From ca598e2a51fd80ed789e5fb4aa48816ccd84e374 Mon Sep 17 00:00:00 2001
From: Timo Teräs <timo.teras@iki.fi>
Date: Sun, 11 Apr 2021 15:21:42 +0300
Subject: io_archive: add bounds limit for uname and gname tar header fields
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
proper length checking is done and honored.

==31584== Conditional jump or move depends on uninitialised value(s)
==31584==    at 0x5C8CA5: strlen (strlen.c:17)
==31584==    by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584==    by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584==    by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584==    by 0x4271BC: apk_pkg_read (package.c:929)
==31584==    by 0x402D75: add_main (app_add.c:163)
==31584==    by 0x40D5FF: main (apk-static.c:516)

Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.

Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
---
 src/io_archive.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src/io_archive.c')

diff --git a/src/io_archive.c b/src/io_archive.c
index 79cfd74..1022e8f 100644
--- a/src/io_archive.c
+++ b/src/io_archive.c
@@ -49,6 +49,7 @@ struct tar_header {
 	char padding[12];   /* 500-511 */
 };
 
+#define TAR_BLOB(s)	APK_BLOB_PTR_LEN(s, strnlen(s, sizeof(s)))
 #define GET_OCTAL(s)	get_octal(s, sizeof(s))
 #define PUT_OCTAL(s,v)	put_octal(s, sizeof(s), v)
 
@@ -149,8 +150,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
 
 		entry = (struct apk_file_info){
 			.size  = GET_OCTAL(buf.size),
-			.uid   = apk_resolve_uid(idc, buf.uname, GET_OCTAL(buf.uid)),
-			.gid   = apk_resolve_gid(idc, buf.gname, GET_OCTAL(buf.gid)),
+			.uid   = apk_resolve_uid(idc, TAR_BLOB(buf.uname), GET_OCTAL(buf.uid)),
+			.gid   = apk_resolve_gid(idc, TAR_BLOB(buf.gname), GET_OCTAL(buf.gid)),
 			.mode  = GET_OCTAL(buf.mode) & 07777,
 			.mtime = GET_OCTAL(buf.mtime),
 			.name  = entry.name,
-- 
cgit v1.2.3-60-g2f50