa4bf7b0e7b5c61d404f9145f0ab

== Description ==

Initial fuzzing was performed using afl-fuzz.

Using a crafted archive, bsdtar performs an out-of-bounds memory read that
leads to a SEGFAULT. The issue is triggered when the executable skips an
entry's data in the archive; the amount of data to skip is taken from the
header at byte offset [16-19]. If ASLR is disabled, the issue can instead
lead to high CPU load and potential CPU exhaustion on single-core hosts.

The issue turned out to be a problem with the cpio reader: libarchive
identifies the constructed file as a big-endian binary cpio archive whose
entry declares a very large (>2GB) size. A sign overflow while parsing the
size field causes libarchive to treat that size as a negative value, so the
reader attempts to skip the file position forward by a negative number of
bytes, which is where the out-of-bounds read occurs.
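The parsing defect described above, shown as an added example; this is illustration code written for this page, not libarchive's source or the reporter's PoC. It assumes the documented big-endian "bin" cpio header layout (26 bytes, size field at bytes 22..25, per cpio(5)); the advisory's offset [16-19] refers to the crafted PoC file, which is not reproduced here. The narrow 32-bit reader models the overflow; the widened reader and the checked skip model the kind of fix that prevents the negative skip. The sample archive is constructed for the example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not libarchive's code. Models the big-endian "bin"
 * cpio header as documented in cpio(5): 26 bytes, magic 070707 (0x71c7),
 * namesize at bytes 20..21, filesize at bytes 22..25. (The advisory's
 * offset [16-19] refers to its own PoC file, which is not reproduced here.)
 */
enum { BIN_HEADER_SIZE = 26, BIN_NAMESIZE_OFFSET = 20, BIN_FILESIZE_OFFSET = 22 };
#define BIN_MAGIC_BE 0x71c7u

static uint16_t be2(const unsigned char *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Defect being modelled: the 4-byte size is returned as a 32-bit int, so
 * any value with the top bit set (>= 2 GiB) comes back negative. The
 * out-of-range conversion is implementation-defined and wraps on
 * two's-complement targets, which is what gcc and clang do. */
static int be4_narrow(const unsigned char *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
               | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int)v;
}

/* Hardened: widen each byte to int64_t before shifting. The result is
 * always in [0, 2^32 - 1], so a declared size can never read as negative. */
static int64_t be4_wide(const unsigned char *p) {
    return ((int64_t)p[0] << 24) | ((int64_t)p[1] << 16)
         | ((int64_t)p[2] << 8)  |  (int64_t)p[3];
}

/* Pre-fix skip: advance by the declared size with no sign or bounds check.
 * With a negative size this walks backwards, far before the buffer start. */
static int64_t skip_unchecked(size_t pos, int64_t nbytes) {
    return (int64_t)pos + nbytes;
}

/* Hardened skip: reject negative sizes and sizes that exceed the data
 * actually present, returning -1 instead of an out-of-range offset. */
static int64_t skip_checked(size_t buflen, size_t pos, int64_t nbytes) {
    if (nbytes < 0 || pos > buflen)
        return -1;
    if ((uint64_t)nbytes > (uint64_t)(buflen - pos))
        return -1;   /* archive truncated relative to the declared size */
    return (int64_t)(pos + (size_t)nbytes);
}

/* Constructed sample (not the advisory's PoC): one big-endian bin header
 * declaring a 2,147,483,664-byte file (top bit set), a 2-byte name, no data. */
static const unsigned char sample_archive[] = {
    0x71, 0xc7,             /* magic 070707, big-endian */
    0x00, 0x00, 0x00, 0x01, /* dev, ino */
    0x81, 0xa4,             /* mode: regular file, 0644 */
    0x00, 0x00, 0x00, 0x00, /* uid, gid */
    0x00, 0x01, 0x00, 0x00, /* nlink, rdev */
    0x00, 0x00, 0x00, 0x00, /* mtime */
    0x00, 0x02,             /* namesize: "a" plus NUL */
    0x80, 0x00, 0x00, 0x10, /* filesize: 0x80000010 */
    'a',  0x00,             /* name */
};

/* Offset of the entry's data: header plus name. Returns -1 on a bad magic. */
static int64_t sample_data_offset(void) {
    if (be2(sample_archive) != BIN_MAGIC_BE)
        return -1;
    return BIN_HEADER_SIZE + be2(sample_archive + BIN_NAMESIZE_OFFSET);
}

int main(void) {
    const unsigned char *sz = sample_archive + BIN_FILESIZE_OFFSET;
    int64_t pos = sample_data_offset();
    printf("narrow size = %d\n", be4_narrow(sz));
    printf("wide size   = %" PRId64 "\n", be4_wide(sz));
    printf("unchecked   = %" PRId64 "\n", skip_unchecked((size_t)pos, be4_narrow(sz)));
    printf("checked     = %" PRId64 "\n",
           skip_checked(sizeof sample_archive, (size_t)pos, be4_wide(sz)));
    return 0;
}
```

The narrow reader turns the declared 0x80000010 into -2147483632, and an unchecked skip from the data offset (28) lands at a hugely negative position, which in a real read-ahead buffer is the out-of-bounds read. The widened reader yields the true size, and the checked skip then fails cleanly because the archive is shorter than the size it declares.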

== PoC ==

Additional information and the PoC archive can be found here:
https://github.com/libarchive/libarchive/issues/502

== Solution ==

The issue was fixed in commit e6c9668f3202215ddb71617b41c19b6f05acf008.

== Timeline ==

2015-01-29 - Initial report
2015-02-02 - Response with proposed fix
2015-02-02 - Fix was confirmed to resolve the issue

== Credits ==

Reported by Paris Zoumpouloglou of Project Zero labs
(https://projectzero.gr)

-- 
Paris Zoumpouloglou
@pzmini0n

https://projectzero.gr


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/