gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access

[Bug]: stack-buffer-overflow in zzdir(version 0.13.72, commit 6699e0fe) #143

Closed benehalo closed 5 months ago

benehalo commented 1 year ago

Crash Inputs

Here are the files that trigger the bug - zip.c_347_44-in-__zzip_fetch_disk_trailer.zip

Bug Description

I applied ASan (AddressSanitizer) to check for errors, and it reported the following.

AddressSanitizer: stack-buffer-overflow on address 0x7ffe86e4eeb0 at pc 0x0000004c7234 bp 0x7ffe86e4ea30 sp 0x7ffe86e4ea28
READ of size 8 at 0x7ffe86e4eeb0 thread T0
    #0 0x4c7233 in __zzip_fetch_disk_trailer /data/code/zziplib/zzip/zip.c:347:44
    #1 0x4c7233 in __zzip_dir_parse /data/code/zziplib/zzip/zip.c:763:15
    #2 0x4c7233 in zzip_dir_fdopen_ext_io /data/code/zziplib/zzip/zip.c:731:15
    #3 0x4c780b in zzip_dir_open_ext_io /data/code/zziplib/zzip/zip.c:847:16
    #4 0x4c54a9 in zzip_opendir_ext_io /data/code/zziplib/zzip/dir.c:293:11
    #5 0x4c4239 in main /data/code/zziplib/bins/zzdir.c:41:15
    #6 0x7f66063d7082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41c37d in _start (/data/program/zziplib/orig-asan/bin/zzdir+0x41c37d)

Address 0x7ffe86e4eeb0 is located in stack of thread T0 at offset 1136 in frame
    #0 0x4c5e5f in zzip_dir_fdopen_ext_io /data/code/zziplib/zzip/zip.c:723

  This frame has 2 object(s):
    [32, 78) 'dirent.i.i' (line 413)
    [112, 1136) 'buffer.i.i' (line 189) <== Memory access at offset 1136 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /data/code/zziplib/zzip/zip.c:347:44 in __zzip_fetch_disk_trailer
Shadow bytes around the buggy address:
  0x100050dc1d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050dc1d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050dc1da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050dc1db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050dc1dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100050dc1dd0: 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x100050dc1de0: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100050dc1df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050dc1e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050dc1e10: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x100050dc1e20: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==264665==

How to Reproduce

The aforementioned bug can be reliably reproduced in version 0.13.72 (commit id 6699e0fe).

  1. Download the zziplib source code from the official link.
  2. Using clang/clang++ (10.0.0-4ubuntu1), build zziplib with ASan.
    • -U_FORTIFY_SOURCE -fsanitize=address -g
  3. Execute zzdir with the provided input files.
    • eg: /data/program/zziplib/orig-asan/bin/zzdir <input-file-path>
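The ASan report above points at the code that fetches the ZIP disk trailer (the end-of-central-directory record, EOCD) and reads 8 bytes starting exactly at the end of a 1024-byte stack buffer ('buffer.i.i', 1136 - 112 = 1024 bytes). The C program below is an added illustration of that bug class, written for this page; it is not zziplib's code, does not reproduce zziplib's exact trailer logic, and does not reconstruct the crashing input. It scans a loaded byte range for the EOCD signature in two ways: an unchecked scanner that only ensures the 4-byte signature fits before parsing the full 22-byte record, and a checked scanner that requires the whole record, plus the comment it declares, to lie inside the loaded bytes. All function names, the struct and the three sample inputs are hypothetical and constructed inside the program; bytes past the loaded length are filled with 0xFF so the over-read is visible without undefined behaviour, whereas against a real fixed-size stack buffer the same read runs past the array, which is what ASan flagged.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EOCD_SIG 0x06054b50u   /* "PK\x05\x06" read little-endian */
#define EOCD_LEN 22            /* fixed part of the record, before the archive comment */

struct eocd {                  /* hypothetical decoded trailer, not zziplib's type */
    uint16_t entries;          /* total entries in the central directory */
    uint32_t cd_size;          /* size of the central directory in bytes */
    uint32_t cd_offset;        /* offset of the central directory from the archive start */
    uint16_t comment_len;      /* length of the trailing archive comment */
};

static uint32_t get32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t get16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static void put16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }

/* Decode the fields this example uses; the caller must guarantee 22 readable bytes at p. */
static void parse_eocd(const unsigned char *p, struct eocd *out) {
    out->entries     = get16(p + 10);
    out->cd_size     = get32(p + 12);
    out->cd_offset   = get32(p + 16);
    out->comment_len = get16(p + 20);
}

/* Vulnerable pattern: the loop only guarantees that the 4-byte signature lies inside
 * the n loaded bytes, then parses the whole 22-byte record at that position. A
 * trailer cut off right after its signature makes parse_eocd() read up to 18 bytes
 * past the loaded data. Returns the record offset or -1. */
long find_eocd_unchecked(const unsigned char *buf, size_t n, struct eocd *out) {
    if (n < 4) return -1;
    for (size_t off = n - 4;; off--) {
        if (get32(buf + off) == EOCD_SIG) {
            parse_eocd(buf + off, out);          /* may read buf[n .. off+21] */
            return (long)off;
        }
        if (off == 0) break;
    }
    return -1;
}

/* Hardened: start the scan where a complete record still fits, and reject a
 * record whose declared comment would extend past the loaded bytes. */
long find_eocd_checked(const unsigned char *buf, size_t n, struct eocd *out) {
    if (n < EOCD_LEN) return -1;
    for (size_t off = n - EOCD_LEN;; off--) {
        if (get32(buf + off) == EOCD_SIG) {
            parse_eocd(buf + off, out);          /* all 22 bytes are within [0, n) */
            if ((size_t)out->comment_len > n - off - EOCD_LEN) return -1;
            return (long)off;
        }
        if (off == 0) break;
    }
    return -1;
}

/* Constructed sample "archives" (hypothetical, not real ZIP files; cap must be >= 48).
 * Each fills the whole capacity with 0xFF first so that any read beyond the returned
 * length lands on a visible sentinel instead of undefined memory. */
static void write_eocd(unsigned char *p, uint16_t entries, uint32_t cd_size,
                       uint32_t cd_offset, uint16_t comment_len) {
    put32(p, EOCD_SIG);
    put16(p + 4, 0);            /* number of this disk */
    put16(p + 6, 0);            /* disk holding the central directory */
    put16(p + 8, entries);      /* entries on this disk */
    put16(p + 10, entries);     /* total entries */
    put32(p + 12, cd_size);
    put32(p + 16, cd_offset);
    put16(p + 20, comment_len);
}
size_t sample_valid(unsigned char *out, size_t cap) {       /* 8 filler bytes, EOCD, comment "abc" */
    memset(out, 0xFF, cap); memset(out, 0, 8);
    write_eocd(out + 8, 1, 46, 8, 3); memcpy(out + 30, "abc", 3);
    return 33;
}
size_t sample_truncated(unsigned char *out, size_t cap) {   /* data ends 6 bytes into the EOCD */
    static const unsigned char head[6] = { 0x50, 0x4b, 0x05, 0x06, 0x00, 0x00 };
    memset(out, 0xFF, cap); memset(out, 0, 18); memcpy(out + 18, head, 6);
    return 24;
}
size_t sample_bad_comment(unsigned char *out, size_t cap) { /* comment_len says 10, only 3 present */
    memset(out, 0xFF, cap); memset(out, 0, 8);
    write_eocd(out + 8, 1, 46, 8, 10); memcpy(out + 30, "abc", 3);
    return 33;
}

int main(void) {
    unsigned char buf[64];
    struct eocd e;
    size_t n = sample_truncated(buf, sizeof buf);
    long off = find_eocd_unchecked(buf, n, &e);
    printf("unchecked: off=%ld cd_size=0x%08x (read from beyond the %zu loaded bytes)\n",
           off, e.cd_size, n);
    printf("checked:   off=%ld\n", find_eocd_checked(buf, n, &e));
    return 0;
}
```

The start offset n - EOCD_LEN in the checked scanner is the whole fix for the over-read; the comment-length test is the extra check a practitioner wants so that a later read of the comment or of the central directory cannot be steered past the loaded data either.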
gdraheim commented 5 months ago

It seems to be fixed; test added.