Compare commits
No commits in common. "0772d23a374be432836f319ea40b63d77538f912" and "8d27a10528f5dba98f8fcc1f34fbd454509272a7" have entirely different histories.
0772d23a37
...
8d27a10528
@ -1,99 +0,0 @@
|
||||
From 056f9dbfe9e9c27452629ec48ef70686328e5a3c Mon Sep 17 00:00:00 2001
|
||||
From: shixuantong <shixuantong1@huawei.com>
|
||||
Date: Thu, 24 Nov 2022 21:28:49 +0800
|
||||
Subject: [PATCH] fix memory leak and use-after-free bugs of struct TAR
|
||||
*t
|
||||
|
||||
[1] fix CVE-2021-33640
|
||||
The error information is as fllows:
|
||||
Error: USE_AFTER_FREE (CWE-416):
|
||||
libtar-v1.2.20/libtar/libtar.c:220:freeed_arg: "tar_close" frees "t".
|
||||
libtar-v1.2.20/libtar/libtar.c:222:deref_after_free: Dereferencing freed
|
||||
pointer "t".
|
||||
# 220| if (tar_close(t) != 0)
|
||||
# 221| {
|
||||
# 222|-> free_longlink_longname(t->th_buf);
|
||||
# 223| fprintf(stderr, "tar_close: %s\n", strerror(errno));
|
||||
# 224| return -1;
|
||||
|
||||
Error: USE_AFTER_FREE(CWE-416):
|
||||
libtar-v1.2.20/libtar/libtar.c:220:freeed_arg:"tar_close" frees "t".
|
||||
libtar-v1.2.20/libtar/libtar.c:227:deref_after_free: Dereferencing freed
|
||||
pointer"t".
|
||||
# 225| }
|
||||
# 226|
|
||||
# 227|-> free_longlink_longname(t->th_buf);
|
||||
# 228| return 0;
|
||||
# 229|}
|
||||
|
||||
The pointer "t" is freed in tar_close() function, but the pointer "t" is
|
||||
still used after tar_close() is called in the list() function. Now, we put
|
||||
the free_longlink_longname() function in tar_close() function.
|
||||
|
||||
[2]fix one memory leak bug:
|
||||
Release the memory of variable "TAR *t" in lib/extract.c:list()
|
||||
---
|
||||
lib/handle.c | 1 +
|
||||
lib/util.c | 6 ++++++
|
||||
libtar/libtar.c | 4 +---
|
||||
3 files changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/handle.c b/lib/handle.c
|
||||
index 28a7dc2..ae829a9 100644
|
||||
--- a/lib/handle.c
|
||||
+++ b/lib/handle.c
|
||||
@@ -124,6 +124,7 @@ tar_close(TAR *t)
|
||||
: (libtar_freefunc_t)tar_dev_free));
|
||||
if (t->th_pathname != NULL)
|
||||
free(t->th_pathname);
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
free(t);
|
||||
|
||||
return i;
|
||||
diff --git a/lib/util.c b/lib/util.c
|
||||
index 8a42e62..108ce23 100644
|
||||
--- a/lib/util.c
|
||||
+++ b/lib/util.c
|
||||
@@ -164,7 +164,13 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
|
||||
void free_longlink_longname(struct tar_header th_buf)
|
||||
{
|
||||
if (th_buf.gnu_longname != NULL)
|
||||
+ {
|
||||
free(th_buf.gnu_longname);
|
||||
+ th_buf.gnu_longname = NULL;
|
||||
+ }
|
||||
if (th_buf.gnu_longlink !=NULL)
|
||||
+ {
|
||||
free(th_buf.gnu_longlink);
|
||||
+ th_buf.gnu_longlink = NULL;
|
||||
+ }
|
||||
}
|
||||
diff --git a/libtar/libtar.c b/libtar/libtar.c
|
||||
index 7e7354f..8c89211 100644
|
||||
--- a/libtar/libtar.c
|
||||
+++ b/libtar/libtar.c
|
||||
@@ -196,7 +196,7 @@ list(char *tarfile)
|
||||
{
|
||||
fprintf(stderr, "tar_skip_regfile(): %s\n",
|
||||
strerror(errno));
|
||||
- free_longlink_longname(t->th_buf);
|
||||
+ tar_close(t);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
@@ -218,12 +218,10 @@ list(char *tarfile)
|
||||
|
||||
if (tar_close(t) != 0)
|
||||
{
|
||||
- free_longlink_longname(t->th_buf);
|
||||
fprintf(stderr, "tar_close(): %s\n", strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
||||
- free_longlink_longname(t->th_buf);
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
||||
21
libtar.spec
21
libtar.spec
@ -1,6 +1,6 @@
|
||||
Name: libtar
|
||||
Version: 1.2.20
|
||||
Release: 22
|
||||
Release: 18
|
||||
Summary: Library for manipulating tar files from within C programs.
|
||||
License: BSD
|
||||
URL: http://repo.or.cz/libtar.git
|
||||
@ -12,12 +12,7 @@ Patch2: libtar-1.2.20-fix-resource-leaks.patch
|
||||
Patch3: libtar-1.2.11-bz729009.patch
|
||||
Patch4: libtar-1.2.20-no-static-buffer.patch
|
||||
Patch5: CVE-2013-4420.patch
|
||||
|
||||
Patch9000: openEuler-CVE-2021-33643-CVE-2021-33644.patch
|
||||
Patch9001: openEuler-CVE-2021-33645-CVE-2021-33646.patch
|
||||
Patch9002: CVE-2021-33640-fix-memory-leak-and-use-after-free-bugs.patch
|
||||
|
||||
BuildRequires: libtool git
|
||||
BuildRequires: libtool git gdb
|
||||
|
||||
%description
|
||||
Libtar is a C library for manipulating POSIX tar files. It handles adding
|
||||
@ -74,18 +69,6 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
%{_mandir}/man3/*.3*
|
||||
|
||||
%changelog
|
||||
* Thu Nov 24 2022 shixuantong <shixuantong1@huawei.com> - 1.2.20-22
|
||||
- fix memory leak and use-after-free bugs of struct TAR *t
|
||||
|
||||
* Fri Jul 29 2022 shixuantong <shixuantong@h-partners.com> - 1.2.20-21
|
||||
- fix CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646
|
||||
|
||||
* Mon Jun 20 2022 shixuantong <shixuantong@h-partners.com> - 1.2.20-20
|
||||
- fix memory leak and ensure that sz is greater than 0.
|
||||
|
||||
* Tue Jul 27 2021 yuanxin <yuanxin24@huawei.com> - 1.2.20-19
|
||||
- remove BuildRequires gdb
|
||||
|
||||
* Mon Sep 14 2020 shixuantong <shixuantong@huawei.com> - 1.2.20-18
|
||||
- fix CVE-2013-4420
|
||||
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From 6bacfdcb84a4b80c7c026e926b7e1f84d6eed26d Mon Sep 17 00:00:00 2001
|
||||
From: shixuantong <1726671442@qq.com>
|
||||
Date: Wed, 6 Apr 2022 17:40:57 +0800
|
||||
Subject: [PATCH] Ensure that sz is greater than 0.
|
||||
|
||||
---
|
||||
lib/block.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/lib/block.c b/lib/block.c
|
||||
index 092bc28..80b41ac 100644
|
||||
--- a/lib/block.c
|
||||
+++ b/lib/block.c
|
||||
@@ -118,6 +118,11 @@ th_read(TAR *t)
|
||||
if (TH_ISLONGLINK(t))
|
||||
{
|
||||
sz = th_get_size(t);
|
||||
+ if ((int)sz <= 0)
|
||||
+ {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
|
||||
if (blocks > ((size_t)-1 / T_BLOCKSIZE))
|
||||
{
|
||||
@@ -168,6 +173,11 @@ th_read(TAR *t)
|
||||
if (TH_ISLONGNAME(t))
|
||||
{
|
||||
sz = th_get_size(t);
|
||||
+ if ((int)sz <= 0)
|
||||
+ {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
|
||||
if (blocks > ((size_t)-1 / T_BLOCKSIZE))
|
||||
{
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,119 +0,0 @@
|
||||
From 8ba8e71a2b86d08ddd3478a4797170f95766c2af Mon Sep 17 00:00:00 2001
|
||||
From: shixuantong <shixuantong@h-partners.com>
|
||||
Date: Sat, 7 May 2022 17:04:46 +0800
|
||||
Subject: [PATCH] fix memory leak
|
||||
|
||||
---
|
||||
lib/libtar.h | 1 +
|
||||
lib/util.c | 9 ++++++++-
|
||||
lib/wrapper.c | 11 +++++++++++
|
||||
libtar/libtar.c | 3 +++
|
||||
4 files changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/libtar.h b/lib/libtar.h
|
||||
index 08a8e0f..8b00e93 100644
|
||||
--- a/lib/libtar.h
|
||||
+++ b/lib/libtar.h
|
||||
@@ -285,6 +285,7 @@ int oct_to_int(char *oct);
|
||||
/* integer to string-octal conversion, no NULL */
|
||||
void int_to_oct_nonull(int num, char *oct, size_t octlen);
|
||||
|
||||
+void free_longlink_longname(struct tar_header th_buf);
|
||||
|
||||
/***** wrapper.c **********************************************************/
|
||||
|
||||
diff --git a/lib/util.c b/lib/util.c
|
||||
index 11438ef..8a42e62 100644
|
||||
--- a/lib/util.c
|
||||
+++ b/lib/util.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <stdio.h>
|
||||
#include <sys/param.h>
|
||||
#include <errno.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#ifdef STDC_HEADERS
|
||||
# include <string.h>
|
||||
@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
|
||||
oct[octlen - 1] = ' ';
|
||||
}
|
||||
|
||||
-
|
||||
+void free_longlink_longname(struct tar_header th_buf)
|
||||
+{
|
||||
+ if (th_buf.gnu_longname != NULL)
|
||||
+ free(th_buf.gnu_longname);
|
||||
+ if (th_buf.gnu_longlink !=NULL)
|
||||
+ free(th_buf.gnu_longlink);
|
||||
+}
|
||||
diff --git a/lib/wrapper.c b/lib/wrapper.c
|
||||
index 44cc435..df6d617 100644
|
||||
--- a/lib/wrapper.c
|
||||
+++ b/lib/wrapper.c
|
||||
@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
|
||||
if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD))
|
||||
{
|
||||
if (TH_ISREG(t) && tar_skip_regfile(t))
|
||||
+ {
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
return -1;
|
||||
+ }
|
||||
continue;
|
||||
}
|
||||
if (t->options & TAR_VERBOSE)
|
||||
@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
|
||||
else
|
||||
strlcpy(buf, filename, sizeof(buf));
|
||||
if (tar_extract_file(t, buf) != 0)
|
||||
+ {
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
return -1;
|
||||
+ }
|
||||
}
|
||||
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
return (i == 1 ? 0 : -1);
|
||||
}
|
||||
|
||||
@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix)
|
||||
"\"%s\")\n", buf);
|
||||
#endif
|
||||
if (tar_extract_file(t, buf) != 0)
|
||||
+ {
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
return -1;
|
||||
+ }
|
||||
}
|
||||
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
return (i == 1 ? 0 : -1);
|
||||
}
|
||||
|
||||
diff --git a/libtar/libtar.c b/libtar/libtar.c
|
||||
index 23f8741..7e7354f 100644
|
||||
--- a/libtar/libtar.c
|
||||
+++ b/libtar/libtar.c
|
||||
@@ -196,6 +196,7 @@ list(char *tarfile)
|
||||
{
|
||||
fprintf(stderr, "tar_skip_regfile(): %s\n",
|
||||
strerror(errno));
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
@@ -217,10 +218,12 @@ list(char *tarfile)
|
||||
|
||||
if (tar_close(t) != 0)
|
||||
{
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
fprintf(stderr, "tar_close(): %s\n", strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ free_longlink_longname(t->th_buf);
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user