NetBSD-Bugs archive


bin/49821: /bin/tar randomly coredumps when security.pax.aslr.enabled is set to 1



>Number:         49821
>Category:       bin
>Synopsis:       /bin/tar randomly coredumps when security.pax.aslr.enabled is set to 1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 06 20:00:00 +0000 2015
>Originator:     Alexander Nasonov
>Release:        amd64 7.99.9
>Organization:
>Environment:
NetBSD neva 7.99.9 NetBSD 7.99.9 (NODRM) #0: Mon Apr  6 18:29:57 BST 2015  alnsn@nebeda.localdomain:/home/alnsn/netbsd-current/src/sys/arch/amd64/compile/obj/NODRM amd64

>Description:
/bin/tar randomly fails to list files in a gzipped or bzip2ed modules.tar file:

$ tar ztpf modules.tar.gz |head 
tar: End of archive volume 1 reached
tar: Sorry, unable to determine archive format.

$ tar ztpf modules.tar.gz |head 
tar: End of archive volume 1 reached
tar: Sorry, unable to determine archive format.

$ tar ztpf modules.tar.gz |head 
tar: End of archive volume 1 reached
tar: Sorry, unable to determine archive format.

$ tar ztpf modules.tar.gz |head 
./etc/mtree/set.modules
./stand/amd64
./stand/amd64/7.99.9
./stand/amd64/7.99.9/modules
./stand/amd64/7.99.9/modules/accf_dataready
./stand/amd64/7.99.9/modules/accf_dataready/accf_dataready.kmod
./stand/amd64/7.99.9/modules/accf_httpready
./stand/amd64/7.99.9/modules/accf_httpready/accf_httpready.kmod
./stand/amd64/7.99.9/modules/acpiacad
./stand/amd64/7.99.9/modules/acpiacad/acpiacad.kmod
tar: Listing incomplete. (Broken pipe)
gzip: error writing to output: Broken pipe


It crashes after a fork:

 11945      1 tar      CALL  open(0x7f7fff7f5e51,0,0x1b6)
 11945      1 tar      NAMI  "modules.tar.gz"
 11945      1 tar      RET   open 5
 11945      1 tar      CALL  pipe
 11945      1 tar      RET   pipe 6, 7
 11945      1 tar      CALL  fork
 11945      1 tar      RET   fork 3441/0xd71
 11945      1 tar      CALL  dup2(6,5)
 11945      1 tar      RET   dup2 5
 11945      1 tar      CALL  close(6)
 11945      1 tar      RET   close 0
 11945      1 tar      CALL  close(7)
 11945      1 tar      RET   close 0
 11945      1 tar      CALL  __fstat50(5,0x61fb40)
 11945      1 tar      RET   __fstat50 0
 11945      1 tar      CALL  lseek(5,0,0,1)
 11945      1 tar      RET   lseek -1 errno 29 Illegal seek
 11945      1 tar      CALL  read(5,0x620440,0x7e00)
  3441      1 tar      EMUL  "netbsd"
  3441      1 tar      RET   fork 0
  3441      1 tar      PSIG  SIGSEGV SIG_DFL: code=SEGV_ACCERR, addr=0x7f7ff7c02d60, trap=6)
  3441      1 tar      NAMI  "/var/crash/alnsn/."
  3441      1 tar      NAMI  "/var/crash/alnsn/tar.core"


It's interesting that it crashed on a string containing "PQRVWAPAQARASH":

$ gdb - /var/crash/alnsn/tar.core  
[New process 1]
Core was generated by `tar'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f7ff7c02d60 in ?? ()
(gdb) x/s 0x00007f7ff7c02d60
0x7f7ff7c02d60: "\234PQRVWAPAQARASH\213|$PH\213t$X\350J\003"
(gdb) 


The files modules.tar.gz, ktrace.out and tar.core are available here:

http://www.netbsd.org/~alnsn/tar-aslr-bug/
>How-To-Repeat:
Download http://www.netbsd.org/~alnsn/tar-aslr-bug/modules.tar.gz
Enable ASLR: sysctl -w security.pax.aslr.enabled=1
Run 'tar ztpf modules.tar.gz' a few times.
>Fix:
Not known.
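
The gdb string quoted in the Description can be decoded to see what sits at the faulting address. The script below is an added example, not part of this PR or of NetBSD; it converts gdb's escaped string into raw bytes and runs a deliberately tiny x86-64 decoder that knows only the instruction forms occurring in that dump (pushfq, push r64, mov r64,[rsp+disp8], call rel32). The result is a register-save prologue followed by a call that takes two arguments from the stack, which is the shape of a dynamic linker's lazy-binding trampoline; identifying it with ld.elf_so's own stub is my assumption, not something the report states. What the report does establish is that the fault is SEGV_ACCERR at an address holding code rather than data, i.e. a permission fault on a mapped page, which is the first thing to check (mapping flags of that page in the core) when ASLR is the only variable being toggled.

```python
import re
import struct

# Copied from the report: the string gdb printed for x/s 0x7f7ff7c02d60.
GDB_STRING = r'"\234PQRVWAPAQARASH\213|$PH\213t$X\350J\003"'

_SIMPLE_ESCAPES = {'n': 10, 't': 9, 'r': 13, 'a': 7, 'b': 8, 'f': 12, 'v': 11,
                   'e': 27, '\\': 92, '"': 34}

def gdb_string_to_bytes(s: str) -> bytes:
    """Turn gdb's C-style quoted string (octal escapes such as \\234) into raw bytes.
    gdb stops x/s at the first NUL, so the result is whatever preceded that byte."""
    body = s.strip()
    if body.startswith('"') and body.endswith('"'):
        body = body[1:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] != '\\':
            out.append(ord(body[i]))
            i += 1
            continue
        m = re.match(r'[0-7]{1,3}', body[i + 1:])
        if m:                      # octal escape, e.g. \213
            out.append(int(m.group(0), 8))
            i += 1 + len(m.group(0))
        else:                      # \n, \", \\ and friends
            out.append(_SIMPLE_ESCAPES[body[i + 1]])
            i += 2
    return bytes(out)

_REG64 = ['rax', 'rcx', 'rdx', 'rbx', 'rsp', 'rbp', 'rsi', 'rdi']

def _reg(n: int) -> str:
    return _REG64[n] if n < 8 else f'r{n}'

def decode_x86_64(code: bytes) -> list:
    """Minimal x86-64 decoder covering only the forms present in the dump:
    pushfq, push r64 (REX.B selects r8-r15), mov r64,[rsp+disp8], call rel32.
    Returns (offset, text) pairs and stops at the first byte it does not know."""
    insns = []
    i = 0
    while i < len(code):
        start, b, rex = i, code[i], 0
        if 0x40 <= b <= 0x4f:          # REX prefix
            rex, i = b, i + 1
            if i >= len(code):
                insns.append((start, '?? truncated REX'))
                break
            b = code[i]
        if b == 0x9c and not rex:
            insns.append((start, 'pushfq')); i += 1
        elif 0x50 <= b <= 0x57:
            insns.append((start, f'push {_reg(b - 0x50 + (8 if rex & 1 else 0))}')); i += 1
        elif (b == 0x8b and rex & 8 and i + 3 < len(code)
              and code[i + 1] & 0xc7 == 0x44 and code[i + 2] == 0x24):
            # REX.W 8B /r, ModRM mod=01 rm=100 + SIB 0x24  =>  mov reg,[rsp+disp8]
            reg = ((code[i + 1] >> 3) & 7) | (8 if rex & 4 else 0)
            insns.append((start, f'mov {_reg(reg)}, [rsp+0x{code[i + 3]:x}]')); i += 4
        elif b == 0xe8 and not rex:
            if i + 5 <= len(code):
                rel = struct.unpack_from('<i', code, i + 1)[0]
                insns.append((start, f'call rel32 {rel:+#x}')); i += 5
            else:
                insns.append((start, 'call rel32 (displacement cut off by the NUL that ended x/s)'))
                break
        else:
            insns.append((start, f'?? 0x{b:02x}'))
            break
    return insns

def disassemble_report() -> list:
    """Mnemonics for the bytes at the faulting address, as plain strings."""
    return [text for _, text in decode_x86_64(gdb_string_to_bytes(GDB_STRING))]

if __name__ == '__main__':
    for off, text in decode_x86_64(gdb_string_to_bytes(GDB_STRING)):
        print(f'+0x{off:02x}  {text}')
```

The decode yields pushfq, nine pushes (rax, rcx, rdx, rsi, rdi, r8 to r11), then mov rdi,[rsp+0x50] and mov rsi,[rsp+0x58]: exactly 0x50 bytes of saved registers sit above the two qwords the stub reads as its arguments, so the caller pushed them just before entering. The call's 32-bit displacement is cut off because gdb's x/s stopped at the first NUL byte; x/32xb on the same address would show the rest.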


