[klibc] [klibc:master] cpio: Fix possible crash on 64-bit systems
klibc-bot for Ben Hutchings
ben at decadent.org.uk
Thu Apr 29 17:00:22 PDT 2021
Commit-ID: 2e48a12ab1e30d43498c2d53e878a11a1b5102d5
Gitweb: http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=2e48a12ab1e30d43498c2d53e878a11a1b5102d5
Author: Ben Hutchings <ben at decadent.org.uk>
AuthorDate: Wed, 28 Apr 2021 19:46:47 +0200
Committer: Ben Hutchings <ben at decadent.org.uk>
CommitDate: Thu, 29 Apr 2021 16:03:19 +0200
[klibc] cpio: Fix possible crash on 64-bit systems
copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes.
If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a
null pointer and a subsequent SIGSEGV.
The previous commit made this impossible on 32-bit systems.
CVE-2021-31871
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
---
usr/utils/cpio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
index ac481310..9b0b6ae9 100644
--- a/usr/utils/cpio.c
+++ b/usr/utils/cpio.c
@@ -832,7 +832,7 @@ static void copyin_link(struct new_cpio_header *file_hdr, int in_file_des)
char *link_name = NULL; /* Name of hard and symbolic links. */
int res; /* Result of various function calls. */
- link_name = (char *)xmalloc((unsigned int)file_hdr->c_filesize + 1);
+ link_name = (char *)xmalloc(file_hdr->c_filesize + 1);
link_name[file_hdr->c_filesize] = '\0';
tape_buffered_read(link_name, in_file_des, file_hdr->c_filesize);
tape_skip_padding(in_file_des, file_hdr->c_filesize);
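Review bot: On the changed xmalloc() line, file_hdr->c_filesize + 1 is still computed with no bound on c_filesize visible in this hunk, so its safety rests on the field's type being wider than unsigned int on 64-bit and on the check that the commit message says the previous commit added for 32-bit. A short comment pointing at that check, or an explicit upper limit on the link-name length just before the allocation, would make the invariant local to copyin_link(). The same header value also indexes link_name[file_hdr->c_filesize] and sets the length passed to tape_buffered_read(), so any limit should be applied once, ahead of all three uses.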