ckolivas / lrzip

Long Range Zip
http://lrzip.kolivas.org
GNU General Public License v2.0

Segmentation fault caused by null pointer dereference during multithread processing in ucompthread, stream.c:1523 #164

Closed 5hadowblad3 closed 3 years ago

5hadowblad3 commented 4 years ago

Hi, there.

There is a segmentation fault caused by a null pointer dereference that leads to a fatal error during execution in the newest master branch 597be1f. Here is a brief explanation:


This is the output during execution:

Decompressing...
Bad checksum: 0x5b496f91 - expected: 0x2000210c
Fatal error - exiting
Segmentation fault

To reproduce, run:

lrzip -t seg-stream1523

POC (unzip first): seg-stream1523.zip

Here is the trace reported by ASAN:

==161258==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x00000043f8d8 bp 0x0000007cd680 sp 0x7f811dafdd80 T3)
    #0 0x43f8d7 in ucompthread ../stream.c:1523
    #1 0x7f81218fc6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #2 0x7f8120d2e41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../stream.c:1523 ucompthread
Thread T3 created by T0 here:
    #0 0x7f81221941e3 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x361e3)
    #1 0x4516f3 in create_pthread ../stream.c:133
    #2 0x4516f3 in fill_buffer ../stream.c:1699
    #3 0x4516f3 in read_stream ../stream.c:1786

==161258==ABORTING
pete4abw commented 4 years ago

Nope. A curious thing about lrzip is it requires a file extension. Testing a file without an extension has proven problematic. In any event, a properly named file works as expected even with your distractions and intentional munging. As I said, there is no way to account for every act of intentional sabotage. Your file has an expected size of 70,506,183,141,503. Enjoy the program. It works great.

peter@tommyv:~/Downloads$ lrzip.631 -tvv seg-stream1523.lrz
Using configuration file /home/peter/.lrzip/lrzip.conf
Threading is ENABLED. Number of CPUs detected: 8
Detected 16563281920 bytes ram
Compression level 7
Nice Value: 19
Show Progress
Max Verbose
Test file integrity
Temporary Directory set as: ./
Detected lrzip version 0.6 file.
Unknown hash, falling back to CRC
CRC32 being used for integrity testing.
Decompressing...
Reading chunk_bytes at 24
Expected size: 70506183141503
Chunk byte width: 2
Reading eof flag at 25
EOF: 1
Reading expected chunksize at 26
Chunk size: 10240
Reading stream 0 header at 29
Reading stream 1 header at 36
Reading ucomp header at 43
Fill_buffer stream 0 c_len 55 u_len 55 last_head 0
Starting thread 0 to decompress 55 bytes from stream 0
Thread 0 decompressed 55 bytes from stream 0
Taking decompressed data from thread 0
Reading ucomp header at 105
Fill_buffer stream 1 c_len 269 u_len 9387 last_head 131
Starting thread 1 to decompress 269 bytes from stream 1
Reading ucomp header at 160
Fill_buffer stream 1 c_len 24 u_len 985 last_head 0
Thread 1 decompressed 9387 bytes from stream 1
Starting thread 2 to decompress 24 bytes from stream 1
Taking decompressed data from thread 1
Closing stream at 190, want to seek to 411
Bad checksum: 0x5b496f91 - expected: 0x2000210c
Fatal error - exiting
peter@tommyv:~/Downloads$ lrzip.631 -ivv seg-stream1523.lrz
Using configuration file /home/peter/.lrzip/lrzip.conf
Detected lrzip version 0.6 file.
Unknown hash, falling back to CRC
Rzip chunk 1:
Chunk byte width: 2
Chunk size: 10240
Stream: 0
Offset: 28
Block   Comp    Percent Size
1       none    100.0%  55 / 55 Offset: 0       Head: 0
Stream: 1
Offset: 28
Block   Comp    Percent Size
1       none    2.9%    269 / 9387      Offset: 0       Head: 131
2       lzma    2.7%    24 / 985        Offset: 0       Head: 0
Invalid chunk bytes 20
No such file or directory
Fatal error - exiting
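The verbose output above shows the two places where a decoder has to distrust the file before starting any worker: a chunk byte width that is out of range ("Invalid chunk bytes 20") and a declared size that bears no relation to the bytes actually present. The following is an added illustration, written for this thread and not lrzip's own code or on-disk format: it parses a small constructed chunk layout (width byte, little-endian size, CRC32, payload), rejects a bad width or a size larger than the remaining input before touching the payload, and reports a checksum mismatch as a return value so the caller can stop and join any worker threads before tearing down shared state instead of exiting from the middle of a multithreaded decode. All names and the header layout are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed header layout for this example (not lrzip's format):
 *   byte 0      : chunk byte width w, must be 1..8
 *   bytes 1..w  : chunk size, little-endian, w bytes wide
 *   next 4      : CRC32 of the payload, little-endian
 *   next        : payload, chunk-size bytes
 */

enum hdr_status {
    HDR_OK = 0,
    HDR_TRUNCATED,     /* input ends before the header or payload does */
    HDR_BAD_WIDTH,     /* width outside 1..8, the "Invalid chunk bytes" case */
    HDR_BAD_CHECKSUM   /* payload CRC does not match the stored one */
};

/* Bitwise CRC32 (IEEE, reflected polynomial); no table needed for a demo. */
static uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Validate one chunk. Every length is checked against buf_len before the
 * payload pointer is formed, and no error path exits the process. */
enum hdr_status parse_chunk(const uint8_t *buf, size_t buf_len,
                            const uint8_t **payload, uint64_t *len, size_t *consumed)
{
    if (buf_len < 1) return HDR_TRUNCATED;
    unsigned w = buf[0];
    if (w < 1 || w > 8) return HDR_BAD_WIDTH;
    if (buf_len < 1 + (size_t)w + 4) return HDR_TRUNCATED;

    uint64_t size = 0;
    for (unsigned i = 0; i < w; i++)
        size |= (uint64_t)buf[1 + i] << (8 * i);

    uint32_t stored = 0;
    for (unsigned i = 0; i < 4; i++)
        stored |= (uint32_t)buf[1 + w + i] << (8 * i);

    size_t hdr = 1 + w + 4;
    /* A declared size beyond what is present is rejected here, not discovered by a worker. */
    if (size > buf_len - hdr) return HDR_TRUNCATED;

    const uint8_t *data = buf + hdr;
    if (crc32_buf(data, (size_t)size) != stored) return HDR_BAD_CHECKSUM;

    *payload = data;
    *len = size;
    *consumed = hdr + (size_t)size;
    return HDR_OK;
}

/* Build a well-formed chunk so the scenarios below start from valid input. */
size_t build_chunk(uint8_t *out, unsigned w, const uint8_t *data, size_t n)
{
    out[0] = (uint8_t)w;
    for (unsigned i = 0; i < w; i++) out[1 + i] = (uint8_t)(n >> (8 * i));
    uint32_t crc = crc32_buf(data, n);
    for (unsigned i = 0; i < 4; i++) out[1 + w + i] = (uint8_t)(crc >> (8 * i));
    memcpy(out + 1 + w + 4, data, n);
    return 1 + w + 4 + n;
}

/* Scenarios: 0 = intact, 1 = width byte set to 20, 2 = payload byte flipped,
 * 3 = declared size inflated far past the input. Returns the parse status,
 * or -1 if a successful parse handed back the wrong payload. */
int demo_scenario(int which)
{
    uint8_t buf[64];
    const uint8_t payload[] = "segmentation";   /* constructed sample data */
    size_t n = build_chunk(buf, 2, payload, sizeof payload - 1);
    if (which == 1) buf[0] = 20;
    if (which == 2) buf[1 + 2 + 4] ^= 0x01;
    if (which == 3) { buf[1] = 0xff; buf[2] = 0xff; }

    const uint8_t *pl; uint64_t len; size_t used;
    enum hdr_status st = parse_chunk(buf, n, &pl, &len, &used);
    if (st == HDR_OK && (len != sizeof payload - 1 ||
                         memcmp(pl, payload, (size_t)len) != 0 || used != n))
        return -1;
    return (int)st;
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "bad width", "bad checksum" };
    for (int s = 0; s < 4; s++) {
        int st = demo_scenario(s);
        printf("scenario %d: %s\n", s, st < 0 ? "payload mismatch" : names[st]);
    }
    return 0;
}
```

The point of returning a status rather than calling a fatal handler is that the caller, which knows which worker threads it has started, is the only place that can join them before any shared stream state is released; a worker that is still running when that state disappears is exactly the kind of thread-local crash the ASAN trace in this issue shows.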
5hadowblad3 commented 4 years ago

Well, since it is a multithread issue, you still can use the uploaded file (without adding an extension name) to reproduce this segmentation fault by running the command multiple times. I added a more detailed explanation related to this bug in the newest issue #165 for another related bug.

ckolivas commented 3 years ago

Fixed in git.

5hadowblad3 commented 3 years ago

This is assigned with CVE-2021-27345.

carnil commented 2 years ago

Fixing commit should be https://github.com/ckolivas/lrzip/commit/be884d09e09b00fbddd31b75dc1f4736d72006a8