542389 – cpio crashes with buffer overflow when creating an ustar archive

Bug 542389 - cpio crashes with buffer overflow when creating an ustar archive

Summary: cpio crashes with buffer overflow when creating an ustar archive

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	cpio
Sub Component:
Version:	11
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	---
Assignee:	Ondrej Vasik
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-11-29 15:54 UTC by Cristian Ciupitu
Modified:	2009-12-02 04:25 UTC (History)
CC List:	2 users (show)
Fixed In Version:	2.9.90-6.fc11
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-12-02 04:25:06 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
backtrace (675 bytes, text/plain) 2009-11-30 21:35 UTC, Kamil Dudka	no flags	Details
View All

Description Cristian Ciupitu 2009-11-29 15:54:25 UTC

Description of problem:
cpio crashes with buffer overflow when creating an ustar archive.

Version-Release number of selected component (if applicable):
cpio-2.9.90-5.fc11.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. svn co http://svn.eionet.europa.eu/repositories/Naaya/trunk Naaya
2. cd Naaya
3. find -name .svn -prune -o -print0 | cpio -o -0 -H ustar | gzip > /dev/null

Actual results:
*** buffer overflow detected ***: cpio terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f1a6e141797]
/lib64/libc.so.6[0x7f1a6e13f7f0]
/lib64/libc.so.6(__strncpy_chk+0x17b)[0x7f1a6e13eaab]
cpio[0x409cf4]
cpio[0x405f7a]
cpio[0x4061be]
cpio[0x408a41]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f1a6e068a2d]
cpio[0x402659]
======= Memory map: ========
00400000-0041e000 r-xp 00000000 fd:00 4585                               /bin/cpio
0061e000-00620000 rw-p 0001e000 fd:00 4585                               /bin/cpio
01f3e000-01f5f000 rw-p 00000000 00:00 0                                  [heap]
7f1a68d5d000-7f1a68d76000 r-xp 00000000 fd:00 205877                     /lib64/libgcc_s-4.4.1-20090729.so.1
7f1a68d76000-7f1a68f76000 ---p 00019000 fd:00 205877                     /lib64/libgcc_s-4.4.1-20090729.so.1
7f1a68f76000-7f1a68f77000 rw-p 00019000 fd:00 205877                     /lib64/libgcc_s-4.4.1-20090729.so.1
7f1a68f77000-7f1a6e04a000 r--p 00000000 fd:00 43255                      /usr/lib/locale/locale-archive
7f1a6e04a000-7f1a6e1ae000 r-xp 00000000 fd:00 2805                       /lib64/libc-2.10.1.so
7f1a6e1ae000-7f1a6e3ae000 ---p 00164000 fd:00 2805                       /lib64/libc-2.10.1.so
7f1a6e3ae000-7f1a6e3b2000 r--p 00164000 fd:00 2805                       /lib64/libc-2.10.1.so
7f1a6e3b2000-7f1a6e3b3000 rw-p 00168000 fd:00 2805                       /lib64/libc-2.10.1.so
7f1a6e3b3000-7f1a6e3b8000 rw-p 00000000 00:00 0 
7f1a6e3b8000-7f1a6e3d7000 r-xp 00000000 fd:00 10150                      /lib64/ld-2.10.1.so
7f1a6e5b3000-7f1a6e5b5000 rw-p 00000000 00:00 0 
7f1a6e5d3000-7f1a6e5d6000 rw-p 00000000 00:00 0 
7f1a6e5d6000-7f1a6e5d7000 r--p 0001e000 fd:00 10150                      /lib64/ld-2.10.1.so
7f1a6e5d7000-7f1a6e5d8000 rw-p 0001f000 fd:00 10150                      /lib64/ld-2.10.1.so
7fff3a70e000-7fff3a723000 rw-p 00000000 00:00 0                          [stack]
7fff3a7e0000-7fff3a7e1000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Expected results:
No errors

Additional info:
"cpio -o -0 -H newc" works fine
I have glibc-2.10.1-5.x86_64 and libgcc-4.4.1-2.fc11.x86_64 my system.

Comment 1 Ondrej Vasik 2009-11-29 19:14:13 UTC

Thanks for report, will check it.

Comment 2 Ondrej Vasik 2009-11-30 14:11:53 UTC

Bad luck, doesn't crash on my machine, could you please install cpio debuginfo package and post the backtrace again? It would be good to have all the symbols... I'll try to reproduce it elsewhere, but this could take some time.

Comment 3 Kamil Dudka 2009-11-30 21:35:07 UTC

Created attachment 374886 [details]
backtrace

Backtrace of the crash is pretty useless since it's full of <value optimized out>. So I tried to recompile cpio with -O0, but then it was no longer possible to reproduce the crash.

So I rebuild the sources with original cflags and, to my surprise, it also seemed to work, running through valgrind without any memory error detected. This means only the rebuild of cpio has resolved the problem on my box. I'll try to investigate it further.

Comment 4 Kamil Dudka 2009-11-30 21:49:30 UTC

... and now yet another surprise. I tried to rebuild it on Koji with/without optimization:

http://koji.fedoraproject.org/koji/taskinfo?taskID=1839121
http://koji.fedoraproject.org/koji/taskinfo?taskID=1839139

And the results are following:
1) the -O0 build from Koji works (zero errors reported by valgrind)
2) the -O2 build from Koji causes the stack overflow

Not yet tested if the results are random or reproducible ... however this looks like gcc/glibc stack protection magic to me.

Comment 5 Cristian Ciupitu 2009-12-01 10:41:24 UTC

(In reply to comment #3)
> Backtrace of the crash is pretty useless since it's full of <value optimized
> out>. 

Indeed. Here's an analysis of the core dumped when archiving revision 13673 of the repository:

$ gdb /bin/cpio core.18274
GNU gdb (GDB) Fedora (6.8.50.20090302-39.fc11)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib64/libc-2.10.1.so...Reading symbols from /usr/lib/debug/lib64/libc-2.10.1.so.debug...done.
done.
Loaded symbols for /lib64/libc-2.10.1.so
Reading symbols from /lib64/ld-2.10.1.so...Reading symbols from /usr/lib/debug/lib64/ld-2.10.1.so.debug...done.
done.
Loaded symbols for /lib64/ld-2.10.1.so
Reading symbols from /lib64/libgcc_s-4.4.1-20090729.so.1...Reading symbols from /usr/lib/debug/lib64/libgcc_s-4.4.1-20090729.so.1.debug...done.
done.
Loaded symbols for /lib64/libgcc_s-4.4.1-20090729.so.1
Core was generated by `cpio -o -0 -H ustar'.
Program terminated with signal 6, Aborted.
#0  0x00007f6b746f02f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) thread apply all bt full

Thread 1 (Thread 18274):
#0  0x00007f6b746f02f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007f6b746f1b20 in *__GI_abort () at abort.c:88
        act = {__sigaction_handler = {sa_handler = 0x300000009, sa_sigaction = 0x300000009}, sa_mask = {__val = {140733429945008, 140733429944864, 140733429945056, 140733429953195, 4, 140099492714028, 3, 140733429945066, 6,
              140099492714032, 2, 140733429945054, 2, 140099492705269, 1, 140099492714028}}, sa_flags = 3, sa_restorer = 0x7fff0e1992e4}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f6b7472d05d in __libc_message (do_abort=2,
    fmt=0x7fff0e199490 ' ' <repeats 11 times>, "/lib64/libc-2.10.1.so\n7f6b74a26000-7f6b74a2b000 rw-p 00000000 00:00 0 \n7f6b74a2b000-7f6b74a4a000 r-xp 00000000 fd:00 10150", ' ' <repeats 22 times>, "/lib64/ld-2.10.1.so\n7f6b74c26000-7f6b74c28000"...) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
        ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fff0e199bc0, reg_save_area = 0x7fff0e199ad0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff0e199bc0, reg_save_area = 0x7fff0e199ad0}}
        fd = 3
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = <value optimized out>
        cp = <value optimized out>
        written = 6
#3  0x00007f6b747b4797 in *__GI___fortify_fail (msg=0x7f6b747f1633 "buffer overflow detected") at fortify_fail.c:32
No locals.
#4  0x00007f6b747b27f0 in *__GI___chk_fail () at chk_fail.c:29
No locals.
#5  0x00007f6b747b1aab in __strncpy_chk (s1=0x0, s2=0x4762 <Address 0x4762 out of bounds>, n=6, s1len=18446744073709551615) at strncpy_chk.c:34
        c = <value optimized out>
#6  0x0000000000409cf4 in strncpy (__len=<value optimized out>, __src=<value optimized out>, __dest=<value optimized out>) at /usr/include/bits/string3.h:122
No locals.
#7  write_out_tar_header (__len=<value optimized out>, __src=<value optimized out>, __dest=<value optimized out>) at tar.c:220
        name = <value optimized out>
        name_len = <value optimized out>
        tar_rec = {header = {name = "./", '\0' <repeats 97 times>, mode = "0000775", uid = "0000764", gid = "0000764", size = '0' <repeats 11 times>, mtime = "11305167750", chksum = "\0\0\0\0\0\0\0", typeflag = 53 '5',
            linkname = '\0' <repeats 99 times>, magic = "ustar", version = "\0", uname = '\0' <repeats 31 times>, gname = '\0' <repeats 31 times>, devmajor = "\0\0\0\0\0\0\0", devminor = "\0\0\0\0\0\0\0",
            prefix = '\0' <repeats 154 times>},
          buffer = "./", '\0' <repeats 98 times>, "0000775\0\60\60\60\60\67\66\64\0\60\60\60\60\67\66\64\0", '0' <repeats 11 times>, "\0\61\61\63\60\65\61\66\67\67\65\60\0\0\0\0\0\0\0\0\0\65", '\0' <repeats 100 times>, "ustar", '\0' <repeats 249 times>}
#8  0x0000000000405f7a in write_out_header (file_hdr=0x7fff0e199fc0, out_des=1) at copyout.c:565
        dev = <value optimized out>
        rdev = <value optimized out>
#9  0x00000000004061be in process_copy_out () at copyout.c:800
        input_name = {ds_length = 128, ds_string = 0x13a9450 "./"}
        file_stat = {st_dev = 64769, st_ino = 34466625, st_nlink = 5, st_mode = 16893, st_uid = 500, st_gid = 500, __pad0 = 0, st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1259663693,
            tv_nsec = 208719983}, st_mtim = {tv_sec = 1259663336, tv_nsec = 738722501}, st_ctim = {tv_sec = 1259663336, tv_nsec = 738722501}, __unused = {0, 0, 0}}
        file_hdr = {c_magic = 29127, c_ino = 34466625, c_mode = 16893, c_uid = 500, c_gid = 500, c_nlink = 5, c_mtime = 1259663336, c_filesize = 0, c_dev_maj = 253, c_dev_min = 1, c_rdev_maj = 0, c_rdev_min = 0, c_namesize = 3,
          c_chksum = 0, c_name = 0x13a9450 "./", c_tar_linkname = 0x0}
        in_file_des = <value optimized out>
        out_file_des = 1
        orig_file_name = 0x13a94e0 "./"
#10 0x0000000000408a41 in main (argc=5, argv=0x7fff0e19a188) at main.c:797
No locals.
Current language:  auto; currently minimal

Comment 6 Ondrej Vasik 2009-12-01 11:20:29 UTC

aaah... I see... great, thanks a lot, that should be easy to fix...

Comment 7 Fedora Update System 2009-12-01 11:54:59 UTC

cpio-2.9.90-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cpio-2.9.90-6.fc11

Comment 8 Cristian Ciupitu 2009-12-01 13:17:13 UTC

The new version works fine. Thank you.

Comment 9 Fedora Update System 2009-12-02 04:25:00 UTC

cpio-2.9.90-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.