ckolivas / lrzip

Long Range Zip
http://lrzip.kolivas.org
GNU General Public License v2.0

NULL pointer dereference in join_pthread (stream.c) incomplete fix for CVE-2017-8843 #111

Closed asarubbo closed 3 years ago

asarubbo commented 5 years ago

On master:

lrzip -t $FILE
Decompressing...
100%       2.00 /      2.00 ^MAddressSanitizer:DEADLYSIGNAL
=================================================================
==3799==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002d0 (pc 0x7efef590e720 bp 0x7ffdf09c1fb0 sp 0x7ffdf09c1d58 T0)
==3799==The signal is caused by a READ memory access.
==3799==Hint: address points to the zero page.
    #0 0x7efef590e71f  /var/tmp/portage/sys-libs/glibc-2.27-r6/work/glibc-2.27/nptl/pthread_join_common.c:31:1
    #1 0x52ebd6 in join_pthread /var/tmp/portage/app-arch/lrzip-9999/work/lrzip-9999/stream.c:147:6
    #2 0x52ebd6 in fill_buffer /var/tmp/portage/app-arch/lrzip-9999/work/lrzip-9999/stream.c:1707
    #3 0x52ebd6 in read_stream /var/tmp/portage/app-arch/lrzip-9999/work/lrzip-9999/stream.c:1769
    #4 0x520f3b in unzip_literal /var/tmp/portage/app-arch/lrzip-9999/work/lrzip-9999/runzip.c:162:16
    #5 0x520f3b in runzip_chunk /var/tmp/portage/app-arch/lrzip-9999/work/lrzip-9999/runzip.c:322
    #6 0x520f3b in runzip_fd /var/tmp/portage/app-arch/lrzip-9999/work/lrzip-9999/runzip.c:384
    #7 0x506b21 in decompress_file /var/tmp/portage/app-arch/lrzip-9999/work/lrzip-9999/lrzip.c:840:6
    #8 0x4fd54e in main /var/tmp/portage/app-arch/lrzip-9999/work/lrzip-9999/main.c:675:4
    #9 0x7efef4b5a2aa in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.27-r6/work/glibc-2.27/csu/../csu/libc-start.c:308:16
    #10 0x41c389 in _init (/usr/bin/lrzip+0x41c389)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.27-r6/work/glibc-2.27/nptl/pthread_join_common.c:31:1
==3799==ABORTING

Testcase: 1000.crashes.zip
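The failure mode in the report above (a SEGV inside pthread_join with the faulting address on the zero page), as an added C example that is not lrzip code and makes no claim about how stream.c fills its thread table: joining a pthread_t that was never returned by pthread_create() hands glibc a bogus thread descriptor pointer, and pthread_join_common() faults when it reads a field of that descriptor (a small offset from NULL, 0x2d0 in the report). The block shows the unsafe shape beside a checked variant that records whether the thread was actually created. `struct worker`, `start_worker`, `join_pthread_unsafe` and `join_pthread_checked` are hypothetical names, and the worker's result value is constructed sample data.

```c
/* Added example, not code from lrzip. Demonstrates the bug class behind
 * the ASan trace above: pthread_join() on a pthread_t that was never
 * produced by a successful pthread_create(). */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical worker slot. The handle alone cannot tell you whether the
 * thread exists (a zeroed pthread_t is not a sentinel), so carry an
 * explicit flag beside it. */
struct worker {
    pthread_t thread;
    bool started;   /* set only when pthread_create() succeeded */
    long result;    /* value the worker hands back (constructed) */
};

static void *worker_main(void *arg)
{
    struct worker *w = arg;
    w->result = 42;            /* constructed sample work */
    return &w->result;
}

/* The unsafe shape: join whatever is in the slot. With a zero-initialised
 * slot this is what the report above shows: glibc treats the handle as a
 * struct pthread pointer and reads through it, so the process takes a SEGV
 * on the zero page. Kept for illustration and deliberately never called. */
int join_pthread_unsafe(struct worker *w)
{
    return pthread_join(w->thread, NULL);
}

/* The hardened shape: refuse to join a slot that was never started and
 * report the failure to the caller instead of crashing. Also clears the
 * flag after a successful join so the stale handle is never joined twice.
 * Returns 0 on success, an errno value otherwise. */
static int join_pthread_checked(struct worker *w)
{
    if (!w->started)
        return EINVAL;
    void *ret = NULL;
    int err = pthread_join(w->thread, &ret);
    if (err)
        return err;
    w->started = false;
    return 0;
}

/* Start a worker; returns 0 or the pthread_create() error code. */
static int start_worker(struct worker *w)
{
    int err = pthread_create(&w->thread, NULL, worker_main, w);
    if (err == 0)
        w->started = true;
    return err;
}

/* Case 1: a slot that was started; join succeeds and the result is visible. */
static int demo_started_result(void)
{
    struct worker w = {0};
    if (start_worker(&w) != 0)
        return -1;
    if (join_pthread_checked(&w) != 0)
        return -1;
    return (int)w.result;
}

/* Case 2: a zeroed slot (thread == 0, started == false), the situation
 * that crashes the unsafe version; the checked version returns EINVAL. */
static int demo_unstarted_rc(void)
{
    struct worker w = {0};
    return join_pthread_checked(&w);
}

int main(void)
{
    printf("started slot result: %d\n", demo_started_result());
    printf("unstarted slot rc: %d (EINVAL is %d)\n", demo_unstarted_rc(), EINVAL);
    /* join_pthread_unsafe() on a zeroed slot would reproduce the SEGV. */
    return 0;
}
```

The point of the flag is that pthread_t carries no "not a thread" value you can test for; the only reliable record of whether a join is legal is the bookkeeping you keep at pthread_create() time, which is also why a decompressor must not trust the input to tell it which worker slots are live.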

ariccio commented 5 years ago

Is threads supposed to be ucthread?

tansy commented 5 years ago

Maybe you're using a pre-patched < 0.631 version. There is one patch that addresses a similar or the same issue. I just tested your file and these are my results:

$ lrzip-0.631 -d 1000.crashes.lrz 
Output filename is: 1000.crashes
Decompressing...
Segmentation fault     2.00 

$ lrzip-0.631-CVE-2017-8843 -d 1000.crashes.lrz 
Output filename is: 1000.crashes
Decompressing...
Trying to seek outside tmpoutbuf to -154 in seekto_fdhist
Seek failed by 156 from 0 on history file in unzip_match
No such file or directory
Fatal error - exiting

Seems that's the problem.

asarubbo commented 5 years ago

@tansy thanks for your pointless comment, but I clearly state "ON MASTER". Anyway, to be sure, I compiled it again a few seconds ago; let me attach a screenshot that shows at which commit ID I'm fetching. Screenshot_20190507_084700

tansy commented 5 years ago

The result I showed you was obtained with the 0.631 version patched with the mentioned patch. That's it. And it works. Why it doesn't on master? I have no clue. I just checked again and that patched version of v0.631 works exactly like I quoted. No segfault, only error messages.

asarubbo commented 5 years ago

So the right comment would be: "I cannot reproduce" instead of "maybe you are using a pre-patched < 0.631". That's all.

tansy commented 5 years ago

It doesn't change the fact that the issue was already fixed and now appears out of the blue again.

ckolivas commented 3 years ago

Fixed in master.