[Bug 277454] bsdtar can dereference NULL from localtime()

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 03 Mar 2024 15:05:37 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277454

            Bug ID: 277454
           Summary: bsdtar can dereference NULL from localtime()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 248898
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=248898&action=edit
a tar file that causes localtime() to return NULL

In list_item_verbose() in src/contrib/libarchive/tar/util.c:

        ltime = localtime(&tim);
        strftime(tmp, sizeof(tmp), fmt, ltime);

localtime() can return NULL, so there can be a crash in strftime().

I've attached a demo tar file:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #18
main-n268497-3562b7b1eb80: Fri Feb 23 07:08:37 AST 2024    
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

# tar tvf tar5a.img

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
_fmt (format=0x10267ab "b %e  %Y", t=t@entry=0x0, 
    pt=pt@entry=0x7fffffffe620 "0", ptlim=ptlim@entry=0x7fffffffe684 "", 
    warnp=warnp@entry=0x7fffffffe59c, 
    loc=loc@entry=0x80132e998 <__xlocale_global_locale>)
    at /usr/src/lib/libc/stdtime/strftime.c:152
152                                     pt = _add((t->tm_mon < 0 ||
(gdb) where
#0  _fmt (format=0x10267ab "b %e  %Y", t=t@entry=0x0, 
    pt=pt@entry=0x7fffffffe620 "0", ptlim=ptlim@entry=0x7fffffffe684 "", 
    warnp=warnp@entry=0x7fffffffe59c, 
    loc=loc@entry=0x80132e998 <__xlocale_global_locale>)
    at /usr/src/lib/libc/stdtime/strftime.c:152
#1  0x00000008012810fb in strftime_l (s=0x7fffffffe620 "0", 
    maxsize=<optimized out>, format=0x10267aa "%b %e  %Y", t=0x0, 
    loc=0x80132e998 <__xlocale_global_locale>)
    at /usr/src/lib/libc/stdtime/strftime.c:84
#2  0x0000000801282616 in strftime (
    s=0x62 <error: Cannot access memory at address 0x62>, 
    s@entry=0x7fffffffe620 "0", maxsize=0, maxsize@entry=100, format=0x0, 
    format@entry=0x10267aa "%b %e  %Y", t=0x7fffffffe601)
    at /usr/src/lib/libc/stdtime/strftime.c:111
#3  0x000000000102e1a9 in list_item_verbose (
    bsdtar=bsdtar@entry=0x7fffffffe7c8, out=out@entry=0x80132f078, 
    entry=0x801e45000) at /usr/src/contrib/libarchive/tar/util.c:752
#4  0x000000000102c09e in read_archive (bsdtar=bsdtar@entry=0x7fffffffe7c8, 
    mode=mode@entry=116 't', writer=writer@entry=0x0)
    at /usr/src/contrib/libarchive/tar/read.c:323
#5  0x000000000102bbee in tar_mode_t (bsdtar=0x62, bsdtar@entry=0x7fffffffe7c8)
    at /usr/src/contrib/libarchive/tar/read.c:94
#6  0x000000000102a665 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/contrib/libarchive/tar/bsdtar.c:942

-- 
You are receiving this mail because:
You are the assignee for the bug.
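The failure mode the report describes can be reproduced without the attached archive: a timestamp whose year does not fit in the `int tm_year` field of `struct tm` makes `localtime()` (and `localtime_r()`) return NULL with `errno` set to `EOVERFLOW`, and `strftime()` then dereferences that NULL exactly as in the backtrace above. The program below is an added example, not code from libarchive or from the reporter; the function names `time_t_max`, `localtime_rejects_max` and `format_mtime` are hypothetical, and it assumes `time_t` is a signed 32- or 64-bit integer (true on FreeBSD, Linux and macOS). It shows the hardened form of the `list_item_verbose()` snippet: the result of the conversion is checked, and an out-of-range mtime is listed with a fixed-width placeholder instead of crashing the listing.

```c
#define _POSIX_C_SOURCE 200809L   /* for localtime_r() */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Largest value a time_t can hold on this platform. Assumption: time_t is a
 * signed 32- or 64-bit integer (FreeBSD, Linux, macOS). */
static time_t time_t_max(void)
{
    return sizeof(time_t) == 8 ? (time_t)INT64_MAX : (time_t)INT32_MAX;
}

/* Returns 1 if localtime() refuses the platform's maximum time_t. With a
 * 64-bit time_t the resulting year cannot be stored in int tm_year, so libc
 * returns NULL (and sets errno to EOVERFLOW) instead of a struct tm. */
int localtime_rejects_max(void)
{
    time_t t = time_t_max();
    struct tm *ltime;

    errno = 0;
    ltime = localtime(&t);
    return ltime == NULL;
}

/* Hardened counterpart of the date formatting in list_item_verbose():
 * never hands a NULL struct tm to strftime(). Returns 1 when a date was
 * formatted into buf, 0 when a placeholder was written instead. */
int format_mtime(time_t t, const char *fmt, char *buf, size_t buflen)
{
    struct tm tmbuf;
    /* localtime_r() is reentrant and, like localtime(), returns NULL when the
     * value does not fit in struct tm. */
    struct tm *ltime = localtime_r(&t, &tmbuf);

    if (ltime == NULL || strftime(buf, buflen, fmt, ltime) == 0) {
        /* Out-of-range timestamp (or fmt yielded nothing): keep the listing
         * aligned with a fixed-width placeholder rather than dereferencing NULL. */
        snprintf(buf, buflen, "%s", "??? ?? ????");
        return 0;
    }
    return 1;
}

int main(void)
{
    char buf[100];
    const char *fmt = "%b %e  %Y";   /* the format seen in the backtrace */

    printf("localtime() returns NULL for max time_t: %s\n",
           localtime_rejects_max() ? "yes" : "no");

    format_mtime((time_t)0, fmt, buf, sizeof(buf));   /* the epoch always converts */
    printf("epoch      : %s\n", buf);

    format_mtime(time_t_max(), fmt, buf, sizeof(buf));
    printf("max time_t : %s\n", buf);
    return 0;
}
```

The same check belongs anywhere a file's mtime, atime or ctime from an untrusted archive header is passed through `localtime()`/`gmtime()`; an archive can carry any 64-bit value in those fields, so the conversion must be treated as fallible.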