cloudius-systems / osv

OSv, a new operating system for the cloud.
osv.io

Found two unpatched (or 1-day) vulnerabilities #919

Open chubbymaggie opened 7 years ago

chubbymaggie commented 7 years ago

Hi,

While scanning for unpatched (or 1-day) vulnerabilities in popular open source libraries, I found the following two unpatched vulnerabilities in opensolaris_crc32.c and inftrees.c:

CVE id: CVE-2016-9843
affected file: osv/bsd/sys/cddl/contrib/opensolaris/uts/common/zmod/opensolaris_crc32.c
vulnerability details (NVD): https://nvd.nist.gov/vuln/detail/CVE-2016-9843
upstream patch: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811

CVE id: CVE-2016-9840
affected file: osv/bsd/sys/cddl/contrib/opensolaris/uts/common/zmod/inftrees.c
vulnerability details (NVD): https://nvd.nist.gov/vuln/detail/CVE-2016-9840
upstream patch: https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0

Hope this is helpful.

Regards, Mahin

nyh commented 7 years ago

Thanks. Can you please enlighten me why this is a security vulnerability? If I understand correctly, both patches say that it is illegal to decrement a pointer to an array before the array's start, even if we never dereference the decremented pointer (and just plan to increment it again later). But on all machines I know (including x86 and arm), it is legal. So where's the problem? And how can it lead to a security vulnerability? I don't see any suggestion in these reports that the code actually dereferences the out-of-bounds pointer, right?

nyh commented 7 years ago

I found an interesting case where compilers (gcc) assumed that a pointer cannot point before the beginning of the object: https://lwn.net/Articles/278137/

I also found the original report which suggested that these crc32.c and inftrees.c could have a problem: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf

I'm not sure yet, though, if this is really a problem. It seems to me there's a big gap between an optimizer optimizing away parts of an overflow detection "if" statement (this is where the "security" aspect of this issue came in?), and a compiler which miscompiles the code in crc32.c and inftrees.c.

chubbymaggie commented 7 years ago

Yes, your understanding is correct and undefined behaviors can sometimes lead to security vulnerabilities under certain compiler optimization options. These two vulnerabilities fall under that category, I guess.

Also, if you get time, please check these two research papers to understand more about such vulnerabilities.

  1. The Correctness-Security Gap in Compiler Optimization - LangSec'15 (https://nebelwelt.net/publications/files/15LangSec.pdf)
  2. Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior - SOSP'13 (https://people.csail.mit.edu/nickolai/papers/wang-stack.pdf)
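The following is an added example, not code from OSv, zlib or anyone in this thread. It mirrors the two pointer shapes the linked zlib commits change (a table pointer biased by -257 in inftrees.c, and a word pointer that is decremented before the loop in the big-endian crc32 path), each beside the form that keeps the pointer inside the array. The table values, the word-summing loop body and the sample data are constructed stand-ins, not zlib's real lbase table or CRC step; the range check in lookup_offset is added here to make the out-of-range case explicit.

```c
/* Added example for issue #919: not OSv or zlib code. Mirrors the pointer
 * shapes the two linked zlib commits replace, beside the in-bounds form. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a table indexed by symbols 257..260 (the real
 * inftrees.c lbase table is longer; these values are made up). */
#define FIRST_SYM 257u
static const unsigned short kTable[] = { 3, 4, 5, 6 };
#define TABLE_LEN (sizeof kTable / sizeof kTable[0])

/* Pre-patch shape: bias the pointer so it can be indexed by the symbol
 * directly. kTable - 257 points hundreds of bytes before the array; C11
 * 6.5.6p8 makes forming that pointer undefined even if it is never
 * dereferenced, so the optimizer may assume it never happens. */
unsigned short lookup_biased_pointer(unsigned sym)
{
    const unsigned short *base = kTable - FIRST_SYM;   /* undefined behaviour */
    return base[sym];
}

/* Patched shape: keep the pointer at the array and subtract the bias from
 * the index instead. Returns the table value, or -1 if the symbol is out
 * of range (the check is added here; zlib's caller guarantees the range). */
int lookup_offset(unsigned sym)
{
    if (sym < FIRST_SYM || sym - FIRST_SYM >= TABLE_LEN)
        return -1;
    return kTable[sym - FIRST_SYM];
}

/* Constructed sample words for the two loop shapes below. */
static const uint32_t kWords[] = { 1, 2, 3, 4 };
#define WORDS_LEN (sizeof kWords / sizeof kWords[0])

/* Pre-patch crc32_big shape: step back one word, then walk with *++p.
 * The decrement forms a pointer before the start of buf (undefined). The
 * body is a plain sum standing in for the real CRC table step. */
uint32_t sum_words_predecrement(const uint32_t *buf, size_t nwords)
{
    uint32_t acc = 0;
    const uint32_t *p = buf;
    p--;                                            /* undefined behaviour */
    while (nwords--)
        acc += *++p;
    return acc;
}

/* Patched shape: same walk, but p only takes values in [buf, buf + nwords],
 * which 6.5.6p8 allows (one past the end is permitted, before the start is not). */
uint32_t sum_words_postincrement(const uint32_t *buf, size_t nwords)
{
    uint32_t acc = 0;
    const uint32_t *p = buf;
    while (nwords--)
        acc += *p++;
    return acc;
}

int main(void)
{
    for (unsigned sym = FIRST_SYM; sym < FIRST_SYM + TABLE_LEN; sym++)
        printf("sym %u: biased %u, offset %d\n", sym,
               (unsigned)lookup_biased_pointer(sym), lookup_offset(sym));
    printf("sum: predecrement %" PRIu32 ", postincrement %" PRIu32 "\n",
           sum_words_predecrement(kWords, WORDS_LEN),
           sum_words_postincrement(kWords, WORDS_LEN));
    return 0;
}
```

On x86 and arm both columns print the same numbers, which is the observation in the thread; the point of the patches is that the C standard does not promise this, and only the offset-indexed and post-increment forms stay within what it defines. Note that neither ASan nor UBSan reliably reports the undefined forms here, since no out-of-bounds byte is ever read: the defect is in forming the pointer, not in dereferencing it.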