LibArchive: Fix fixed-width fields unbounded reads and PAX size OOM#26796
LibArchive: Fix fixed-width fields unbounded reads and PAX size OOM#26796Miriam-R-coder wants to merge 2 commits into
Conversation
|
Hello! One or more of the commit messages in this PR do not match the SerenityOS code submission policy, please check the |
Hendiadyoin1
left a comment
There was a problem hiding this comment.
As the Commit linter suggests, please use namespaced and imperative commit titles, like:
LibArchive: Use strnlen for bounded strings in tar archives
or
LibArchive/Tar: Validate the PAX header
changes look good otherwise
| if (header_size > 1024 * 1024) | ||
| return Error::from_string_literal("PAX extended header size exceeds maximum allowed limit"); |
There was a problem hiding this comment.
Is there an easy way to test this?
if so please add a test
|
To change the commit titles after the fact you can use |
| if (header_size > 1024 * 1024) | ||
| return Error::from_string_literal("PAX extended header size exceeds maximum allowed limit"); |
There was a problem hiding this comment.
It's been some time since I wrote this, could we stream in the PAX content instead and then (maybe) enforce an arbitrary size limit on the individual entry instead?
|
Thanks @timschumi! Streaming the PAX content definitely sounds like the right long-term fix to avoid loading everything into memory. However, that might require a larger refactor of TarStream. Would it be acceptable to keep this 1 MiB threshold as a quick, temporary safety guard for now, and open a separate issue to track the refactoring of PAX parsing into a stream? |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions! |
|
@timschumi Hi, just the issue reporter here, noticed this went stale. Is the 1 MiB cap fine as a stopgap (with the streaming refactor as a follow-up issue), or what would be needed for this to land? |
Description
This PR addresses two security-relevant findings in LibArchive's tar parser reported in #26773:
__builtin_strlenwithstrnleninsideget_field_as_string_viewto prevent out-of-bounds memory reads on non-NUL terminated fields (such asm_link_name,m_magic,m_version, andm_prefix).ByteBuffer::create_zeroed(), mitigating potential Out-Of-Memory (OOM) amplification attacks.Fixes #26773