On Tuesday 02 of December 2014 11:39:30 Sergey Poznyakoff wrote:
> Pavel Raiskup <[email protected]> wrote:
>
> > Thanks for fixing! Just a nit:
>
> Yes, of course.
There is still one new NULL pointer dereference. Also, get_link_name does
not guarantee only the two possibilities "successful read of the symlink
name and seek the archive properly OR exit_failure", so cpio is
potentially unable to recover.
See the bt:
(gdb) run -idv < lesspipe-cpio-bad-write.cpio
Starting program: /home/praiskup/cpio/src/cpio -idv < lesspipe-cpio-bad-write.cpio
Missing separate debuginfos, use: debuginfo-install glibc-2.20-5.fc21.i686
/home/praiskup/cpio/src/cpio: hello: stored filename length is out of range
Program received signal SIGSEGV, Segmentation fault.
0x0805db58 in quotearg_buffer_restyled (buffer=0x806d040 <slot0> "",
buffersize=256, arg=0x0, argsize=4294967295,
quoting_style=literal_quoting_style, flags=1, quote_these_too=0xbffff378,
left_quote=0x0, right_quote=0x0)
at quotearg.c:345
345 for (i = 0; ! (argsize == SIZE_MAX ? arg[i] == '\0' : i == argsize); i++)
(gdb) bt
#0 0x0805db58 in quotearg_buffer_restyled (buffer=0x806d040 <slot0> "",
buffersize=256, arg=0x0, argsize=4294967295,
quoting_style=literal_quoting_style, flags=1, quote_these_too=0xbffff378,
left_quote=0x0, right_quote=0x0)
at quotearg.c:345
#1 0x0805df66 in quotearg_n_options (n=0, arg=0x0, argsize=4294967295,
options=0xbffff370) at quotearg.c:804
#2 0x0805e1ad in quotearg_char_mem (arg=0x0, argsize=4294967295, ch=58 ':')
at quotearg.c:884
#3 0x0805e1d0 in quotearg_char (arg=0x0, ch=58 ':') at quotearg.c:890
#4 0x0805e1e8 in quotearg_colon (arg=0x0) at quotearg.c:896
#5 0x0804b548 in copyin_link (file_hdr=0xbffff488, in_file_des=0) at copyin.c:680
#6 0x0804b6da in copyin_file (file_hdr=0xbffff488, in_file_des=0) at copyin.c:729
#7 0x0804ceeb in process_copy_in () at copyin.c:1480
#8 0x08051527 in main (argc=2, argv=0xbffff624) at main.c:788
Note also that I had to install the attached fix for the testsuite, as
the actual CVE fix causes different errors on different architectures.
The tested scenario is also too non-deterministic.
Pavel
From e022b387c573715869621480091262ef09a5a474 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <[email protected]>
Date: Thu, 11 Dec 2014 08:26:32 +0100
Subject: [PATCH] testsuite: cover architecture differences
* tests/symlink-bad-length.at: Handle timezone hard-wired in
archive. Cover all possible error outputs depending on
architecture, memory, etc.
---
tests/symlink-bad-length.at | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
index cbf4aa7..d8d250b 100644
--- a/tests/symlink-bad-length.at
+++ b/tests/symlink-bad-length.at
@@ -37,13 +37,20 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AT_CHECK([
base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
-cpio -ntv < ARCHIVE
-test $? -eq 2
+TZ=UTC cpio -ntv < ARCHIVE 2>stderr
+rc=$?
+cat stderr | grep -v \
+ -e 'stored filename length is out of range' \
+ -e 'premature end of file' \
+ -e 'archive header has reverse byte-order' \
+ -e 'memory exhausted' \
+ >&2
+echo >&2 STDERR
+test "$rc" -ne 0
],
[0],
-[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
-],[cpio: LINK: stored filename length is out of range
-cpio: premature end of file
+[-rw-rw-r-- 1 10029 10031 13 Nov 25 11:52 FILE
+],[STDERR
])
AT_CLEANUP
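Review bot: the new final assertion 'test "$rc" -ne 0' accepts any non-zero exit status, including the 128+signal status the shell reports when cpio is killed by SIGSEGV, so this test would still pass on exactly the crash shown in the backtrace earlier in this thread; the removed 'test $? -eq 2' at least pinned the status. Keeping the looser stderr filtering is fine (any message not matched by the grep -v list still ends up in the diff against "STDERR" and fails the check), but the status should stay tight, e.g. 'test "$rc" -eq 2', or at minimum 'test "$rc" -ne 0 && test "$rc" -lt 128' so a signal death is never treated as a clean error exit. Minor: 'cat stderr | grep -v ...' can be 'grep -v ... stderr >&2'; grep's own exit status (1 when every line is filtered out) is correctly not used as the test result here, which is worth a one-line comment in the test so nobody later "fixes" it with set -e semantics.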
--
1.9.3
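The backtrace above shows copyin_link handing a NULL link name to quotearg_colon after "stored filename length is out of range" was reported, i.e. the reader failed but the caller kept going with an uninitialised result. The following is an added, deliberately simplified C model of that failure mode and of the caller-side check that prevents it; it is not cpio code. The struct link_record, MAX_LINK_LEN, read_link_name and copyin_link_checked are hypothetical names and shapes chosen for the illustration, and the sample records are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not cpio's own code: an archive record carries a
   stored link-name length that comes straight from untrusted input. */

#define MAX_LINK_LEN 4096u   /* assumed bound for the example, not cpio's */

struct link_record {
    const char *file_name;     /* header filename; known even on failure */
    const unsigned char *data; /* archive bytes following the header */
    size_t avail;              /* how many of those bytes are present */
    uint32_t stored_len;       /* link-name length field from the header */
};

/* Read the link target. Returns a malloc'ed NUL-terminated string, or
   NULL with *err pointing at a static message. Every failure path yields
   exactly NULL plus a message, so the caller has one thing to check. */
static char *read_link_name(const struct link_record *rec, const char **err)
{
    *err = NULL;
    if (rec->stored_len > MAX_LINK_LEN) {
        *err = "stored filename length is out of range";
        return NULL;
    }
    if ((size_t)rec->stored_len > rec->avail) {
        *err = "premature end of file";
        return NULL;
    }
    char *name = malloc((size_t)rec->stored_len + 1);
    if (name == NULL) {
        *err = "memory exhausted";
        return NULL;
    }
    memcpy(name, rec->data, rec->stored_len);
    name[rec->stored_len] = '\0';
    return name;
}

/* Caller. On failure the diagnostic is built from the header filename,
   which is always available, never from the (NULL) link name. Returns 0
   and hands back the name on success, -1 with diag filled in otherwise. */
static int copyin_link_checked(const struct link_record *rec,
                               char **name_out, char *diag, size_t diag_sz)
{
    const char *err;
    char *name = read_link_name(rec, &err);
    if (name == NULL) {
        /* The backtrace shows the unchecked variant of this point: the
           NULL was passed on to the quoting helper, which walked it. */
        snprintf(diag, diag_sz, "%s: %s", rec->file_name, err);
        *name_out = NULL;
        return -1;
    }
    *name_out = name;
    diag[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed samples: a consistent record, an absurd length field,
       and a record whose data is shorter than the length claims. */
    const unsigned char bytes[] = "target";
    struct link_record ok        = { "hello", bytes, 6, 6 };
    struct link_record bad_len   = { "hello", bytes, 6, 0xFFFFFFFFu };
    struct link_record truncated = { "hello", bytes, 3, 6 };
    const struct link_record *recs[] = { &ok, &bad_len, &truncated };

    char diag[128];
    char *name;
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        if (copyin_link_checked(recs[i], &name, diag, sizeof diag) == 0) {
            printf("ok: %s -> %s\n", recs[i]->file_name, name);
            free(name);
        } else {
            printf("error: %s\n", diag);
        }
    }
    return 0;
}
```

The point of the split is that read_link_name has a single failure contract (NULL plus a message) and the caller treats NULL as terminal for this entry, so an out-of-range length field becomes a reported error rather than a pointer that later code dereferences.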