From 9d339f1d0f53c4116a7cb4acfa895f31a07212ee Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Fri, 2 Sep 2022 20:45:18 -0700 Subject: [PATCH] archive/tar: limit size of headers Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-2879 Updates #54853 Fixes #55926 Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555 Reviewed-by: Tatiana Bradley Run-TryBot: Roland Shoemaker Reviewed-by: Roland Shoemaker (cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053 Reviewed-by: Julie Qiu Reviewed-by: Damien Neil Reviewed-on: https://go-review.googlesource.com/c/go/+/438498 TryBot-Result: Gopher Robot Reviewed-by: Dmitri Shuralyov Reviewed-by: Carlos Amedee Reviewed-by: Dmitri Shuralyov Run-TryBot: Carlos Amedee Upstream-Status: Backport [https://github.com/golang/go/commit/0a723816cd2] CVE: CVE-2022-2879 Signed-off-by: Sunil Kumar --- src/archive/tar/format.go | 4 ++++ src/archive/tar/reader.go | 14 ++++++++++++-- src/archive/tar/writer.go | 3 +++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go index cfe24a5..6642364 100644 --- a/src/archive/tar/format.go +++ b/src/archive/tar/format.go @@ -143,6 +143,10 @@ const ( blockSize = 512 // Size of each block in a tar stream nameSize = 100 // Max length of the name field in USTAR format prefixSize = 155 // Max length of the prefix field in USTAR format + + // Max length of a special file (PAX header, GNU long name or link). + // This matches the limit used by libarchive. + maxSpecialFileSize = 1 << 20 ) // blockPadding computes the number of bytes needed to pad offset up to the diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go index 4f9135b..e996595 100644 --- a/src/archive/tar/reader.go +++ b/src/archive/tar/reader.go @@ -104,7 +104,7 @@ func (tr *Reader) next() (*Header, error) { continue // This is a meta header affecting the next header case TypeGNULongName, TypeGNULongLink: format.mayOnlyBe(FormatGNU) - realname, err := ioutil.ReadAll(tr) + realname, err := readSpecialFile(tr) if err != nil { return nil, err } @@ -294,7 +294,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) { // parsePAX parses PAX headers. // If an extended header (type 'x') is invalid, ErrHeader is returned func parsePAX(r io.Reader) (map[string]string, error) { - buf, err := ioutil.ReadAll(r) + buf, err := readSpecialFile(r) if err != nil { return nil, err } @@ -827,6 +827,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) { return n, err } +// readSpecialFile is like ioutil.ReadAll except it returns +// ErrFieldTooLong if more than maxSpecialFileSize is read. +func readSpecialFile(r io.Reader) ([]byte, error) { + buf, err := ioutil.ReadAll(io.LimitReader(r, maxSpecialFileSize+1)) + if len(buf) > maxSpecialFileSize { + return nil, ErrFieldTooLong + } + return buf, err +} + // discard skips n bytes in r, reporting an error if unable to do so. func discard(r io.Reader, n int64) error { // If possible, Seek to the last byte before the end of the data section. diff --git a/src/archive/tar/writer.go b/src/archive/tar/writer.go index e80498d..893eac0 100644 --- a/src/archive/tar/writer.go +++ b/src/archive/tar/writer.go @@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error { flag = TypeXHeader } data := buf.String() + if len(data) > maxSpecialFileSize { + return ErrFieldTooLong + } if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal { return err // Global headers return here } -- 2.7.4