Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 597154 - dereferencing invalid memory area
Summary: dereferencing invalid memory area
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libtar
Version: 6.0
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: Alex Sersen
URL:
Whiteboard:
Depends On: 551415
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-28 09:19 UTC by Kamil Dudka
Modified: 2013-11-01 01:33 UTC (History)
5 users (show)

Fixed In Version: libtar-1.2.11-16.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 551415
Environment:
Last Closed: 2010-11-15 14:30:20 UTC
Target Upstream Version:


Attachments (Terms of Use)
revisited patch from Fedora (deleted)
2010-05-28 09:45 UTC, Kamil Dudka
huzaifas: review+
Details | Diff

Description Kamil Dudka 2010-05-28 09:19:11 UTC
+++ This bug was initially created as a clone of Bug #551415 +++

Created an attachment (id=380957)
testcase: libtar-main.c

Description of problem:
When executing a testcase for a toy app, I started to write, valgrind observed invalid memory access.

Version-Release number of selected component (if applicable):
$ rpm -q libtar{,-devel,-debuginfo} valgrind{,-devel}
libtar-1.2.11-15.fc12.i686
libtar-devel-1.2.11-15.fc12.i686
libtar-debuginfo-1.2.11-15.fc12.i686
valgrind-3.5.0-9.i686
valgrind-devel-3.5.0-9.i686

How reproducible:
Compile and valgrind the test case.

Steps to Reproduce:
1. gcc -o libtar-test libtar-main.c -ltar
2. valgrind --exit-errorcode=1 -q ./libtar-test
  
Actual results:
FAIL FOLLOWS:
==9338== Conditional jump or move depends on uninitialised value(s)
==9338==    at 0xBC3683: th_set_path (encode.c:85)
==9338==    by 0x8048890: main (libtar-main.c:60)
==9338== 

Expected results:
Silence and a happy valgrind.

Additional info:
This issue happens because of the TH_ISDIR() macro used in th_set_path(). It is defined like this:
> #define TH_ISDIR(t)     ((t)->th_buf.typeflag == DIRTYPE \
>                          || S_ISDIR((mode_t)oct_to_int((t)->th_buf.mode)) \
>                          || ((t)->th_buf.typeflag == AREGTYPE \
>                              && ((t)->th_buf.name[strlen((t)->th_buf.name) - 1] == '/')))

Now when we use an empty-initialized header, the name is an array of 100 '\0' bytes => strlen((t)->th_buf.name) == 0 => strlen((t)->th_buf.name) - 1 == -1 => (t)->th_buf.name[-1] == <last byte before the tar header>.

I'm not sure this behavior is an exploitable security issue. It's at least a major defect in that library preventing it from being used in properly valgrinded test cases.

Will provide a patch.

--- Additional comment from herzi@gnome-de.org on 2009-12-30 17:42:46 CET ---

Created an attachment (id=380965)
proposed patch v1

This patch fixes TH_ISDIR() and oct_to_int() to properly handle empty strings for "name" and "mode" respectively.

--- Additional comment from huzaifas@redhat.com on 2009-12-31 05:11:04 CET ---

https://admin.fedoraproject.org/updates/libtar-1.2.11-16.fc12 fixes this issue.

--- Additional comment from updates@fedoraproject.org on 2010-01-02 04:29:21 CET ---

libtar-1.2.11-16.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update libtar'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0010

--- Additional comment from updates@fedoraproject.org on 2010-01-04 22:16:21 CET ---

libtar-1.2.11-16.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 1 RHEL Product and Program Management 2010-05-28 09:35:35 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 2 Kamil Dudka 2010-05-28 09:45:11 UTC
Created attachment 417531 [details]
revisited patch from Fedora

Comment 3 Kamil Dudka 2010-05-31 15:44:42 UTC
built as libtar-1.2.11-16.el6

Comment 7 releng-rhel@redhat.com 2010-11-15 14:30:20 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.