tar segfaults (busybox 1.8.1)
Tito
farmatito at tiscali.it
Fri Nov 16 19:38:10 UTC 2007
On Friday 16 November 2007 19:48:08 Denys Vlasenko wrote:
> On Friday 16 November 2007 05:19, Tito wrote:
> > On Friday 16 November 2007 13:34:25 Alexander Griesser wrote:
> > > tuxx at vi-edv003:~/busybox/busybox-1.8.1$ ./busybox tar cf test.tar a s d
> > > *** buffer overflow detected ***: ./busybox terminated
> > Hi,
> > by compiling the latest svn I get this warning:
> >
> > CC archival/tar.o
> > archival/tar.c: In function ‘writeFileToTarball’:
> > archival/tar.c:183: warning: call to __builtin___strcpy_chk will always overflow destination buffer
> > AR archival/lib.a
> > LINK busybox_unstripped
> > Trying libraries: crypt m
> > Library crypt is needed
> > Library m is needed
> > Final link with: crypt m
> >
> >
> > and after changing the line 183 of tar.c
> >
> > - strcpy(hp->magic, "ustar ");
> > + strcpy(hp->magic, "ustar");
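Review bot: dropping the trailing space removes the byte that overflowed, but this hunk leaves the header in neither of the two documented forms. strcpy(hp->magic, "ustar ") writes seven bytes (six characters plus the terminating NUL) into char magic[6], so the NUL lands in the adjacent version field; that is exactly what the "__builtin___strcpy_chk will always overflow destination buffer" warning reports, and it is correct even though the byte stays inside the struct. After the change, magic holds "ustar" plus NUL while the hunk does not set version at all, which matches neither the GNU form shown in the od dump below ("ustar" followed by two spaces and a NUL) nor the POSIX form ("ustar" NUL with version "00"). Suggest writing both fields explicitly with their sizes, e.g. memcpy(hp->magic, "ustar ", 6); memcpy(hp->version, " \0", 2); for GNU-style output, or setting version to "00" if POSIX output is acceptable.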
>
> This was intended:
>
> http://en.wikipedia.org/wiki/Tar_(file_format)
>
> USTAR format
>
> Most modern tar programs read and write archives in the new USTAR (Uniform
> Standard Tape Archive) format...
>
> Field Offset  Field Size  Field
> 0             156         (as in old format)
> 156           1           Type flag
> 157           100         (as in old format)
> 257           6           USTAR indicator "ustar"
> 263           2           USTAR version "00"
> 265           32          Owner user name
> 297           32          Owner group name
> 329           8           Device major number
> 337           8           Device minor number
> 345           155         Filename prefix
>
> Example
>
> The example below shows the ASCII dump of a header block from a tar file
> created using the GNU tar program. It was dumped with the od program.
> The "ustar" magic string followed by two spaces can be seen, meaning that the
> tar file is in GNU format, partially incompatible with the true USTAR
> standard (in POSIX.1-1988), which has the signature "ustar" followed by a NUL
> character.
>
> 0000000 e t c / p a s s w d nul nul nul nul nul nul
> 0000020 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
> *
> 0000140 nul nul nul nul 0 1 0 0 6 4 4 nul 0 0 0 0
> 0000160 0 0 0 nul 0 0 0 0 0 0 0 nul 0 0 0 0
> 0000200 0 0 4 1 3 5 5 nul 1 0 1 5 5 0 6 1
> 0000220 1 0 5 nul 0 1 1 5 5 6 nul sp 0 nul nul nul
> 0000240 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
> *
> 0000400 nul u s t a r sp sp nul r o o t nul nul nul
> 0000420 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
> 0000440 nul nul nul nul nul nul nul nul nul r o o t nul nul nul
> 0000460 nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul nul
> *
> 0001000
>
>
> > there is no segfault due to the fact
>
> Well, it's not a segfault, it's some kind of glibc buffer overflow check
>
> > that the size of hp->magic is
> >
> > char magic[6]; /* 257-262 */
>
> it is immediately followed by char version[2].
> I cannot imagine how in hell glibc detects "buffer overflow" which is not
> really there.
>
> > root at localhost:~/Desktop/busybox# touch a s d
> > root at localhost:~/Desktop/busybox# ./busybox tar cf test.tar a s d
> > root at localhost:~/Desktop/busybox# ls -la test.tar
> > -rw-r--r-- 1 root root 2560 2007-11-16 14:15 test.tar
> >
> >
> > I cannot say if this fix is correct or if maybe it should be
> > done the other way by increasing the size of char magic
> > to 8.
>
> Yes, I think we can get rid of char version[2] and grow magic to 8 bytes
>
> But, Alexander, can you confirm that replacing "ustar " with "ustar"
> *really* makes it go away? This is unbelievable.
> --
> vda
>
Hi,
maybe then:
strcpy(hp->magic, "ustar");
strcpy(hp->version, " ");
could be a more pragmatic solution?
Ciao,
Tito
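A small C illustration of the layout this thread turns on, added here and not code from the thread or from busybox: the header struct is condensed to the magic/version adjacency at offsets 257 and 263, the flavour names (TAR_GNU, TAR_POSIX, TAR_BARE) are my own, and the field stamping uses memcpy with explicit sizes instead of strcpy so no NUL can cross into the neighbouring field.

```c
#include <string.h>

/* 512-byte tar header, condensed to the fields the thread is about: magic
 * at offset 257 is immediately followed by version at 263 (see the field
 * table quoted above); the other fields are kept as opaque padding. */
struct tar_header {
    char head[257];   /* name .. linkname, offsets 0-256 */
    char magic[6];    /* 257-262 */
    char version[2];  /* 263-264 */
    char tail[247];   /* uname .. prefix and padding, 265-511 */
};

/* TAR_BARE is the thread's one-line fix: "ustar" in magic, version untouched. */
enum tar_flavor { TAR_UNKNOWN = 0, TAR_GNU = 1, TAR_POSIX = 2, TAR_BARE = 3 };

/* strcpy(hp->magic, "ustar ") writes 7 bytes (6 chars plus NUL) into the
 * 6-byte magic, so the NUL lands in version[0]; that is the overflow glibc's
 * fortified strcpy reports. memcpy with the field sizes never crosses it. */
void tar_set_magic(struct tar_header *hp, enum tar_flavor f)
{
    if (f == TAR_GNU) {                 /* "ustar  \0", as in the od dump */
        memcpy(hp->magic, "ustar ", 6);
        memcpy(hp->version, " \0", 2);
    } else if (f == TAR_POSIX) {        /* POSIX.1-1988: "ustar\0" + "00" */
        memcpy(hp->magic, "ustar\0", 6);
        memcpy(hp->version, "00", 2);
    } else {                            /* TAR_BARE: the bytes strcpy("ustar") leaves */
        memcpy(hp->magic, "ustar\0", 6);
    }
}

/* Classify a header by its 8-byte magic+version region. */
enum tar_flavor tar_flavor_of(const struct tar_header *hp)
{
    if (!memcmp(hp->magic, "ustar ", 6) && !memcmp(hp->version, " \0", 2))
        return TAR_GNU;
    if (!memcmp(hp->magic, "ustar\0", 6) && !memcmp(hp->version, "00", 2))
        return TAR_POSIX;
    return TAR_UNKNOWN;   /* neither form, e.g. "ustar\0" with version zeroed */
}

/* Zero a header, stamp the given flavour, classify it back. */
enum tar_flavor tar_roundtrip(enum tar_flavor f)
{
    struct tar_header h;
    memset(&h, 0, sizeof h);
    tar_set_magic(&h, f);
    return tar_flavor_of(&h);
}
```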