1GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted
2pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers
3an out-of-bounds heap write.
4
5CVE: CVE-2021-38185
6Upstream-Status: Backport
7Signed-off-by: Ross Burton <ross.burton@arm.com>
8
9From e494c68a3a0951b1eaba77e2db93f71a890e15d8 Mon Sep 17 00:00:00 2001
10From: Sergey Poznyakoff <gray@gnu.org>
11Date: Sat, 7 Aug 2021 12:52:21 +0300
12Subject: [PATCH 1/3] Rewrite dynamic string support.
13
14* src/dstring.c (ds_init): Take a single argument.
15(ds_free): New function.
16(ds_resize): Take a single argument. Use x2nrealloc to expand
17the storage.
18(ds_reset,ds_append,ds_concat,ds_endswith): New function.
19(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.
20* src/dstring.h (dynamic_string): Keep both the allocated length
21(ds_size) and index of the next free byte in the string (ds_idx).
22(ds_init,ds_resize): Change signature.
23(ds_len): New macro.
24(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.
25* src/copyin.c: Use new ds_ functions.
26* src/copyout.c: Likewise.
27* src/copypass.c: Likewise.
28* src/util.c: Likewise.
29---
30 src/copyin.c | 40 +++++++++++------------
31 src/copyout.c | 16 ++++-----
32 src/copypass.c | 34 +++++++++----------
33 src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++--------------
34 src/dstring.h | 31 +++++++++---------
35 src/util.c | 6 ++--
36 6 files changed, 123 insertions(+), 92 deletions(-)
37
38diff --git a/src/copyin.c b/src/copyin.c
39index b29f348..37e503a 100644
40--- a/src/copyin.c
41+++ b/src/copyin.c
42@@ -55,11 +55,12 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
43 char *str_res; /* Result for string function. */
44 static dynamic_string new_name; /* New file name for rename option.
 */
45 static int initialized_new_name = false;
46+
47 if (!initialized_new_name)
48- {
49- ds_init (&new_name, 128);
50- initialized_new_name = true;
51- }
52+ {
53+ ds_init (&new_name);
54+ initialized_new_name = true;
55+ }
56
57 if (rename_flag)
58 {
59@@ -779,37 +780,36 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name)
60 already in `save_patterns' (from the command line) are preserved. */
61
62 static void
63-read_pattern_file ()
64+read_pattern_file (void)
65 {
66- int max_new_patterns;
67- char **new_save_patterns;
68- int new_num_patterns;
69+ char **new_save_patterns = NULL;
70+ size_t max_new_patterns;
71+ size_t new_num_patterns;
72 int i;
73- dynamic_string pattern_name;
74+ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER;
75 FILE *pattern_fp;
76
77 if (num_patterns < 0)
78 num_patterns = 0;
79- max_new_patterns = 1 + num_patterns;
80- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *));
81 new_num_patterns = num_patterns;
82- ds_init (&pattern_name, 128);
83+ max_new_patterns = num_patterns;
84+ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0]));
85
86 pattern_fp = fopen (pattern_file_name, "r");
87 if (pattern_fp == NULL)
88 open_fatal (pattern_file_name);
89 while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
90 {
91- if (new_num_patterns >= max_new_patterns)
92- {
93- max_new_patterns += 1;
94- new_save_patterns = (char **)
95- xrealloc ((char *) new_save_patterns,
96- max_new_patterns * sizeof (char *));
97- }
98+ if (new_num_patterns == max_new_patterns)
99+ new_save_patterns = x2nrealloc (new_save_patterns,
100+ &max_new_patterns,
101+ sizeof (new_save_patterns[0]));
102 new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
103 ++new_num_patterns;
104 }
105+
106+ ds_free (&pattern_name);
107+
108 if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
109 close_error (pattern_file_name);
110
111@@ -1196,7 +1196,7 @@ swab_array (char *ptr,
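Review bot: The `initialized_new_name` flag and the `ds_init (&new_name)` call it guards are now redundant: ds_init only zero-fills the record, and `new_name` is a static object that C already zero-initializes before main, so the rewritten block keeps a lazy-init dance that no longer does anything. Either delete the flag and the whole `if (!initialized_new_name)` block, or state the intent on the declaration with `static dynamic_string new_name = DYNAMIC_STRING_INITIALIZER;` and then delete the block. The declaration is a context line above the hunk and query_rename continues past it, so confirm nothing later reads `initialized_new_name` before removing it.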
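Review bot: `new_num_patterns` and `max_new_patterns` become `size_t` while `num_patterns` stays a signed int (the hunk still tests it with `< 0`) and `i` stays `int`, so the copy-back into `num_patterns` and the `i`-indexed loop that presumably follow — read_pattern_file continues past the hunk — now mix signed and unsigned widths and would narrow the count silently. If that store exists, widen `num_patterns` or bound it first, e.g. `if (new_num_patterns > INT_MAX) error (PAXEXIT_FAILURE, 0, _("too many patterns"));`, and make `i` a `size_t`. This loop is the attacker-controlled input path of CVE-2021-38185, so a comment above `while (ds_fgetstr (...))` would help the next reader: `/* Lines are read by ds_fgetstr, which grows pattern_name itself; never index ds_string by a separately computed length. */`.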
 int count)
112 in the file system. */
113
114 void
115-process_copy_in ()
116+process_copy_in (void)
117 {
118 char done = false; /* True if trailer reached. */
119 FILE *tty_in = NULL; /* Interactive file for rename option. */
120diff --git a/src/copyout.c b/src/copyout.c
121index 8b0beb6..26e3dda 100644
122--- a/src/copyout.c
123+++ b/src/copyout.c
124@@ -594,9 +594,10 @@ assign_string (char **pvar, char *value)
125 The format of the header depends on the compatibility (-c) flag. */
126
127 void
128-process_copy_out ()
129+process_copy_out (void)
130 {
131- dynamic_string input_name; /* Name of file read from stdin. */
132+ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
133+ /* Name of file read from stdin. */
134 struct stat file_stat; /* Stat record for file. */
135 struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER;
136 /* Output header information. */
137@@ -605,7 +606,6 @@ process_copy_out ()
138 char *orig_file_name = NULL;
139
140 /* Initialize the copy out. */
141- ds_init (&input_name, 128);
142 file_hdr.c_magic = 070707;
143
144 /* Check whether the output file might be a tape.
 */
145@@ -657,14 +657,9 @@ process_copy_out ()
146 {
147 if (file_hdr.c_mode & CP_IFDIR)
148 {
149- int len = strlen (input_name.ds_string);
150 /* Make sure the name ends with a slash */
151- if (input_name.ds_string[len-1] != '/')
152- {
153- ds_resize (&input_name, len + 2);
154- input_name.ds_string[len] = '/';
155- input_name.ds_string[len+1] = 0;
156- }
157+ if (!ds_endswith (&input_name, '/'))
158+ ds_append (&input_name, '/');
159 }
160 }
161
162@@ -875,6 +870,7 @@ process_copy_out ()
163 (unsigned long) blocks), (unsigned long) blocks);
164 }
165 cpio_file_stat_free (&file_hdr);
166+ ds_free (&input_name);
167 }
168
169
170diff --git a/src/copypass.c b/src/copypass.c
171index dc13b5b..62f31c6 100644
172--- a/src/copypass.c
173+++ b/src/copypass.c
174@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st)
175 If `link_flag', link instead of copying. */
176
177 void
178-process_copy_pass ()
179+process_copy_pass (void)
180 {
181- dynamic_string input_name; /* Name of file from stdin. */
182- dynamic_string output_name; /* Name of new file. */
183+ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
184+ /* Name of file from stdin. */
185+ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER;
186+ /* Name of new file. */
187 size_t dirname_len; /* Length of `directory_name'. */
188 int res; /* Result of functions. */
189 char *slash; /* For moving past slashes in input name. */
190@@ -65,25 +67,18 @@ process_copy_pass ()
191 created files */
192
193 /* Initialize the copy pass.
 */
194- ds_init (&input_name, 128);
195
196 dirname_len = strlen (directory_name);
197 if (change_directory_option && !ISSLASH (directory_name[0]))
198 {
199 char *pwd = xgetcwd ();
200-
201- dirname_len += strlen (pwd) + 1;
202- ds_init (&output_name, dirname_len + 2);
203- strcpy (output_name.ds_string, pwd);
204- strcat (output_name.ds_string, "/");
205- strcat (output_name.ds_string, directory_name);
206+
207+ ds_concat (&output_name, pwd);
208+ ds_append (&output_name, '/');
209 }
210- else
211- {
212- ds_init (&output_name, dirname_len + 2);
213- strcpy (output_name.ds_string, directory_name);
214- }
215- output_name.ds_string[dirname_len] = '/';
216+ ds_concat (&output_name, directory_name);
217+ ds_append (&output_name, '/');
218+ dirname_len = ds_len (&output_name);
219 output_is_seekable = true;
220
221 change_dir ();
222@@ -116,8 +111,8 @@ process_copy_pass ()
223 /* Make the name of the new file. */
224 for (slash = input_name.ds_string; *slash == '/'; ++slash)
225 ;
226- ds_resize (&output_name, dirname_len + strlen (slash) + 2);
227- strcpy (output_name.ds_string + dirname_len + 1, slash);
228+ ds_reset (&output_name, dirname_len);
229+ ds_concat (&output_name, slash);
230
231 existing_dir = false;
232 if (lstat (output_name.ds_string, &out_file_stat) == 0)
233@@ -333,6 +328,9 @@ process_copy_pass ()
234 (unsigned long) blocks),
235 (unsigned long) blocks);
236 }
237+
238+ ds_free (&input_name);
239+ ds_free (&output_name);
240 }
241
242 /* Try and create a hard link from FILE_NAME to another file
243diff --git a/src/dstring.c b/src/dstring.c
244index e9c063f..358f356 100644
245--- a/src/dstring.c
246+++ b/src/dstring.c
247@@ -20,8 +20,8 @@
248 #if defined(HAVE_CONFIG_H)
249 # include <config.h>
250 #endif
251-
252 #include <stdio.h>
253+#include <stdlib.h>
254 #if defined(HAVE_STRING_H) || defined(STDC_HEADERS)
255 #include <string.h>
256 #else
257@@ -33,24 +33,41 @@
258 /* Initialiaze dynamic string STRING with space for SIZE characters.
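Review bot: `pwd`, returned by `xgetcwd ()` on the context line, is heap memory and nothing in the hunk releases it once `ds_concat (&output_name, pwd)` has copied it; the old code did not free it either, and process_copy_pass continues past the hunk, so unless it is released later add `free (pwd);` right after `ds_append (&output_name, '/');`. The retained `dirname_len = strlen (directory_name);` is now dead, because `dirname_len = ds_len (&output_name);` overwrites it before anything reads it; dropping that line avoids implying the two lengths agree. Note that `dirname_len` now includes the trailing slash, which is exactly what the later `ds_reset (&output_name, dirname_len)` relies on — a short comment on the `ds_len` line saying so would help.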
 */
259
260 void
261-ds_init (dynamic_string *string, int size)
262+ds_init (dynamic_string *string)
263+{
264+ memset (string, 0, sizeof *string);
265+}
266+
267+/* Free the dynamic string storage. */
268+
269+void
270+ds_free (dynamic_string *string)
271 {
272- string->ds_length = size;
273- string->ds_string = (char *) xmalloc (size);
274+ free (string->ds_string);
275 }
276
277-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */
278+/* Expand dynamic string STRING, if necessary. */
279
280 void
281-ds_resize (dynamic_string *string, int size)
282+ds_resize (dynamic_string *string)
283 {
284- if (size > string->ds_length)
285+ if (string->ds_idx == string->ds_size)
286 {
287- string->ds_length = size;
288- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size);
289+ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
290+ 1);
291 }
292 }
293
294+/* Reset the index of the dynamic string S to LEN. */
295+
296+void
297+ds_reset (dynamic_string *s, size_t len)
298+{
299+ while (len > s->ds_size)
300+ ds_resize (s);
301+ s->ds_idx = len;
302+}
303+
304 /* Dynamic string S gets a string terminated by the EOS character
305 (which is removed) from file F. S will increase
306 in size during the function if the string from F is longer than
307@@ -61,34 +78,50 @@ ds_resize (dynamic_string *string, int size)
308 char *
309 ds_fgetstr (FILE *f, dynamic_string *s, char eos)
310 {
311- int insize; /* Amount needed for line. */
312- int strsize; /* Amount allocated for S. */
313 int next_ch;
314
315 /* Initialize. */
316- insize = 0;
317- strsize = s->ds_length;
318+ s->ds_idx = 0;
319
320 /* Read the input string.
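Review bot: `ds_free` leaves `ds_string` dangling and `ds_size`/`ds_idx` untouched, so a freed record is indistinguishable from a live one, and a second `ds_free` or any ds_ call after the free is a double free or a write through a freed pointer. Make the freed state equal to the initial state: `free (string->ds_string); ds_init (string);` — that also makes repeated ds_free harmless, which matters now that several callers free at function exit. The comment kept above `ds_init` still says "with space for SIZE characters" although SIZE is gone; replace it with `/* Initialize STRING to the empty state: no storage, ds_string == NULL until the first ds_ call that stores into it. */`.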
 */
321- next_ch = getc (f);
322- while (next_ch != eos && next_ch != EOF)
323+ while ((next_ch = getc (f)) != eos && next_ch != EOF)
324 {
325- if (insize >= strsize - 1)
326- {
327- ds_resize (s, strsize * 2 + 2);
328- strsize = s->ds_length;
329- }
330- s->ds_string[insize++] = next_ch;
331- next_ch = getc (f);
332+ ds_resize (s);
333+ s->ds_string[s->ds_idx++] = next_ch;
334 }
335- s->ds_string[insize++] = '\0';
336+ ds_resize (s);
337+ s->ds_string[s->ds_idx] = '\0';
338
339- if (insize == 1 && next_ch == EOF)
340+ if (s->ds_idx == 0 && next_ch == EOF)
341 return NULL;
342 else
343 return s->ds_string;
344 }
345
346+void
347+ds_append (dynamic_string *s, int c)
348+{
349+ ds_resize (s);
350+ s->ds_string[s->ds_idx] = c;
351+ if (c)
352+ {
353+ s->ds_idx++;
354+ ds_resize (s);
355+ s->ds_string[s->ds_idx] = 0;
356+ }
357+}
358+
359+void
360+ds_concat (dynamic_string *s, char const *str)
361+{
362+ size_t len = strlen (str);
363+ while (len + 1 > s->ds_size)
364+ ds_resize (s);
365+ memcpy (s->ds_string + s->ds_idx, str, len);
366+ s->ds_idx += len;
367+ s->ds_string[s->ds_idx] = 0;
368+}
369+
370 char *
371 ds_fgets (FILE *f, dynamic_string *s)
372 {
373@@ -100,3 +133,10 @@ ds_fgetname (FILE *f, dynamic_string *s)
374 {
375 return ds_fgetstr (f, s, '\0');
376 }
377+
378+/* Return true if the dynamic string S ends with character C. */
379+int
380+ds_endswith (dynamic_string *s, int c)
381+{
382+ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c);
383+}
384diff --git a/src/dstring.h b/src/dstring.h
385index b5135fe..f5b04ef 100644
386--- a/src/dstring.h
387+++ b/src/dstring.h
388@@ -17,10 +17,6 @@
389 Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
390 Boston, MA 02110-1301 USA. */
391
392-#ifndef NULL
393-#define NULL 0
394-#endif
395-
396 /* A dynamic string consists of record that records the size of an
397 allocated string and the pointer to that string.
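Review bot: `ds_endswith` only reads S, so the parameter should be `const dynamic_string *s` here and in the dstring.h prototype; that documents the read-only contract at the copyout.c call site. The comparison `s->ds_string[s->ds_idx - 1] == c` matches a `char` against an `int`, so on a signed-char platform any C above 127 never compares equal; the only caller in this patch passes '/', which is fine, but a one-line comment would spare the next reader the check: `/* C is expected to be a plain ASCII character; ds_string holds char. */`.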
 The actual string
398 is a normal zero byte terminated string that can be used with the
399@@ -30,22 +26,25 @@
400
401 typedef struct
402 {
403- int ds_length; /* Actual amount of storage allocated. */
404- char *ds_string; /* String. */
405+ size_t ds_size; /* Actual amount of storage allocated. */
406+ size_t ds_idx; /* Index of the next free byte in the string. */
407+ char *ds_string; /* String storage. */
408 } dynamic_string;
409
410+#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL }
411
412-/* Macros that look similar to the original string functions.
413- WARNING: These macros work only on pointers to dynamic string records.
414- If used with a real record, an "&" must be used to get the pointer. */
415-#define ds_strlen(s) strlen ((s)->ds_string)
416-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string)
417-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n)
418-#define ds_index(s, c) index ((s)->ds_string, c)
419-#define ds_rindex(s, c) rindex ((s)->ds_string, c)
420+void ds_init (dynamic_string *string);
421+void ds_free (dynamic_string *string);
422+void ds_reset (dynamic_string *s, size_t len);
423
424-void ds_init (dynamic_string *string, int size);
425-void ds_resize (dynamic_string *string, int size);
426+/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */
427 char *ds_fgetname (FILE *f, dynamic_string *s);
428 char *ds_fgets (FILE *f, dynamic_string *s);
429 char *ds_fgetstr (FILE *f, dynamic_string *s, char eos);
430+void ds_append (dynamic_string *s, int c);
431+void ds_concat (dynamic_string *s, char const *str);
432+
433+#define ds_len(s) ((s)->ds_idx)
434+
435+int ds_endswith (dynamic_string *s, int c);
436+
437diff --git a/src/util.c b/src/util.c
438index 4421b20..6d6bbaa 100644
439--- a/src/util.c
440+++ b/src/util.c
441@@ -846,11 +846,9 @@ get_next_reel (int tape_des)
442 FILE *tty_out; /* File for interacting with user.
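Review bot: The retained description of the record ("A dynamic string consists of record that records the size of an allocated string and the pointer to that string") is stale once the next hunk adds `ds_idx`, and the comment itself runs past the end of this hunk. Rewrite it to say that the record holds the allocated size, the index of the next free byte (which is also the string length), and the storage pointer, and that the storage pointer is NULL until a ds_ function first stores into the string.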
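Review bot: The new comment "All functions below guarantee that s->ds_string[s->ds_idx] == '\0'" covers the prototypes after it, but `ds_reset`, declared above it, gives no such guarantee, and nothing documents a freshly initialized record: with `DYNAMIC_STRING_INITIALIZER` or `ds_init` the `ds_string` member is NULL, so `s->ds_string[s->ds_idx]` is not readable until ds_fgetstr, ds_append or ds_concat has run. Put that on the initializer: `/* A record in this state owns no storage; ds_string is NULL and must not be dereferenced before a ds_ function stores into it. */`, and note on `ds_reset` that it only moves the index and writes no terminator. Removing the `ds_strlen`/`ds_strcmp`/`ds_index` macros is an API break for any out-of-tree user of dstring.h; if that matters for the backport, keep `#define ds_strlen(s) ds_len (s)` as an alias.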
 */
443 int old_tape_des;
444 char *next_archive_name;
445- dynamic_string new_name;
446+ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER;
447 char *str_res;
448
449- ds_init (&new_name, 128);
450-
451 /* Open files for interactive communication. */
452 tty_in = fopen (TTY_NAME, "r");
453 if (tty_in == NULL)
454@@ -925,7 +923,7 @@ get_next_reel (int tape_des)
455 error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"),
456 old_tape_des, tape_des);
457
458- free (new_name.ds_string);
459+ ds_free (&new_name);
460 fclose (tty_in);
461 fclose (tty_out);
462 }
463--
4642.25.1
465
466
467From fb7a51bf85b8e6f045cacb4fb783db4a414741bf Mon Sep 17 00:00:00 2001
468From: Sergey Poznyakoff <gray@gnu.org>
469Date: Wed, 11 Aug 2021 18:10:38 +0300
470Subject: [PATCH 2/3] Fix previous commit
471
472* src/dstring.c (ds_reset,ds_concat): Don't call ds_resize in a
473loop.
474---
475 src/dstring.c | 4 ++--
476 1 file changed, 2 insertions(+), 2 deletions(-)
477
478diff --git a/src/dstring.c b/src/dstring.c
479index 358f356..90c691c 100644
480--- a/src/dstring.c
481+++ b/src/dstring.c
482@@ -64,7 +64,7 @@ void
483 ds_reset (dynamic_string *s, size_t len)
484 {
485 while (len > s->ds_size)
486- ds_resize (s);
487+ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
488 s->ds_idx = len;
489 }
490
491@@ -116,7 +116,7 @@ ds_concat (dynamic_string *s, char const *str)
492 {
493 size_t len = strlen (str);
494 while (len + 1 > s->ds_size)
495- ds_resize (s);
496+ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
497 memcpy (s->ds_string + s->ds_idx, str, len);
498 s->ds_idx += len;
499 s->ds_string[s->ds_idx] = 0;
500--
5012.25.1
502
503
504From 86b37d74b15f9bb5fe62fd1642cc126d3ace0189 Mon Sep 17 00:00:00 2001
505From: Sergey Poznyakoff <gray@gnu.org>
506Date: Wed, 18 Aug 2021 09:41:39 +0300
507Subject: [PATCH 3/3] Fix dynamic string reallocations
508
509* src/dstring.c (ds_resize): Take additional argument: number of
510bytes to leave
 available after ds_idx. All uses changed.
511---
512 src/dstring.c | 18 ++++++++----------
513 1 file changed, 8 insertions(+), 10 deletions(-)
514
515diff --git a/src/dstring.c b/src/dstring.c
516index 90c691c..0f597cc 100644
517--- a/src/dstring.c
518+++ b/src/dstring.c
519@@ -49,9 +49,9 @@ ds_free (dynamic_string *string)
520 /* Expand dynamic string STRING, if necessary. */
521
522 void
523-ds_resize (dynamic_string *string)
524+ds_resize (dynamic_string *string, size_t len)
525 {
526- if (string->ds_idx == string->ds_size)
527+ while (len + string->ds_idx >= string->ds_size)
528 {
529 string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
530 1);
531@@ -63,8 +63,7 @@ ds_resize (dynamic_string *string)
532 void
533 ds_reset (dynamic_string *s, size_t len)
534 {
535- while (len > s->ds_size)
536- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
537+ ds_resize (s, len);
538 s->ds_idx = len;
539 }
540
541@@ -86,10 +85,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
542 /* Read the input string.
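Review bot: The comment kept above the function, `/* Expand dynamic string STRING, if necessary. */`, does not say what LEN means, and the `>=` in `while (len + string->ds_idx >= string->ds_size)` is the whole contract: it reserves LEN bytes plus one for the terminator. Replace the comment with `/* Ensure at least LEN + 1 bytes are free at ds_idx (ds_size > ds_idx + LEN), so the caller can store LEN bytes followed by a NUL. */`. `len + string->ds_idx` is not itself overflow-checked; that is harmless for the strlen-derived values passed in this series, but the comment should say LEN must come from an in-memory object, and it is worth confirming that the gnulib x2nrealloc used here aborts rather than returns NULL on allocation failure, since no caller checks the result.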
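Review bot: `ds_reset` still carries no comment about what it leaves behind: it moves `ds_idx` but stores no terminator, so after `ds_reset (s, len)` the string is not NUL-terminated at `len` until a following ds_append/ds_concat writes one, and if LEN exceeds the old `ds_idx` the bytes in between are uninitialized. The only use in this series is truncation followed by `ds_concat` in copypass.c, so document that contract above the function: `/* Truncate or extend S to LEN bytes without terminating it; the caller must store a terminator (ds_append/ds_concat do). Bytes between the old and new ds_idx are left uninitialized. */`.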
 */
543 while ((next_ch = getc (f)) != eos && next_ch != EOF)
544 {
545- ds_resize (s);
546+ ds_resize (s, 0);
547 s->ds_string[s->ds_idx++] = next_ch;
548 }
549- ds_resize (s);
550+ ds_resize (s, 0);
551 s->ds_string[s->ds_idx] = '\0';
552
553 if (s->ds_idx == 0 && next_ch == EOF)
554@@ -101,12 +100,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
555 void
556 ds_append (dynamic_string *s, int c)
557 {
558- ds_resize (s);
559+ ds_resize (s, 0);
560 s->ds_string[s->ds_idx] = c;
561 if (c)
562 {
563 s->ds_idx++;
564- ds_resize (s);
565+ ds_resize (s, 0);
566 s->ds_string[s->ds_idx] = 0;
567 }
568 }
569@@ -115,8 +114,7 @@ void
570 ds_concat (dynamic_string *s, char const *str)
571 {
572 size_t len = strlen (str);
573- while (len + 1 > s->ds_size)
574- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
575+ ds_resize (s, len);
576 memcpy (s->ds_string + s->ds_idx, str, len);
577 s->ds_idx += len;
578 s->ds_string[s->ds_idx] = 0;
579--
5802.25.1
581
582
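Review bot: `eos` is a `char` while `next_ch` is the `int` from getc, so on a platform with signed `char` an EOS above 127 would never compare equal and the loop would run on to EOF; the two callers in this series pass '\n' and '\0', so it is fine today, but `while ((next_ch = getc (f)) != (unsigned char) eos && next_ch != EOF)` makes it correct for any delimiter. A read error is also reported like EOF here — the NULL return only means nothing was read — so a comment that callers must check `ferror (f)` afterwards, as read_pattern_file does, would make that explicit. ds_fgetstr begins before this hunk.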
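Review bot: `ds_append` has no header comment, and its `if (c)` branch gives it two behaviours: a non-zero C is stored and the string re-terminated, while C == 0 only writes a terminator at `ds_idx` without advancing it. Add above the function `/* Append character C to S and keep S NUL-terminated. C == 0 only terminates S at ds_idx without advancing it. */`. C is stored into a `char`, so values outside the char range are truncated silently; the callers in this series pass '/'.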
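Review bot: `ds_concat` may move `s->ds_string` through `ds_resize` before the `memcpy`, so a STR that points into S's own storage (for example `ds_concat (s, s->ds_string + k)`) would be read after that storage was released; none of the callers in this series does that (`pwd`, `directory_name`, and `slash`, which points into a different dynamic_string), but the precondition is not written down. Add `/* Append the NUL-terminated STR to S. STR must not alias S's storage, which ds_resize may reallocate. */` above the function.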