Debian Bug report logs - #466771
busybox cpio: does not unpack hardlinks to empty files


Package: busybox; Maintainer for busybox is Debian Install System Team <debian-boot@lists.debian.org>; Source for busybox is src:busybox.

Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Wed, 20 Feb 2008 20:42:01 UTC

Severity: normal

Tags: fixed-upstream

Found in version busybox/1:1.1.3-5

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#466771; Package busybox.

Acknowledgement sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: busybox cpio: double free or corruption during cpio extraction of hardlinks
Date: Wed, 20 Feb 2008 15:39:11 -0500
Package: busybox
Version: 1:1.1.3-5
Severity: important

busybox cpio seems to corrupt its memory (maybe with a double free?)
when extracting a hardlink.

Here's a transcript of a simple case to trigger the failure:

0 dkg@ape:/tmp$ mkdir tt
0 dkg@ape:/tmp$ touch tt/x
0 dkg@ape:/tmp$ ln tt/x tt/y
0 dkg@ape:/tmp$ mkdir xx
0 dkg@ape:/tmp$ find tt | cpio -H newc --create | (cd xx && busybox cpio -i)
1 block
1 blocks
cpio: TRAILER!!! not created: cannot resolve hardlink
cpio: (null) not created: cannot resolve hardlink
*** glibc detected *** busybox: double free or corruption (fasttop): 0x08178048 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7dd8915]
/lib/i686/cmov/libc.so.6(cfree+0x90)[0xb7ddc380]
busybox[0x805378b]
134 dkg@ape:/tmp$ 

The standard cpio doesn't seem to have this problem:

0 dkg@ape:/tmp$ rm -rf xx
0 dkg@ape:/tmp$ mkdir xx
0 dkg@ape:/tmp$ find tt | cpio -H newc --create | (cd xx && cpio -i)
1 block
1 block
0 dkg@ape:/tmp$ ls -lR xx
xx:
total 0
drwxr-xr-x 2 wt215 wt215 80 2008-02-20 15:26 tt

xx/tt:
total 0
-rw-r--r-- 2 wt215 wt215 0 2008-02-20 15:26 x
-rw-r--r-- 2 wt215 wt215 0 2008-02-20 15:26 y
0 dkg@ape:/tmp$ 

This seems to happen with -t (list) the same as -i (extract), so i
expect it's a problem with parsing, not file creation.

fwiw, it doesn't seem to be a problem with busybox 1.9.1, as built
with waldi's debian packaging at:

 svn://svn.debian.org/d-i/people/waldi/packages/busybox/debian

With version 1.9.1, it still doesn't unpack the hardlinks, but it
doesn't double-free, at least:

0 dkg@ape:/tmp$ find tt | cpio -H newc --create | (cd xx && ~/src/busybox/busybox-1.9.1/debian/busybox/bin/busybox cpio -i)
1 block
1 blocks
cpio: tt/x not created: cannot resolve hardlink
cpio: tt/y not created: cannot resolve hardlink
0 dkg@ape:/tmp$ find xx
xx
xx/tt
0 dkg@ape:/tmp$ 

Thanks for maintaining busybox in debian!

       --dkg

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages busybox depends on:
ii  libc6                         2.7-6      GNU C Library: Shared libraries

busybox recommends no packages.

-- no debconf information





Severity set to `normal' from `important' Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 24 Mar 2008 13:24:20 GMT)

Changed Bug title to `busybox cpio: doesn't unpack hardlinks' from `busybox cpio: double free or corruption during cpio extraction of hardlinks'. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 24 Mar 2008 13:24:21 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#466771; Package busybox.

Acknowledgement sent to Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #14 received at 466771@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
To: 466771@bugs.debian.org
Cc: control@bugs.debian.org
Subject: version 1.9.2 does unpack hardlinks, but not for empty files
Date: Tue, 25 Mar 2008 17:31:26 -0400
retitle 466771 busybox cpio: does not unpack hardlinks to empty files
thanks

Testing this out with the new busybox-static 1.9.2-1 from unstable, it
appears that most hardlinks *are* actually unpacked, with the
exception of zero-byte files that are linked to more than once.

[0 dkg@squeak cdtemp.h29208]$ mkdir test
[0 dkg@squeak cdtemp.h29208]$ touch test/solo
[0 dkg@squeak cdtemp.h29208]$ touch test/empty
[0 dkg@squeak cdtemp.h29208]$ echo -n x >test/nonempty
[0 dkg@squeak cdtemp.h29208]$ ln test/empty test/empty1
[0 dkg@squeak cdtemp.h29208]$ ln test/nonempty test/nonempty1
[0 dkg@squeak cdtemp.h29208]$ mkdir z
[0 dkg@squeak cdtemp.h29208]$ find test | cpio -H newc --create | (cd z && ../bin/busybox cpio -i)
Using fallback suid method
2 blocks
2 blocks
cpio: test/empty not created: cannot resolve hardlink
cpio: test/empty1 not created: cannot resolve hardlink
[0 dkg@squeak cdtemp.h29208]$ 

This appears to be because archival/libunarchive/get_header_cpio.c:134
assumes that a zero-byte regular file with nlink > 1 must refer to the
contents of some other nonempty file yet to be extracted, which
clearly isn't the case if the original file itself was zero bytes in
length.

Thanks for busybox in debian!

         --dkg
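
The deferral rule described in message #14, as an added C example (not busybox's code and not part of the report): a minimal newc walker over a constructed in-memory archive mirroring the report's `test/` tree. `put`, `hex8`, `created_count` and the `flush` switch are hypothetical names, and creating still-pending links at the trailer is one way to handle the empty-file case, assumed here rather than taken from the upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAD4(n) (((n) + 3u) & ~3u) /* newc pads header+name and data to 4 bytes */
static unsigned hex8(const char *p) { char b[9] = {0}; memcpy(b, p, 8); return (unsigned)strtoul(b, NULL, 16); }
/* Append one newc entry to a zeroed buffer; returns the next offset. */
static size_t put(char *a, size_t off, unsigned ino, unsigned mode,
                  unsigned nlink, const char *name, const char *data)
{
    unsigned nsz = (unsigned)strlen(name) + 1, dsz = (unsigned)strlen(data);
    /* ino mode uid gid nlink mtime filesize dev(4 fields) namesize check */
    sprintf(a + off, "070701%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%s",
            ino, mode, 0u, 0u, nlink, 0u, dsz, 0u, 0u, 0u, 0u, nsz, 0u, name);
    off += PAD4(110 + nsz);
    memcpy(a + off, data, dsz);
    return off + PAD4(dsz);
}

/* Count entries an extractor would create (constructed input only: no length checks). */
static int created_count(const char *a, int flush)
{
    unsigned pend[16]; int npend = 0, created = 0;
    for (size_t off = 0; memcmp(a + off, "070701", 6) == 0; ) {
        unsigned ino = hex8(a + off + 6), mode = hex8(a + off + 14), nlink = hex8(a + off + 38);
        unsigned size = hex8(a + off + 54), nsz = hex8(a + off + 94), reg = (mode & 0170000) == 0100000;
        if (strcmp(a + off + 110, "TRAILER!!!") == 0) break;
        off += PAD4(110 + nsz) + PAD4(size);
        /* zero-byte regular file with nlink > 1: defer, assuming a later link carries the data */
        if (reg && nlink > 1 && size == 0 && npend < 16) { pend[npend++] = ino; continue; }
        created++;
        for (int i = 0; i < npend; ) /* resolve links that were waiting on this inode */
            if (pend[i] == ino) { created++; pend[i] = pend[--npend]; } else i++;
    }
    return created + (flush ? npend : 0); /* flush: leftover links are genuinely empty files */
}

int main(void)
{
    static char a[2048]; /* zero-filled; constructed sample, not a captured archive */
    size_t o = put(a, 0, 1, 0040755, 2, "test", "");
    o = put(a, o, 2, 0100644, 1, "test/solo", "");
    o = put(a, o, 3, 0100644, 2, "test/empty", "");
    o = put(a, o, 3, 0100644, 2, "test/empty1", "");
    o = put(a, o, 4, 0100644, 2, "test/nonempty", ""); /* data rides on the last link */
    o = put(a, o, 4, 0100644, 2, "test/nonempty1", "x");
    put(a, o, 0, 0, 1, "TRAILER!!!", "");
    printf("defer only: %d created, flush at trailer: %d created\n", created_count(a, 0), created_count(a, 1));
    return 0;
}
```

With deferral alone, `test/empty` and `test/empty1` are never created, matching the two "cannot resolve hardlink" lines in the transcript above.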

Changed Bug title to `busybox cpio: does not unpack hardlinks to empty files' from `busybox cpio: doesn't unpack hardlinks'. Request was from Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> to control@bugs.debian.org. (Tue, 25 Mar 2008 21:39:56 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#466771; Package busybox.

Acknowledgement sent to Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.

Message #21 received at 466771@bugs.debian.org:

From: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
To: 466771@bugs.debian.org
Cc: control@bugs.debian.org, Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
Subject: Re: cpio: does not unpack hardlinks to empty files
Date: Fri, 5 Sep 2008 17:46:18 +0200
tag 466771 fixed-upstream
thanks

This was fixed upstream and should work as expected with busybox-1.11.2.
See also: http://busybox.net/lists/busybox/2008-July/032213.html




Tags added: fixed-upstream Request was from Bernhard Reutner-Fischer <rep.dot.nop@gmail.com> to control@bugs.debian.org. (Fri, 05 Sep 2008 15:48:04 GMT)

Changed Bug submitter from Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> to Daniel Kahn Gillmor <dkg@fifthhorseman.net>. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Thu, 26 Mar 2009 13:42:22 GMT)

Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Sun, 12 Apr 2009 12:15:11 GMT)

Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Sun, 12 Apr 2009 12:15:11 GMT)

Message #30 received at 466771-done@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: 466771-done@bugs.debian.org
Subject: fixed
Date: Sun, 12 Apr 2009 14:11:41 +0200
This was fixed some time ago.

Bastian

-- 
Conquest is easy. Control is not.
		-- Kirk, "Mirror, Mirror", stardate unknown




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 May 2009 07:30:08 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:08:28 2014; Machine Name: buxtehude.debian.org
