search

ckolivas / lrzip

Long Range Zip
http://lrzip.kolivas.org
GNU General Public License v2.0
619 stars 76 forks source link

NULL pointer dereference in bufRead::get (libzpaq.h) #67

Closed asarubbo closed 6 years ago

asarubbo commented 7 years ago

On 0.631:

# lrzip -t $FILE
Decompressing...                                                                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
Inconsistent length after decompression. Got 0 bytes, expected 2                                                                                                                                                  
ASAN:DEADLYSIGNAL                                                                                                                                                                                                 
=================================================================                                                                                                                                                 
==24966==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005e7caa bp 0x7f7c755a58d0 sp 0x7f7c755a5870 T2)                                                                               
==24966==The signal is caused by a READ memory access.                                                                                                                                                            
==24966==Hint: address points to the zero page.                                                                                                                                                                   
    #0 0x5e7ca9 in bufRead::get() /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:485:24                                                                                                     
    #1 0x5856f1 in libzpaq::Decompresser::findBlock(double*) /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.cpp:1236:21                                                                       
    #2 0x55f79a in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*) /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.cpp:1363:12                                                         
    #3 0x55f4e2 in zpaq_decompress /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:538:2                                                                                                     
    #4 0x54b3a4 in zpaq_decompress_buf /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:453:2                                                                                                          
    #5 0x54b3a4 in ucompthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1534                                                                                                                   
    #6 0x7f81b7a434a3 in start_thread /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_create.c:333
    #7 0x7f81b6d6e66c in clone /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:485:24 in bufRead::get()
Thread T2 created by T0 here:
    #0 0x42d49d in pthread_create /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
    #1 0x53e70f in create_pthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:133:6
    #2 0x53e70f in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1673
    #3 0x53e70f in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #4 0x531075 in unzip_literal /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:162:16
    #5 0x531075 in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:320
    #6 0x531075 in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #7 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #8 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #9 0x7f81b6ca778f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

==24966==ABORTING

Reproducer: https://github.com/asarubbo/poc/blob/master/00229-lrzip-nullptr-bufRead-get

ppisar commented 7 years ago

CVE-2017-8847 was assigned http://seclists.org/oss-sec/2017/q2/231.

Sixth invocation of zpaq_decompress() receives bogus c_buf=0x0, c_len=2 arguments.

ckolivas commented 6 years ago

Fixed generically via other safeguards.