[Toybox] [PATCH] tar: fix heap buffer overrun.

enh enh at google.com
Thu Oct 15 17:45:12 PDT 2020


On Thu, Oct 15, 2020 at 5:21 PM Rob Landley <rob at landley.net> wrote:
>
> On 10/14/20 3:21 PM, enh wrote:
> > i've sent a new fix that just touches dirtree_path() so that it always
> > honors the size request again.
>
> Applied, and then cosmetically fiddled with because I do that.
>
> >> but I leave for the airport to fly back to Japan in 2 hours. (Part of the
> >> reason I've been so distracted lately, it's not JUST focusing on sh.c. :)
> >>
> >>> Caught by ASan.
> >>
> >> Operating on what path?
> >
> > the new patch's commit message makes it clearer that you can reproduce
> > this with the existing tar tests, as long as you `export ASAN=1`.
> > (would we need extra docker dependencies, or should we just turn that
> > on for the github CI?)
>
> No idea.

yeah, i was hoping our github CI expert would chime in :-)

> I mentioned the ndk not working for this because of the need to build --static
> to run anything on a system that doesn't have bionic installed in /lib, and asan
> not working --static.
>
> I can install llvm 7 through the devuan apt-get (may 2019), but 11 just shipped
> and they don't have debian binaries, just ubuntu. MIGHT work? Not looking
> forward to trying to build that from source, it's really brittle last I
> checked... Ah, maybe I can follow:
>
>   http://www.linuxfromscratch.org/blfs/view/svn/general/llvm.html
>
> Um... is ninja part of cmake now? It lists cmake as a dependency but does not
> list ninja? Did they add ninja to the 10.x base?
>
>   http://www.linuxfromscratch.org/lfs/view/stable/chapter08/ninja.html
>
> yes they did. Lovely...
>
> Anyway, question: is llvm 7 likely to be enough, or should I try compiling llvm
> from source to poke at this asan stuff?

debian testing seems to have llvm 9 atm, and that's what i used, but,
yes, asan's been stable for a while now so i'd expect 7 should be
fine.

> Rob


