out-of-bounds read in get_header_ar()

Christoph Biedl busybox.cskc at manchmal.in-ulm.de
Sun Nov 19 22:56:27 UTC 2017


Hello,

the following issue was reported in Debian, I can confirm this still
exists in the latest commit a07fead:

----- Forwarded message from Jakub Wilk <jwilk at jwilk.net> -----

Date: Sun, 19 Nov 2017 22:30:27 +0100
From: Jakub Wilk <jwilk at jwilk.net>
To: submit at bugs.debian.org
Subject: Bug#882175: busybox: out-of-bounds read in get_header_ar()

Package: busybox
Version: 1:1.27.2-1

Apparently an out-of-bounds read can happen when unpacking ar archives:

  $ valgrind -q -- busybox ar p oob.ar > /dev/null
  ==2180== Invalid read of size 1
  ==2180==    at 0x4831403: __GI_strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==2180==    by 0x48B9F5A: strdup (strdup.c:41)
  ==2180==    by 0x1108BC: xstrdup (xfuncs_printf.c:81)
  ==2180==    by 0x15C560: get_header_ar (get_header_ar.c:116)
  ==2180==    by 0x15C26F: unpack_ar_archive (unpack_ar_archive.c:20)
  ==2180==    by 0x14D956: ar_main (ar.c:291)
  ==2180==    by 0x10F788: run_applet_no_and_exit (appletlib.c:916)
  ==2180==    by 0x10FA50: run_applet_and_exit (appletlib.c:934)
  ==2180==    by 0x10FA38: busybox_main (appletlib.c:875)
  ==2180==    by 0x10FA38: run_applet_and_exit (appletlib.c:927)
  ==2180==    by 0x10FADC: main (appletlib.c:1032)
  ==2180==  Address 0x4a0715c is 0 bytes after a block of size 4 alloc'd
  ==2180==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==2180==    by 0x110847: xmalloc (xfuncs_printf.c:47)
  ==2180==    by 0x15C4A0: get_header_ar (get_header_ar.c:86)
  ==2180==    by 0x15C26F: unpack_ar_archive (unpack_ar_archive.c:20)
  ==2180==    by 0x14D956: ar_main (ar.c:291)
  ==2180==    by 0x10F788: run_applet_no_and_exit (appletlib.c:916)
  ==2180==    by 0x10FA50: run_applet_and_exit (appletlib.c:934)
  ==2180==    by 0x10FA38: busybox_main (appletlib.c:875)
  ==2180==    by 0x10FA38: run_applet_and_exit (appletlib.c:927)
  ==2180==    by 0x10FADC: main (appletlib.c:1032)
  ...

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Architecture: i386

Versions of packages busybox depends on:
ii  libc6  2.25-1

-- 
Jakub Wilk



----- End forwarded message -----

-------------- next part --------------
!<arch>//00000000000000000000000000000000000000000000004 00000000`
00000000000000000000000000000000000000000000000000004 00000000`
0000/00000 000000000000000000000000000000000000000000000000000`
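Added example, not BusyBox's get_header_ar() and not code from either reporter: a minimal walker over ar(1) member headers that resolves GNU "//" long-name references. The valgrind trace above shows strlen() running off the end of a 4-byte heap block allocated earlier in get_header_ar(), which is consistent with a long-name table that carries no terminator; the attached reproducer has a "//" member of size 4. The walker below shows the two checks that keep such a lookup bounded: the table is copied into a buffer one byte larger than its declared size so a NUL always exists at table[size], and a "/offset" at or beyond the table size is rejected before any pointer into the table is formed. All names (ar_first_long_name, put_member, the demo_* functions) and the three archives are constructed for this example; the second archive is only shaped like the attachment, not byte-identical to it.

```c
/* Added example: bounded resolution of GNU long names in ar archives. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AR_MAGIC     "!<arch>\n"
#define AR_MAGIC_LEN 8
#define AR_HDR_LEN   60

/* On-disk member header: ASCII fields, space padded, not NUL terminated. */
struct ar_hdr {
    char name[16];
    char date[12];
    char uid[6];
    char gid[6];
    char mode[8];
    char size[10];
    char fmag[2];          /* "`\n" */
};

/* Decode a space-padded decimal field; -1 if it holds no digits. */
static long ar_num(const char *f, size_t n)
{
    char tmp[16], *end;
    memcpy(tmp, f, n);
    tmp[n] = '\0';
    long v = strtol(tmp, &end, 10);
    return end == tmp ? -1 : v;
}

/* Resolve the name of the first member whose name is "/<offset>" into the
 * GNU "//" table. Returns 0 on success, -1 for bad magic/header, -2 when a
 * member size exceeds the remaining data, -3 when the offset is not inside
 * a previously seen table. */
int ar_first_long_name(const unsigned char *ar, size_t len, char *out, size_t outlen)
{
    char *table = NULL;
    size_t table_len = 0, pos = AR_MAGIC_LEN;
    int rc = -1;

    if (len < AR_MAGIC_LEN || memcmp(ar, AR_MAGIC, AR_MAGIC_LEN) != 0)
        return -1;

    while (pos + AR_HDR_LEN <= len) {
        struct ar_hdr h;
        memcpy(&h, ar + pos, AR_HDR_LEN);
        long size = ar_num(h.size, sizeof h.size);
        pos += AR_HDR_LEN;

        if (memcmp(h.fmag, "`\n", 2) != 0 || size < 0) { rc = -1; break; }
        if ((size_t)size > len - pos) { rc = -2; break; }   /* size field lies */

        if (h.name[0] == '/' && h.name[1] == '/') {
            /* Long-name table: one extra byte guarantees a terminator even
             * when the archive omits the trailing "/\n" (the unterminated
             * case a plain strdup() of table+offset would walk past). */
            free(table);
            table = malloc((size_t)size + 1);
            if (!table) { rc = -1; break; }
            memcpy(table, ar + pos, (size_t)size);
            table[size] = '\0';
            table_len = (size_t)size;
        } else if (h.name[0] == '/' && h.name[1] >= '0' && h.name[1] <= '9') {
            long off = ar_num(h.name + 1, sizeof h.name - 1);
            /* An offset at or past the table would start outside the block. */
            if (!table || off < 0 || (size_t)off >= table_len) { rc = -3; break; }
            /* GNU entries end in "/\n"; stop there, at the NUL, or at outlen-1. */
            size_t n = 0;
            while (n + 1 < outlen && table[off + n] != '\0'
                   && table[off + n] != '/' && table[off + n] != '\n') {
                out[n] = table[off + n];
                n++;
            }
            out[n] = '\0';
            rc = 0;
            break;
        }
        pos += (size_t)size + ((size_t)size & 1);   /* member data is padded to even length */
    }
    free(table);
    return rc;
}

/* Write one member (header + data + pad) into dst; unused header fields are
 * filled with '0' like the attached reproducer. Returns bytes written. */
static size_t put_member(unsigned char *dst, const char *name, const void *data, size_t size)
{
    struct ar_hdr h;
    char tmp[11];
    memset(&h, '0', sizeof h);
    memset(h.name, ' ', sizeof h.name);
    memcpy(h.name, name, strlen(name));
    snprintf(tmp, sizeof tmp, "%-10zu", size);
    memcpy(h.size, tmp, sizeof h.size);
    memcpy(h.fmag, "`\n", 2);
    memcpy(dst, &h, AR_HDR_LEN);
    memcpy(dst + AR_HDR_LEN, data, size);
    if (size & 1) dst[AR_HDR_LEN + size] = '\n';
    return AR_HDR_LEN + size + (size & 1);
}

/* Constructed input 1: well-formed table "hello.txt/\n" and a "/0" member. */
int demo_well_formed(char *out, size_t outlen)
{
    unsigned char ar[256];
    size_t n = AR_MAGIC_LEN;
    memcpy(ar, AR_MAGIC, AR_MAGIC_LEN);
    n += put_member(ar + n, "//", "hello.txt/\n", 11);
    n += put_member(ar + n, "/0", "abc", 3);
    return ar_first_long_name(ar, n, out, outlen);     /* 0, out = "hello.txt" */
}

/* Constructed input 2, shaped like the attachment: a 4-byte table with no
 * terminator, then "/0". The name stops at the guard NUL instead of running
 * past the 4-byte block. */
int demo_unterminated_table(char *out, size_t outlen)
{
    unsigned char ar[256];
    size_t n = AR_MAGIC_LEN;
    memcpy(ar, AR_MAGIC, AR_MAGIC_LEN);
    n += put_member(ar + n, "//", "0000", 4);
    n += put_member(ar + n, "/0", "", 0);
    return ar_first_long_name(ar, n, out, outlen);     /* 0, out = "0000" */
}

/* Constructed input 3: "/9" against a 4-byte table is rejected outright. */
int demo_offset_out_of_range(char *out, size_t outlen)
{
    unsigned char ar[256];
    size_t n = AR_MAGIC_LEN;
    memcpy(ar, AR_MAGIC, AR_MAGIC_LEN);
    n += put_member(ar + n, "//", "0000", 4);
    n += put_member(ar + n, "/9", "", 0);
    return ar_first_long_name(ar, n, out, outlen);     /* -3 */
}
```

The demo functions return the walker's status so the three cases can be checked without running the binary under valgrind; a parser that instead hands table+offset straight to strdup() is exactly what the report's trace shows, and the second archive is the input that exposes it.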

