fix(convert): prevent argv out-of-bounds write and use PID-specific workspace#842
fix(convert): prevent argv out-of-bounds write and use PID-specific workspace#842aki1770-del wants to merge 1 commit into
Conversation
…orkspace
Two security issues in dlt-convert's -t (tarball) mode:
1. ARGV OUT-OF-BOUNDS WRITE (CVE-class: CWE-131)
After extracting files to the workspace, argc was overwritten:
argc = optind + (n - 2); // n from scandir of /tmp workspace
A subsequent loop then wrote:
argv[index] = tmp_filename; // index may exceed original argc
If an attacker pre-populated /tmp/dlt_convert_workspace/ with
extra files before execution, 'n' would be inflated, argc
extended beyond the original argv array bounds, and subsequent
argv[index] writes would corrupt the stack.
Fix: introduce 'current_file' and set it to tmp_filename (tflag)
or argv[index] (no tflag) without ever writing back to argv[].
2. PREDICTABLE WORKSPACE PATH (CWE-377)
The fixed path /tmp/dlt_convert_workspace/ allowed any local user
to pre-create the directory with arbitrary files before execution,
triggering the overflow above or injecting unexpected .dlt files.
Fix: use a PID-specific path /tmp/dlt_convert_ws_<pid>/ which
is unique per invocation and not guessable by other processes.
Fixes COVESA#793
|
Closing this one. I opened a batch of PRs on this repo over a few days in early April without first doing the build-and-test verification a change in this codebase deserves, and they have been sitting in your queue since. Holding a review slot I didn't earn isn't fair to you, so I'm withdrawing them rather than leaving them open. The branch stays up. If any of the diff is useful, please take it freely — no attribution needed, and no need to reply here. Sorry for the noise. |
|
A subsequent loop then writes to argv[index] using the inflated argc:
Explain how these words relate to eachother?
…On Sun, 12 Jul 2026, 2.45 Akihiko Komada, ***@***.***> wrote:
*aki1770-del* left a comment (COVESA/dlt-daemon#842)
<#842 (comment)>
Closing this one.
I opened a batch of PRs on this repo over a few days in early April
without first doing the build-and-test verification a change in this
codebase deserves, and they have been sitting in your queue since. Holding
a review slot I didn't earn isn't fair to you, so I'm withdrawing them
rather than leaving them open.
The branch stays up. If any of the diff is useful, please take it freely —
no attribution needed, and no need to reply here.
Sorry for the noise.
—
Reply to this email directly, view it on GitHub
<#842?email_source=notifications&email_token=AAMEGNDBKL5EDKXXKFKN7XT5ELGSZA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOJUHEZDANBXHA4KM4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4949204788>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAMEGNHTLQD4BN7CDNUEKA35ELGSZAVCNFSNUABEKJSXA33TNF2G64TZHM3DQMZQGY2TQNR3JFZXG5LFHM2DEMBQGYYTSNJQGGQXMAQ>
.
Triage notifications, keep track of coding agent tasks and review pull
requests on the go with GitHub Mobile for iOS
<https://github.com/notifications/mobile/ios/AAMEGNFN3X2D6OXWWN6FCVD5ELGSZA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOJUHEZDANBXHA4KM4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSVGM33PORSXEX3JN5ZQ>
and Android
<https://github.com/notifications/mobile/android/AAMEGNAQLKSQ5NUZAHXJF7D5ELGSZA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOJUHEZDANBXHA4KM4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSXGM33PORSXEX3BNZSHE33JMQ>.
Download it today!
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
"Inflated argc" and "writes to argv[index]" connect through the argc reassignment. In the tar path argc is overwritten away from its real meaning: Then The underlying issue is reusing argc/argv as scratch storage for the unpacked-file list; the clean fix is a separate count and array, not patching the bound in place. That part isn't mine to write — I don't know this codebase well enough — and it's your call whether it warrants its own issue. |
Problem
dlt-convert -t <tarball>has two security issues:1. argv out-of-bounds write (CWE-131 / stack corruption)
After extracting files to the workspace directory, the code overwrites
argc:A subsequent loop then writes to
argv[index]using the inflatedargc:If a malicious local user pre-populates
/tmp/dlt_convert_workspace/with extra files before execution,nis inflated,argcis set beyond the original argv array bounds, andargv[index]writes corrupt the stack — leading to a stack overflow as demonstrated with AddressSanitizer in #793.2. Predictable workspace path (CWE-377)
The fixed path
/tmp/dlt_convert_workspace/is world-writable and predictable. Any local user can pre-create it with arbitrary contents beforedlt-convertis run, triggering the overflow or injecting unexpected.dltfiles.Fixes #793.
Fix
For (1): Introduce a
current_filepointer. In the processing loop, set it totmp_filenamein tarball mode orargv[index]otherwise. Removeargv[index] = tmp_filenameentirely — the originalargvarray is never written to.For (2): Use a PID-specific workspace path
/tmp/dlt_convert_ws_<pid>/(format stringDLT_CONVERT_WS_FMT). The path is unique per invocation and not guessable by other local processes.Testing
dlt-convert.c#793 (pre-populated/tmp/dlt_convert_ws_*/) — no stack overflow occurs-toperation with a valid tar file continues to work correctly