Date: Sun, 03 Mar 2024 15:05:37 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 277454] bsdtar can dereference NULL from localtime()
Message-ID: <bug-277454-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277454

            Bug ID: 277454
           Summary: bsdtar can dereference NULL from localtime()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 248898
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=248898&action=edit
a tar file that causes localtime() to return NULL

In list_item_verbose() in src/contrib/libarchive/tar/util.c:

        ltime = localtime(&tim);
        strftime(tmp, sizeof(tmp), fmt, ltime);

localtime() can return NULL, so there can be a crash in strftime().

I've attached a demo tar file:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #18 main-n268497-3562b7b1eb80: Fri Feb 23 07:08:37 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
# tar tvf tar5a.img
Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
_fmt (format=0x10267ab "b %e %Y", t=t@entry=0x0,
    pt=pt@entry=0x7fffffffe620 "0", ptlim=ptlim@entry=0x7fffffffe684 "",
    warnp=warnp@entry=0x7fffffffe59c,
    loc=loc@entry=0x80132e998 <__xlocale_global_locale>)
    at /usr/src/lib/libc/stdtime/strftime.c:152
152                             pt = _add((t->tm_mon < 0 ||
(gdb) where
#0  _fmt (format=0x10267ab "b %e %Y", t=t@entry=0x0,
    pt=pt@entry=0x7fffffffe620 "0", ptlim=ptlim@entry=0x7fffffffe684 "",
    warnp=warnp@entry=0x7fffffffe59c,
    loc=loc@entry=0x80132e998 <__xlocale_global_locale>)
    at /usr/src/lib/libc/stdtime/strftime.c:152
#1  0x00000008012810fb in strftime_l (s=0x7fffffffe620 "0",
    maxsize=<optimized out>, format=0x10267aa "%b %e %Y", t=0x0,
    loc=0x80132e998 <__xlocale_global_locale>)
    at /usr/src/lib/libc/stdtime/strftime.c:84
#2  0x0000000801282616 in strftime (
    s=0x62 <error: Cannot access memory at address 0x62>,
    s@entry=0x7fffffffe620 "0", maxsize=0, maxsize@entry=100, format=0x0,
    format@entry=0x10267aa "%b %e %Y", t=0x7fffffffe601)
    at /usr/src/lib/libc/stdtime/strftime.c:111
#3  0x000000000102e1a9 in list_item_verbose (
    bsdtar=bsdtar@entry=0x7fffffffe7c8, out=out@entry=0x80132f078,
    entry=0x801e45000) at /usr/src/contrib/libarchive/tar/util.c:752
#4  0x000000000102c09e in read_archive (bsdtar=bsdtar@entry=0x7fffffffe7c8,
    mode=mode@entry=116 't', writer=writer@entry=0x0)
    at /usr/src/contrib/libarchive/tar/read.c:323
#5  0x000000000102bbee in tar_mode_t (bsdtar=0x62, bsdtar@entry=0x7fffffffe7c8)
    at /usr/src/contrib/libarchive/tar/read.c:94
#6  0x000000000102a665 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/contrib/libarchive/tar/bsdtar.c:942

-- 
You are receiving this mail because:
You are the assignee for the bug.
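
The missing check described in the report, as an added example that is not part of the original message and is not libarchive's code or its fix: the localtime() result is tested before it reaches strftime(), with a numeric fallback when it is NULL. The helper name format_mtime, the fallback format and the sample values are assumptions; the "%b %e %Y" format string is the one visible in the backtrace.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/*
 * Hypothetical helper (not libarchive code): format an entry's mtime for
 * a verbose listing. Returns 1 if a calendar date was written to buf,
 * 0 if the raw seconds value was written as a fallback.
 */
static int
format_mtime(time_t tim, char *buf, size_t len)
{
	struct tm *ltime;

	if (len == 0)
		return 0;

	/* localtime() returns NULL when tim cannot be converted. */
	ltime = localtime(&tim);
	if (ltime != NULL && strftime(buf, len, "%b %e %Y", ltime) != 0)
		return 1;

	/* Fallback: a NULL struct tm is never handed to strftime(). */
	snprintf(buf, len, "%jd", (intmax_t)tim);
	return 0;
}

int
main(void)
{
	/* Constructed sample values, not taken from the attached tar file. */
	time_t samples[] = { 0, (time_t)1709478337, (time_t)INT64_MAX };
	char tmp[100];

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int ok = format_mtime(samples[i], tmp, sizeof(tmp));
		printf("%-5s %s\n", ok ? "date" : "raw", tmp);
	}
	return 0;
}
```
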