gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access

Invalid memory access in zzip_disk_fread (src/zzip/mmapped.c) [CVE-2018-6381] #12

Closed ProbeFuzzer closed 6 years ago

ProbeFuzzer commented 6 years ago

On the latest version (0.13.67) and the master branch of zziplib, there is a segmentation fault caused by an invalid memory access in the zzip_disk_fread function (src/zzip/mmapped.c), which can be triggered by a POC of only 152 bytes.

The issue happens because, with the crafted zip file, in line 685 of the zzip_disk_fread function the "size" variable can be much larger than the capacity of "file->stored". Note that this function is in library code, which means programs based on libzzip could be affected.

```c
683     if (file->stored)
684     {
685         memcpy(ptr, file->stored, size);
686         file->stored += size;
687         file->avail -= size;
688         return size;
689     }
```

To reproduce the issue, run: `./unzip-mem $POC`

The POC can be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip

The backtrace is:

```
(gdb) bt
#0  0x00007ffff7740427 in __memcpy_ssse3 () from /lib64/libc.so.6
#1  0x00007ffff7bd7cd3 in zzip_disk_fread (ptr=0x7fffffffd7b0, sized=1024, nmemb=1, file=0x604280) at ../../src/zzip/mmapped.c:685
#2  0x00007ffff7bd8a86 in zzip_mem_disk_fread (ptr=0x7fffffffd7b0, size=1024, nmemb=1, file=0x604280) at ../../src/zzip/memdisk.c:495
#3  0x0000000000400c8c in zzip_mem_entry_pipe (disk=0x604060, entry=0x604080, out=0x6047e0) at ../../src/bins/unzip-mem.c:89
#4  0x0000000000400cfe in zzip_mem_entry_make (disk=0x604060, entry=0x604080) at ../../src/bins/unzip-mem.c:100
#5  0x00000000004017b5 in zzip_mem_entry_makeall (disk=0x604060) at ../../src/bins/unzip-mem.c:310
#6  0x0000000000401c7f in main (argc=2, argv=0x7fffffffdd48) at ../../src/bins/unzip-mem.c:399
```
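The unchecked copy pattern this report describes, placed next to a bounds-checked variant of the kind the maintainer's "check for the size" implies, as an added illustration that is not zziplib's code: the `stored_reader` struct, both function names and the 8-byte demo entry are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the reader state the report describes: a pointer
 * into the entry's stored (uncompressed) bytes and how many of them remain.
 * Not zziplib's own struct. */
typedef struct {
    const unsigned char *stored;  /* next unread byte of the stored data */
    size_t avail;                 /* bytes left from stored to the entry end */
} stored_reader;

/* Pattern from the report (pre-fix): the length comes from the caller and is
 * never compared with what the entry holds, so a header that overstates the
 * entry makes memcpy read past the mapped data. Kept only for contrast. */
size_t unchecked_fread(void *ptr, size_t sized, size_t nmemb, stored_reader *file)
{
    size_t size = sized * nmemb;
    memcpy(ptr, file->stored, size);  /* may read beyond file->avail */
    file->stored += size;
    file->avail -= size;              /* and underflow avail */
    return size;
}

/* Bounds-checked variant: reject an overflowing sized*nmemb, then clamp the
 * request to the bytes still available, like a short read at end of file. */
size_t checked_fread(void *ptr, size_t sized, size_t nmemb, stored_reader *file)
{
    if (sized != 0 && nmemb > SIZE_MAX / sized)
        return 0;                     /* sized * nmemb would overflow */
    size_t size = sized * nmemb;
    if (size > file->avail)
        size = file->avail;
    if (size == 0)
        return 0;
    memcpy(ptr, file->stored, size);
    file->stored += size;
    file->avail -= size;
    return size;
}

/* Constructed scenario mirroring the report: the caller asks for a 1024-byte
 * block (as unzip-mem does) from an entry that really holds 8 bytes. */
size_t demo_short_entry(void)
{
    static const unsigned char entry[8] = "ABCDEFGH";
    unsigned char out[1024];
    stored_reader file = { entry, sizeof entry };
    return checked_fread(out, 1024, 1, &file);
}
```

With the clamp in place the oversized request returns a short read of 8 bytes and `avail` ends at 0 instead of wrapping.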

carnil commented 6 years ago

This issue was assigned CVE-2018-6381

abergmann commented 6 years ago

The POC download link is not working.

ProbeFuzzer commented 6 years ago

@abergmann Thanks, the poc link should work now.

ProbeFuzzer commented 6 years ago

@gdraheim Thanks for fixing this issue.

gdraheim commented 6 years ago

test_63817 works OK

gdraheim commented 6 years ago

a check for the size was added, and the testcase is fixed now