on 0.631 (the latest version) and the latest master branch:
there is a use-after-free problem in the ucompthread function (src/stream.c) that causes the program to crash. Note that this issue is caused by the free of "ucthread", which is different from CVE-2017-8846 (https://github.com/ckolivas/lrzip/issues/71), which is caused by the free of "stream_info *sinfo".
This issue can be triggered by the POC with the command lrzip -t $POC
POC: https://github.com/ProbeFuzzer/poc/blob/master/lrzip/lrzip_0-631_lrzip_use-after-free_ucompthread.lrz
The problem happens at line 1519 of stream.c. Once "ucthread" is freed, "uci" still points into the released region (see the ASan trace below), and dereferencing it results in a segmentation fault.
1513 uci = &ucthread[i];
...
1518 retry:
1519 if (uci->c_type != CTYPE_NONE) {
1520 switch (uci->c_type) {
1521 case CTYPE_LZMA:
bin/lrzip -t output/poc/71.lrz
Decompressing...
ASAN:SIGSEGV
==78968==AddressSanitizer: while reporting a bug found another one. Ignoring.
ASAN:SIGSEGV
==78968==AddressSanitizer: while reporting a bug found another one. Ignoring.
chunk_bytes -93 is invalid in runzip_chunk
Fatal error - exiting
ASAN:SIGSEGV
==78968==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001ebc0 at pc 0x00000043e376 bp 0x7fdc847f9d10 sp 0x7fdc847f9d08
ASAN:SIGSEGV
==78968==AddressSanitizer: while reporting a bug found another one. Ignoring.
==78968==AddressSanitizer: while reporting a bug found another one. Ignoring.
READ of size 1 at 0x61d00001ebc0 thread T7
#0 0x43e375 in ucompthread lrzip/src/stream.c:1519
#1 0x7fdc8a22ce24 in start_thread (/lib64/libpthread.so.0+0x7e24)
#2 0x7fdc89a4134c in __clone (/lib64/libc.so.6+0xf834c)
0x61d00001ebc0 is located 320 bytes inside of 2016-byte region [0x61d00001ea80,0x61d00001f260)
freed by thread T0 here:
#0 0x7fdc8ae96e32 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x451334 in close_stream_in lrzip/src/stream.c:1839
previously allocated by thread T0 here:
#0 0x7fdc8ae97292 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:70
#1 0x44941d in open_stream_in lrzip/src/stream.c:1082
Thread T7 created by T0 here:
#0 0x7fdc8ae390b4 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:179
#1 0x43e5cc in create_pthread lrzip/src/stream.c:133
SUMMARY: AddressSanitizer: heap-use-after-free lrzip/src/stream.c:1519 ucompthread
Shadow bytes around the buggy address:
0x0c3a7fffbd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a7fffbd70: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c3a7fffbd80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbda0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbdb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbdc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==78968==ABORTING
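The ASan trace above gives the shape of the bug: thread T0 frees the "ucthread" array in close_stream_in (after the "chunk_bytes -93 is invalid" fatal error) while worker thread T7 is still reading uci->c_type in ucompthread. The following is an added example, not lrzip's code and not part of the report, that models the same ordering hazard with a hypothetical worker_item struct and shows the defensive ordering: join (or otherwise wait for) every worker before freeing the memory they were handed. The CTYPE_* names are borrowed from the snippet above; everything else is constructed for illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the hazard in the report (constructed for
 * illustration; this is not lrzip's code). A main thread allocates an
 * array of per-worker items, hands each worker a pointer into it, and
 * later frees the array. Whether the worker's read is valid depends
 * only on the ORDER of free() and pthread_join(). */

enum { CTYPE_NONE = 0, CTYPE_LZMA = 1 };   /* names borrowed from the reported snippet */

struct worker_item {                        /* hypothetical stand-in for the per-thread state */
    int c_type;
    int done;
};

/* Worker: reads c_type through the pointer it was given, like the
 * uci->c_type check at stream.c:1519 in the report. */
static void *worker(void *arg)
{
    struct worker_item *uci = arg;
    if (uci->c_type != CTYPE_NONE)
        uci->done = 1;
    return NULL;
}

/* Buggy ordering: the array is freed on the error path while workers may
 * still be running, so any worker that has not yet executed its read now
 * dereferences freed memory. Built with -fsanitize=address, this yields a
 * heap-use-after-free report of the same shape as the one above (free in
 * the main thread, READ in a worker thread). Not called by main. */
int run_free_before_join(int n)
{
    struct worker_item *items = calloc((size_t)n, sizeof *items);
    pthread_t *tids = calloc((size_t)n, sizeof *tids);
    if (!items || !tids) { free(items); free(tids); return -1; }
    for (int i = 0; i < n; i++) {
        items[i].c_type = CTYPE_LZMA;
        pthread_create(&tids[i], NULL, worker, &items[i]);
    }
    free(items);                      /* BUG: readers may still be live */
    for (int i = 0; i < n; i++)
        pthread_join(tids[i], NULL);  /* too late: the pointers already dangled */
    free(tids);
    return 0;
}

/* Fixed ordering: wait for every worker, then free. The main thread keeps
 * ownership of the array and frees it only once every borrowed pointer is
 * provably dead. Returns how many items the workers completed. */
int run_join_then_free(int n)
{
    struct worker_item *items = calloc((size_t)n, sizeof *items);
    pthread_t *tids = calloc((size_t)n, sizeof *tids);
    int done = 0;
    if (!items || !tids) { free(items); free(tids); return -1; }
    for (int i = 0; i < n; i++) {
        items[i].c_type = CTYPE_LZMA;
        if (pthread_create(&tids[i], NULL, worker, &items[i]) != 0) {
            n = i;                    /* creation failed: only join the threads that exist */
            break;
        }
    }
    for (int i = 0; i < n; i++)
        pthread_join(tids[i], NULL);  /* all borrowed pointers are now dead */
    for (int i = 0; i < n; i++)
        done += items[i].done;
    free(items);                      /* safe: no reader can still reach it */
    free(tids);
    return done;
}

int main(void)
{
    printf("completed items: %d\n", run_join_then_free(4));
    return 0;
}
```

The same rule applies on every error path, not just the happy path: a fatal-error handler that tears down shared state must first stop or join the threads that borrowed pointers into it, or hand ownership to them explicitly. Running the test suite under AddressSanitizer, as the reporter did, is the cheapest way to catch the ordering regressing.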