Hello,
Using cpio built with the ASAN sanitizer,
I have found a bug in main.c. If we run cpio with the
-A (append) flag on a file containing more than 512 bytes, and the -B flag,
which increases io_block_size up to 5120 bytes, we get a
heap-buffer-overflow (write) in the tape_fill_input_buffer function.
Here is the stack trace:
==2447234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x515000000280 at pc 0x5af9265863c9 bp 0x7ffd91e8b7f0 sp 0x7ffd91e8afc0
WRITE of size 531 at 0x515000000280 thread T0
#0 0x5af9265863c8 in read (/cpio/src/cpio+0xa33c8) (BuildId: b91b1f1caac2221373d3f91fe0d9a37f5baeac45)
#1 0x5af9266d7a46 in safe_read /cpio/gnu/safe-read.c:60:24
#2 0x5af9266839eb in tape_fill_input_buffer /cpio/src/util.c:200:16
#3 0x5af926683472 in tape_buffered_read /cpio/src/util.c:302:2
#4 0x5af92664c114 in read_in_header /cpio/src/copyin.c:1114:3
#5 0x5af92665279c in process_copy_in /cpio/src/copyin.c:1454:7
#6 0x5af926665adf in process_copy_out /cpio/src/copyout.c:628:7
#7 0x5af92667ab27 in main /cpio/src/main.c:800:3
#8 0x76e8e721809a in __libc_start_main /opt/build/glibc-2.28/csu/../csu/libc-start.c:308:16
#9 0x5af926568379 in _start (/cpio/src/cpio+0x85379) (BuildId: b91b1f1caac2221373d3f91fe0d9a37f5baeac45)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/cpio/src/cpio+0xa33c8) (BuildId: b91b1f1caac2221373d3f91fe0d9a37f5baeac45) in read
Steps to reproduce this error:
1. Build the project with AddressSanitizer
2. Create a file that contains more than 513 random characters,
like this:
python3 -c 'print("a"*513)' > crash.file
3. Run cpio as follows:
./cpio -oO ./crash.file -AB
4. You will get an ASAN report
Here is the diff that fixes the error:
diff --git a/src/main.c b/src/main.c
index 5e79ce5..657febf 100644
--- a/src/main.c
+++ b/src/main.c
@@ -760,7 +760,10 @@ initialize_buffers ()
}
else if (copy_function == process_copy_out)
{
-in_buf_size = DISK_IO_BLOCK_SIZE;
+if (!append_flag)
+in_buf_size = DISK_IO_BLOCK_SIZE;
+else
+in_buf_size = io_block_size;
out_buf_size = io_block_size;
}
else
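Review bot: the new else branch replaces DISK_IO_BLOCK_SIZE with io_block_size outright, so in append mode the input buffer becomes smaller than the 512 bytes the unpatched assignment shows copy-out expecting whenever io_block_size is set below DISK_IO_BLOCK_SIZE; unless every read into in_buf on the append path is bounded by io_block_size, size it as the larger of the two, e.g. `in_buf_size = io_block_size > DISK_IO_BLOCK_SIZE ? io_block_size : DISK_IO_BLOCK_SIZE;`. A short comment on why append mode needs the tape block size here (the existing archive is read back through tape_fill_input_buffer with io_block_size-sized reads, as the trace shows) would also help the next reader of initialize_buffers.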
I don't know whether this is the correct fix or not, but it works for me.
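The following is an added example, written by the editor and not code from cpio or from the report above. It models the buffer-sizing decision the report describes: in copy-out mode cpio allocates in_buf with DISK_IO_BLOCK_SIZE (512) bytes, but with -A the existing archive is read back through tape_fill_input_buffer in io_block_size-sized chunks, which -B raises to 5120. A bounded stand-in for the read shows which combinations overflow, and a third sizing policy (an assumption of this example, not something the report states) keeps the buffer at least DISK_IO_BLOCK_SIZE in case copy-out also performs disk-sized reads into it when io_block_size is set below 512. The 531-byte "archive" is constructed to match the WRITE size in the ASAN report.

```c
/* Added example: models cpio's in_buf sizing and the -A/-B overflow.
 * Not cpio's code; names mirror the report, the helpers are invented. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DISK_IO_BLOCK_SIZE 512   /* disk block size from the report */
#define BLOCK_SIZE_B       5120  /* what -B sets io_block_size to */

enum sizing { SIZING_ORIGINAL, SIZING_PATCH, SIZING_MAX };

/* Input-buffer size for copy-out mode under each sizing policy. */
static size_t choose_in_buf_size(enum sizing policy, int append_flag,
                                 size_t io_block_size)
{
  switch (policy) {
  case SIZING_ORIGINAL:            /* unpatched initialize_buffers() */
    return DISK_IO_BLOCK_SIZE;
  case SIZING_PATCH:               /* the diff posted in the report */
    return append_flag ? io_block_size : DISK_IO_BLOCK_SIZE;
  case SIZING_MAX:
    /* Assumption of this example: copy-out may still do
       DISK_IO_BLOCK_SIZE-sized disk reads into the same buffer,
       so never shrink below it (matters if io_block_size < 512). */
    if (!append_flag)
      return DISK_IO_BLOCK_SIZE;
    return io_block_size > DISK_IO_BLOCK_SIZE ? io_block_size
                                              : DISK_IO_BLOCK_SIZE;
  }
  return DISK_IO_BLOCK_SIZE;
}

/* Bounded stand-in for tape_fill_input_buffer(): copy up to num_bytes
 * of the archive into in_buf. Returns bytes copied, or -1 when the
 * request exceeds in_buf_size, the condition ASAN reported as a
 * heap-buffer-overflow write. */
static long fill_input_buffer(char *in_buf, size_t in_buf_size,
                              const char *archive, size_t archive_len,
                              size_t num_bytes)
{
  size_t avail = num_bytes < archive_len ? num_bytes : archive_len;
  if (avail > in_buf_size)
    return -1;
  memcpy(in_buf, archive, avail);
  return (long) avail;
}

/* Simulate "cpio -oA" with an existing archive of archive_len bytes:
 * size the buffer with the given policy, then read one io_block_size
 * chunk of the archive through it. Returns the read result. */
static long simulate_append(enum sizing policy, size_t io_block_size,
                            size_t archive_len)
{
  size_t in_buf_size = choose_in_buf_size(policy, 1, io_block_size);
  char *in_buf = malloc(in_buf_size);
  char *archive = malloc(archive_len);
  long n;

  if (!in_buf || !archive) {
    free(in_buf);
    free(archive);
    return -2;
  }
  memset(archive, 'a', archive_len);   /* constructed stand-in archive */
  n = fill_input_buffer(in_buf, in_buf_size, archive, archive_len,
                        io_block_size);
  free(archive);
  free(in_buf);
  return n;
}

int main(void)
{
  /* -AB against a 531-byte archive: unpatched overflows, patched fits. */
  printf("original, -B: %ld\n", simulate_append(SIZING_ORIGINAL, BLOCK_SIZE_B, 531));
  printf("patched,  -B: %ld\n", simulate_append(SIZING_PATCH, BLOCK_SIZE_B, 531));
  /* Without -B the 512-byte read never exceeds the 512-byte buffer. */
  printf("original, no -B: %ld\n", simulate_append(SIZING_ORIGINAL, DISK_IO_BLOCK_SIZE, 531));
  /* Patched sizing follows io_block_size even below 512; max keeps 512. */
  printf("patched,  io=100: %zu\n", choose_in_buf_size(SIZING_PATCH, 1, 100));
  printf("max,      io=100: %zu\n", choose_in_buf_size(SIZING_MAX, 1, 100));
  return 0;
}
```

The bounded helper returns -1 where the real code writes past the heap allocation, so the model can be checked without ASAN. The SIZING_MAX policy is the variant a reviewer would ask about: it covers the reported -B case the same way the posted diff does, while refusing to hand out a buffer smaller than the disk block size.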
