[gutsy] cpio segs on bad input

Bug #139928 reported by Dave Gilbert
Affects Status Importance Assigned to Milestone
cpio (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: cpio

Hi,

cpio -i </boot/initrd.img-2.6.22-11-generic 2> log

Now obviously I should have ungzip'd that initrd first; but in this case cpio is generating a load of
dross on the standard error and finally ending with a segfault.

It really shouldn't segfault on bad input.

(for ref this is on x86-64).

Dave

Revision history for this message
Kees Cook (kees) wrote :

Hm, I do not get a crash on my x86-64. Running under gdb:

$ gdb cpio
GNU gdb 6.6-debian
...
(gdb) run -i </boot/initrd.img-2.6.22-11-generic 2>/tmp/log
Starting program: /bin/cpio -i </boot/initrd.img-2.6.22-11-generic 2>/tmp/log
(no debugging symbols found)
(no debugging symbols found)

Program exited with code 01.
(gdb)

Changed in cpio:
status: New → Incomplete
Revision history for this message
Dave Gilbert (ubuntu-treblig) wrote :

Hi Kees,
  Hmm that's unfortunate - try the attached initrd from my machine.

I know I'm not the only person to see it since the first time I tried this was after someone said they had seen cpio
seg on #ubuntu+1 and I concluded they forgot to de-gzip it.

Dave

Revision history for this message
Dave Gilbert (ubuntu-treblig) wrote :

OK, here is a backtrace from a gdb - rebuilt cpio with nostrip and debug in the DEB_BUILD_OPTIONS

Program received signal SIGSEGV, Segmentation fault.
read_in_binary (file_hdr=0x7fff141d36c0, short_hdr=0xff7f1d141033, in_des=0)
    at copyin.c:1272
1272 file_hdr->c_dev_maj = major (short_hdr->c_dev);
(gdb) where
#0 read_in_binary (file_hdr=0x7fff141d36c0, short_hdr=0xff7f1d141033,
    in_des=0) at copyin.c:1272
#1 0x0000000000405939 in read_for_checksum (in_file_des=4285691,
    file_size=<value optimized out>,
    file_name=0x8e81f6a54e6e08a3 <Address 0x8e81f6a54e6e08a3 out of bounds>)
    at copyout.c:51
#2 0x0000000000000000 in ?? ()
(gdb) list
1267 warned = 1;
1268 }
1269 swab_array ((char *) &short_hdr, 13);
1270 }
1271
1272 file_hdr->c_dev_maj = major (short_hdr->c_dev);
1273 file_hdr->c_dev_min = minor (short_hdr->c_dev);
1274 file_hdr->c_ino = short_hdr->c_ino;
1275 file_hdr->c_mode = short_hdr->c_mode;
1276 file_hdr->c_uid = short_hdr->c_uid;
(gdb) p short_hdr
$1 = (struct old_cpio_header *) 0xff7f1d141033
(gdb) p *short_hdr
Cannot access memory at address 0xff7f1d141033
(gdb)

Revision history for this message
Dave Gilbert (ubuntu-treblig) wrote :

OK - I think I've got it - that swab_array at line 1269 is wrong - it's byte swapping the pointer short_hdr rather than the data it points to - I think
you need to lose the &

Dave
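
Dave's diagnosis above, as an added C example (not cpio's own source): a minimal swab_array over the 13-word old binary header, the corrected call without the '&', and the pointer-swapping mistake modelled on a plain 64-bit value. The header layout and the 0xc771 (byte-reversed 070707) check are assumptions consistent with the thread; the pointer value fed in is the one from the backtrace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the 26-byte old (binary) cpio header: 13 16-bit fields. */
struct old_cpio_header {
  uint16_t c_magic, c_dev, c_ino, c_mode, c_uid, c_gid, c_nlink, c_rdev;
  uint16_t c_mtimes[2], c_namesize, c_filesizes[2];
};

/* Swap the two bytes of each of COUNT 16-bit words starting at PTR. */
static void swab_array(char *ptr, int count) {
  while (count-- > 0) {
    char tmp = ptr[0];
    ptr[0] = ptr[1];
    ptr[1] = tmp;
    ptr += 2;
  }
}

/* Corrected form: if the magic arrived byte-swapped (0xc771 instead of
   070707), swap the header *data* in place. Returns the magic afterwards. */
uint16_t fix_header(struct old_cpio_header *short_hdr) {
  if (short_hdr->c_magic == 0xc771)
    swab_array((char *) short_hdr, 13);   /* no '&': the pointed-to bytes */
  return short_hdr->c_magic;
}

/* The mistake modelled safely: '&short_hdr' hands swab_array the bytes of
   the pointer variable itself. Only the 8 bytes of P are swapped here; the
   real call swapped 26 and ran off the end of the pointer on the stack. */
uint64_t swab_pointer_value(uint64_t p) {
  swab_array((char *) &p, (int) (sizeof p / 2));
  return p;
}

int main(void) {
  struct old_cpio_header h;              /* constructed sample header */
  memset(&h, 0, sizeof h);
  h.c_magic = 0xc771;                    /* 070707 read in the wrong order */
  h.c_dev = 0x0301;                      /* really dev 0x0103 */
  printf("magic after fix: %#o, dev: %#x\n", fix_header(&h), h.c_dev);
  /* The value from the backtrace, un-swapped back to a plausible stack
     address next to file_hdr=0x7fff141d36c0. */
  printf("pointer undone: %#llx\n",
         (unsigned long long) swab_pointer_value(0xff7f1d141033ULL));
  return 0;
}
```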

Revision history for this message
Brian Murray (brian-murray) wrote :

I was able to reproduce this bug report with the file that you have provided and with initrd.img-2.6.20-8-generic from sometime in Feisty's development.

Changed in cpio:
importance: Undecided → Medium
status: Incomplete → Confirmed
Revision history for this message
Daniel Hahler (blueyed) wrote :

I can confirm the crash too, on x86-64.

Attached is a debdiff, with the fix proposed by Dave, confirmed to not cause a segfault with the test file.

Revision history for this message
Dave Gilbert (ubuntu-treblig) wrote :

Thanks; for reference here is the (2 entry) thread on bug-cpio which I posted and it got ack'd:

http://lists.gnu.org/archive/html/bug-cpio/2007-09/msg00006.html

I'm not sure your comment in the diff is actually correct; I think the case this fixes isn't actually
invalid data just an obscure header format that is actually valid.

Dave

Revision history for this message
Daniel Hahler (blueyed) wrote :

Ok. I've changed the changelog entry.

This is ready for upload then.

Revision history for this message
Dave Gilbert (ubuntu-treblig) wrote :

Yes that looks great; thanks.

Dave

Revision history for this message
Daniel Hahler (blueyed) wrote :

cpio (2.8-1ubuntu2) gutsy; urgency=low

  * src/copyin.c: Applied patch from Dave Gilbert inline to fix
    possible segfault when fixing headers, where the magic number
    is byte swapped (LP: #139928)

 -- dAniel hAhler <email address hidden> Tue, 02 Oct 2007 04:54:51 +0200

Changed in cpio:
status: Confirmed → Fix Released