BSD Tar is allocating gigabytes to list files

Bug #1487020 reported by Gustavo
Affects: libarchive (Ubuntu); Status: Confirmed; Importance: Low; Assigned to: Unassigned

Bug Description

Hello!

Our fuzzer found an interesting test case in which BSD tar allocates a few gigabytes just to show the filenames of a tar file. You can check it using: ltrace -e malloc /usr/bin/bsdtar -tf buggy.bsd-out-of-memory.tar
In the ltrace output you can easily spot:

....
libarchive.so.13->malloc(5609768313)
....

We checked in the source code and we think it is not possible to perform an integer overflow (but of course we are not completely sure). We are emailing you this test case privately because of the possible security implications of it. This issue seems to be fixed in the last revisions of libarchive.

Thanks!

Tags: libarchive
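The report above turns on one thing: a size field in a tar header is attacker-controlled data, and a listing never needs the entry payload in memory, so there is nothing to allocate from it. The following is an added example (not code from libarchive, bsdtar or this bug report) of a streaming tar lister that verifies each header checksum, decodes the size field in both its octal and GNU base-256 encodings, and rejects any entry that declares more bytes than the archive actually holds. The sample archives are constructed inline with the Python standard library; the oversized header reuses the 5609768313-byte figure from the ltrace output so the check can be seen firing.

```python
"""Streaming tar listing with declared-size sanity checks.

Added example, not code from libarchive, bsdtar or this bug report. It walks a tar
image one 512-byte header at a time, verifies the header checksum, decodes the size
field (octal or GNU base-256), and refuses any entry that claims more bytes than the
archive contains. The payload is skipped by offset, never read or allocated.
"""
import io
import tarfile

BLOCK = 512                      # tar header / data block size
SIZE_FIELD = slice(124, 136)     # ustar size field
CHKSUM_FIELD = slice(148, 156)   # ustar checksum field


def decode_size(field: bytes) -> int:
    """Decode the 12-byte size field: GNU base-256 if the high bit is set, else ASCII octal."""
    if field[0] & 0x80:
        n = field[0] & 0x7F
        for b in field[1:]:
            n = (n << 8) | b
        return n
    digits = field.split(b"\0", 1)[0].strip()
    return int(digits, 8) if digits else 0


def checksum_ok(hdr: bytes) -> bool:
    """Recompute the header checksum with the checksum field counted as eight spaces."""
    stored = hdr[CHKSUM_FIELD].strip(b" \0")
    if not stored:
        return False
    computed = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
    return int(stored, 8) == computed


def list_entries(data: bytes):
    """Return [(name, size), ...] for a tar image without reading any payload.

    Raises ValueError on a corrupt checksum or on a size field larger than the
    bytes remaining after the header: the condition that a reader trusting the
    header would turn into a multi-gigabyte allocation.
    """
    entries = []
    pos, total = 0, len(data)
    while pos + BLOCK <= total:
        hdr = data[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:
            break                                   # end-of-archive marker
        if not checksum_ok(hdr):
            raise ValueError(f"bad header checksum at offset {pos}")
        name = hdr[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = decode_size(hdr[SIZE_FIELD])
        remaining = total - (pos + BLOCK)
        if size > remaining:
            raise ValueError(f"entry {name!r} declares {size} bytes but only {remaining} remain")
        entries.append((name, size))
        pos += BLOCK + -(-size // BLOCK) * BLOCK    # skip payload, rounded up to whole blocks
    return entries


def safe_list(data: bytes):
    """Return (entries, error_message) instead of raising, for callers that just report."""
    try:
        return list_entries(data), None
    except ValueError as exc:
        return [], str(exc)


def build_sample_archive() -> bytes:
    """Constructed sample input: a valid one-file ustar archive written by the stdlib."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"hello\n"
        info = tarfile.TarInfo("hello.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def with_declared_size(hdr: bytes, size: int) -> bytes:
    """Constructed test input: copy of a header with the size field rewritten and the checksum refreshed."""
    h = bytearray(hdr)
    h[SIZE_FIELD] = f"{size:011o}".encode() + b"\0"
    h[CHKSUM_FIELD] = b" " * 8
    h[CHKSUM_FIELD] = f"{sum(h):06o}".encode() + b"\0 "
    return bytes(h)


GOOD_ARCHIVE = build_sample_archive()
# Same archive, but the first header now claims the 5609768313 bytes seen in the ltrace output.
BAD_ARCHIVE = with_declared_size(GOOD_ARCHIVE[:BLOCK], 5609768313) + GOOD_ARCHIVE[BLOCK:]

if __name__ == "__main__":
    print("good:", safe_list(GOOD_ARCHIVE))
    print("bad: ", safe_list(BAD_ARCHIVE))
```

The comparison against the bytes remaining in the image is only possible when the archive is a seekable file; for a pipe, the equivalent defence is to never allocate from the declared size at all and instead copy the payload through a fixed-size buffer, which is also why a listing needs no allocation in the first place.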
Gustavo (gustavo-grieco) wrote :

Tyler Hicks (tyhicks) wrote :

Hello - Thank you for the bug report. I've tried to reproduce the issue that you reported but I haven't been successful. What Ubuntu release were you using and what version of libarchive were you testing with? Also, what architecture? Thanks!

Changed in libarchive (Ubuntu):
status: New → Incomplete
Gustavo (gustavo-grieco) wrote :

This issue is present in a fully updated Ubuntu 14.04.2 LTS. It was tested in x86 (32-bit and 64-bit).

Tyler Hicks (tyhicks) wrote :

Thanks Gustavo! I was able to reproduce the bug. However, I'm not understanding the security impact. libarchive attempts to allocate the large amount of memory, the allocation fails, the failed allocation is handled correctly, and bsdtar exits. There's no segfault or anything along those lines. Am I missing anything?

Gustavo (gustavo-grieco) wrote :

Exactly. There is no crash. We just found it very suspicious that libarchive allows memory to be allocated before it is even asked to uncompress a file. Unfortunately, we didn't have time to verify in depth whether an integer overflow was happening or possible, but we decided to report it privately just in case. If you think it is completely safe, remove the security tag. Sorry if it wasn't completely clear!

Regards,
Gustavo.

Tyler Hicks (tyhicks) wrote :

Thanks Gustavo - I don't see how an attacker could leverage this since it is seemingly harmless. I think we should treat it as a normal bug so I'm making this report public.

information type: Private Security → Public
Changed in libarchive (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → Low