tar segfaults (busybox 1.8.1)
Denys Vlasenko
vda.linux at googlemail.com
Fri Nov 16 18:48:08 UTC 2007
On Friday 16 November 2007 05:19, Tito wrote:
> On Friday 16 November 2007 13:34:25 Alexander Griesser wrote:
> > tuxx at vi-edv003:~/busybox/busybox-1.8.1$ ./busybox tar cf test.tar a s d
> > *** buffer overflow detected ***: ./busybox terminated
> Hi,
> by compiling the latest svn i get this warning:
>
> CC archival/tar.o
> archival/tar.c: In function ‘writeFileToTarball’:
> archival/tar.c:183: warning: call to __builtin___strcpy_chk will always overflow destination buffer
> AR archival/lib.a
> LINK busybox_unstripped
> Trying libraries: crypt m
> Library crypt is needed
> Library m is needed
> Final link with: crypt m
>
>
> and after changing the line 183 of tar.c
>
> - strcpy(hp->magic, "ustar ");
> + strcpy(hp->magic, "ustar");
This was intended:
http://en.wikipedia.org/wiki/Tar_(file_format)
USTAR format
Most modern tar programs read and write archives in the new USTAR (Uniform
Standard Tape Archive) format...
Field Offset  Field Size  Field
0             156         (as in old format)
156           1           Type flag
157           100         (as in old format)
257           6           USTAR indicator "ustar"
263           2           USTAR version "00"
265           32          Owner user name
297           32          Owner group name
329           8           Device major number
337           8           Device minor number
345           155         Filename prefix
Example
The example below shows the ASCII dump of a header block from a tar file
created using the GNU tar program. It was dumped with the od program.
The "ustar" magic string followed by two spaces can be seen, meaning that the
tar file is in GNU format, partially incompatible with the true USTAR
standard (in POSIX.1-1988), which has the signature "ustar" followed by a NUL
character.
0000000 e t c / p a s s w d nul nul nul nul nul nul
0000020 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
*
0000140 nul nul nul nul 0 1 0 0 6 4 4 nul 0 0 0 0
0000160 0 0 0 nul 0 0 0 0 0 0 0 nul 0 0 0 0
0000200 0 0 4 1 3 5 5 nul 1 0 1 5 5 0 6 1
0000220 1 0 5 nul 0 1 1 5 5 6 nul sp 0 nul nul nul
0000240 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
*
0000400 nul u s t a r sp sp nul r o o t nul nul nul
0000420 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
0000440 nul nul nul nul nul nul nul nul nul r o o t nul nul nul
0000460 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
*
0001000
> there is no segfault due to the fact
Well, it's not a segfault, it's some kind of glibc buffer overflow check
> that the size of hp->magic is
>
> char magic[6]; /* 257-262 */
it is immediately followed by char version[2].
I cannot imagine how in hell glibc detects "buffer overflow" which is not
really there.
> root at localhost:~/Desktop/busybox# touch a s d
> root at localhost:~/Desktop/busybox# ./busybox tar cf test.tar a s d
> root at localhost:~/Desktop/busybox# ls -la test.tar
> -rw-r--r-- 1 root root 2560 2007-11-16 14:15 test.tar
>
>
> I cannot say if this fix is correct or if maybe it should be
> done the other way by increasing the size of char magic
> to 8.
Yes, I think we can get rid of char version[2] and grow magic to 8 bytes.
But, Alexander, can you confirm that replacing "ustar " with "ustar"
*really* makes it go away? This is unbelievable.
--
vda
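As an added example (not busybox code, and not written by anyone in this thread), here is the header layout under discussion as a C struct, the two magic/version conventions written with memcpy of exact field sizes instead of a strcpy that is one byte too long, and a small parser that tells a POSIX ustar block from a GNU one by the 8 bytes at offset 257. glibc's fortified strcpy (`__builtin___strcpy_chk`, enabled by `_FORTIFY_SOURCE`) sizes the destination as the member `hp->magic` alone, 6 bytes, so a 7-byte copy of "ustar " plus its NUL is reported even though the extra byte only lands in the adjacent `version[2]`. The struct offsets are taken from the table quoted above; the sample header built in `main` is constructed here and is not the file from the od dump.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* USTAR header block, field sizes and offsets as in the table quoted above.
 * All members are char arrays, so the struct has no padding and is 512 bytes. */
struct tar_header {
    char name[100];     /*   0 */
    char mode[8];       /* 100 */
    char uid[8];        /* 108 */
    char gid[8];        /* 116 */
    char size[12];      /* 124 */
    char mtime[12];     /* 136 */
    char chksum[8];     /* 148 */
    char typeflag;      /* 156 */
    char linkname[100]; /* 157 */
    char magic[6];      /* 257  "ustar" */
    char version[2];    /* 263  "00" (POSIX) or " \0" (GNU) */
    char uname[32];     /* 265 */
    char gname[32];     /* 297 */
    char devmajor[8];   /* 329 */
    char devminor[8];   /* 337 */
    char prefix[155];   /* 345 */
    char pad[12];       /* 500, padding up to the 512-byte block */
};

enum tar_magic { TAR_OLD_V7, TAR_POSIX_USTAR, TAR_GNU, TAR_UNKNOWN };

/* The 8 bytes at offset 257 (magic + version) for the two variants. */
static const unsigned char POSIX_MAGIC[8] = { 'u','s','t','a','r',0,'0','0' };
static const unsigned char GNU_MAGIC[8]   = { 'u','s','t','a','r',' ',' ',0 };

/* Sanity check of the layout: the offsets the thread argues about. */
static int header_layout_ok(void)
{
    return sizeof(struct tar_header) == 512
        && offsetof(struct tar_header, magic) == 257
        && offsetof(struct tar_header, version) == 263
        && offsetof(struct tar_header, uname) == 265;
}

/* Write magic+version with memcpy of exactly the field sizes, so no
 * 7-byte strcpy spills out of the 6-byte magic[] into version[]. */
static void set_magic_gnu(struct tar_header *hp)
{
    memcpy(hp->magic, GNU_MAGIC, 6);       /* "ustar" + space */
    memcpy(hp->version, GNU_MAGIC + 6, 2); /* space + NUL     */
}

static void set_magic_posix(struct tar_header *hp)
{
    memcpy(hp->magic, POSIX_MAGIC, 6);       /* "ustar" + NUL */
    memcpy(hp->version, POSIX_MAGIC + 6, 2); /* "00"          */
}

/* Classify a 512-byte header block by the 8 bytes at offset 257. */
static enum tar_magic classify_magic(const unsigned char *block)
{
    const unsigned char *m = block + 257;
    if (memcmp(m, POSIX_MAGIC, 8) == 0) return TAR_POSIX_USTAR;
    if (memcmp(m, GNU_MAGIC, 8) == 0)   return TAR_GNU;
    for (int i = 0; i < 8; i++)
        if (m[i] != 0) return TAR_UNKNOWN;
    return TAR_OLD_V7;  /* pre-USTAR headers leave these bytes NUL */
}

/* Header checksum: sum of all 512 bytes with chksum[] counted as 8 spaces. */
static unsigned compute_checksum(const struct tar_header *hp)
{
    const unsigned char *p = (const unsigned char *)hp;
    size_t cs = offsetof(struct tar_header, chksum);
    unsigned sum = 0;
    for (size_t i = 0; i < sizeof *hp; i++)
        sum += (i >= cs && i < cs + 8) ? (unsigned char)' ' : p[i];
    return sum;
}

/* Parse the stored checksum (6 octal digits, NUL, space) and compare. */
static int checksum_valid(const struct tar_header *hp)
{
    char buf[7];
    memcpy(buf, hp->chksum, 6);
    buf[6] = '\0';
    return strtoul(buf, NULL, 8) == compute_checksum(hp);
}

/* Build a header for an empty regular file with GNU-style magic, the
 * variant the od dump above shows. Numeric fields are zero-padded octal.
 * Constructed sample data, not taken from any real archive. */
static void build_empty_file_header(struct tar_header *hp, const char *name)
{
    char tmp[16];
    memset(hp, 0, sizeof *hp);
    snprintf(hp->name, sizeof hp->name, "%s", name);
    memcpy(hp->mode,  "0000644", 8);
    memcpy(hp->uid,   "0000000", 8);
    memcpy(hp->gid,   "0000000", 8);
    memcpy(hp->size,  "00000000000", 12);
    memcpy(hp->mtime, "00000000000", 12);
    hp->typeflag = '0';
    memcpy(hp->uname, "root", 5);
    memcpy(hp->gname, "root", 5);
    set_magic_gnu(hp);
    snprintf(tmp, sizeof tmp, "%06o", compute_checksum(hp));
    memcpy(hp->chksum, tmp, 7);  /* 6 digits + NUL */
    hp->chksum[7] = ' ';         /* GNU/ustar style: "%06o\0 " */
}

int main(void)
{
    struct tar_header h;
    build_empty_file_header(&h, "a");
    printf("layout ok: %d, magic class: %d, checksum ok: %d\n",
           header_layout_ok(), classify_magic((const unsigned char *)&h),
           checksum_valid(&h));
    return 0;
}
```

The point to take from `set_magic_gnu` is that the field sizes, not the string literal, drive the copy: the space after "ustar" and the version bytes are written separately, so the compiler's per-member object size and the bytes actually written agree.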