BSD Tar is allocating gigabytes to list files

Bug #1487020 reported by Gustavo on 2015-08-20
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libarchive (Ubuntu)
Low
Unassigned

Bug Description

Hello!

Our fuzzer found an interesting test case in which BSD tar allocates a few gigabytes just to show the filenames of a tar file. You can run check it using: ltrace -e malloc /usr/bin/bsdtar -tf buggy.bsd-out-of-memory.tar
In the ltrace output you can easily spot:

....
libarchive.so.13->malloc(5609768313)
....

We checked in the source code and we think it is not possible to perfom an integer overflow (but of course we are not completely sure). We email you this test case privately because of the possible security implications of it. This issue seems to be fixed in the last revisions of libarchive.

Thanks!

Gustavo (gustavo-grieco) wrote :
Tyler Hicks (tyhicks) wrote :

Hello - Thank you for the bug report. I've tried to reproduce the issue that you reported but I haven't been successful. What Ubuntu release were you using and what version of libarchive were you testing with? Also, what architecture? Thanks!

Changed in libarchive (Ubuntu):
status: New → Incomplete
Gustavo (gustavo-grieco) wrote :

This issue is present in a fully updated Ubuntu 14.04.2 LTS. It was tested in x86 (32-bit and 64-bit).

Tyler Hicks (tyhicks) wrote :

Thanks Gustavo! I was able to reproduce the bug. However, I'm not understanding the security impact. libarchive attempts to allocate the large amount of memory, the allocation fails, the failed allocation is handled correctly, and bsdtar exits. There's no segfault or anything along those lines. Am I missing anything?

Gustavo (gustavo-grieco) wrote :

Exactly. There is no crash. We just found very suspicious to libarchive allows to allocate memory before even ask to uncompress a file. Unfortunately, we didn't have time to verify in deep if there a integer overflow was happening or possible but we decided to report it privately just in case. If you think it is completely safe, remove the security tag. Sorry if it wasn't completely clear!

Regards,
Gustavo.

Tyler Hicks (tyhicks) wrote :

Thanks Gustavo - I don't see how an attacker could leverage this since it is seemingly harmless. I think we should treat it as a normal bug so I'm making this report public.

information type: Private Security → Public
Changed in libarchive (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → Low
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers