| blob | 926bda1f40585a498d9d3d129a48762717be9f9c |
1 From 6777e08cc38bc780d27c69c1d8c272867b74524f Mon Sep 17 00:00:00 2001
2 From: Giancarlo Canales Barreto <gcanalesb@me.com>
3 Date: Wed, 17 Jun 2015 00:22:19 -0400
4 Subject: [PATCH] Update unsquash-4.c
6 There seems to be a stack overflow in read_fragment_table_4 at via what seems to be an integer overflow. Still looking into this problem, it seems like two or three different problems combined.
8 The first problem overflows the bytes variable, so that the allocation is enormous.
9 ```c
10 int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
11 ```
13 If we fix this by making the variable size_t, we run into an unrelated problem in which the stack VLA allocation of fragment_table_index can easily exceed RLIMIT_STACK.
14 ```c
15 long long fragment_table_index[indexes];
16 ```
18 In the case of my system, the RLIMIT_STACK is 8388608, and VLA is asking for 15728648. Plus the stack probably already has a bunch of other things. This is what I believe ultimately leads to the stack overflow.
20 Afterwards, the heap allocation seems to succeed, and the disastrous call to read_fs_bytes is made, which initiates transfer from the squashfs image to the stack. At this stage, a stack overflow appears to be in full effect.
22 ```c
23 res = read_fs_bytes(fd, sBlk.s.fragment_table_start,
24 SQUASHFS_FRAGMENT_INDEX_BYTES(sBlk.s.fragments),
25 fragment_table_index);
26 ```
27 This problem is also present in other read_fragment_table_N functions, and in the original squashfs-tools.
29 ```
30 Parallel unsquashfs: Using 8 processors
31 ASAN:SIGSEGV
32 =================================================================
33 ==8221==ERROR: AddressSanitizer: stack-overflow on address 0x7ffef3ae9608 (pc 0x000000559011 bp 0x7ffef49e9670 sp 0x7ffef3ae9610 T0)
34 #0 0x559010 in read_fragment_table_4 /home/septimus/vr/squashfs-vr/squashfs-tools/unsquash-4.c:40:9
35 #1 0x525073 in main /home/septimus/vr/squashfs-vr/squashfs-tools/unsquashfs.c:2763:5
36 #2 0x7fb56c533a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
37 #3 0x418468 in _start (/home/septimus/vr/squashfs-vr/squashfs-tools/unsquashfs+0x418468)
38 SUMMARY: AddressSanitizer: stack-overflow /home/septimus/vr/squashfs-vr/squashfs-tools/unsquash-4.c:40:9 in read_fragment_table_4
39 ==8221==ABORTING
40 ```
42 Perhaps we should avoid using VLA altogether, and allocate fragment_table_index to the heap?
43 This pull request is an example implementation of the fix for unsquash-4, but I don't have enough test vectors to verify it will not break anything.
44 ---
45 unsquash-4.c | 11 ++++++++---
46 1 file changed, 8 insertions(+), 3 deletions(-)
48 diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
49 index ecdaac7..2c0cf63 100644
50 --- a/squashfs-tools/unsquash-4.c
51 +++ b/squashfs-tools/unsquash-4.c
52 @@ -31,9 +31,9 @@ static unsigned int *id_table;
53 int read_fragment_table_4(long long *directory_table_end)
54 {
55 int res, i;
56 - int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
57 - int indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
58 - long long fragment_table_index[indexes];
59 + size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
60 + size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
61 + long long *fragment_table_index;
63 TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
64 "from 0x%llx\n", sBlk.s.fragments, indexes,
65 @@ -44,6 +44,11 @@ int read_fragment_table_4(long long *directory_table_end)
66 return TRUE;
67 }
69 + fragment_table_index = malloc(indexes*sizeof(long long));
70 + if(fragment_table_index == NULL)
71 + EXIT_UNSQUASH("read_fragment_table: failed to allocate "
72 + "fragment table index\n");
73 +
74 fragment_table = malloc(bytes);
75 if(fragment_table == NULL)
76 EXIT_UNSQUASH("read_fragment_table: failed to allocate "