An invalid address dereference was discovered in the lzo_decompress_buf function in /lrzip/stream.c, as distributed in the master branch of lrzip. A crafted compressed file can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Here are the POC files. Please use "./lrzip -t $POC" to reproduce the error.
POC.zip
git log
commit 79f505165be5524a52fcaaada7aee8a62978fbf9
Merge: 9819e86 c2714b9
Author: Con Kolivas <kernel@kolivas.org>
Date: Sun Feb 24 17:14:54 2019 +1100
Merge pull request #106 from areading/ar/thread_race_segfault
Fix thread race causing segfault during decompression
ASAN dumps the stack trace as follows:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153830==ERROR: AddressSanitizer: SEGV on unknown address 0x620ffffffc12 (pc 0x7fbea844f26e bp 0x621000000416 sp 0x7fbea46fec60 T1)
==153830==The signal is caused by a READ memory access.
#0 0x7fbea844f26d in lzo1x_decompress (/lib/x86_64-linux-gnu/liblzo2.so.2+0x1326d)
#1 0x57203d in lzo_decompress_buf /lrzip/stream.c:588:10
#2 0x57203d in ucompthread /lrzip/stream.c:1525
#3 0x4e930e in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) /llvm-6.0.1/projects/compiler-rt/lib/asan/asan_thread.cc:259
#4 0x7fbea7af36b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#5 0x7fbea6e7941c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/liblzo2.so.2+0x1326d) in lzo1x_decompress
Thread T1 created by T0 here:
#0 0x4348a0 in pthread_create /llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors.cc:204
#1 0x561d76 in create_pthread /lrzip/stream.c:133:6
#2 0x561d76 in fill_buffer /lrzip/stream.c:1682
#3 0x561d76 in read_stream /lrzip/stream.c:1769
#4 0x54b887 in read_u8 /lrzip/runzip.c:55:6
#5 0x54b887 in read_header /lrzip/runzip.c:144
#6 0x54b887 in runzip_chunk /lrzip/runzip.c:316
#7 0x54b887 in runzip_fd /lrzip/runzip.c:384
#8 0x527dad in decompress_file /lrzip/lrzip.c:840:6
#9 0x51b541 in main /lrzip/main.c:675:4
#10 0x7fbea6d9282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
==153830==ABORTING