Closed ProbeFuzzer closed 6 years ago
CVE-2018-6540 was assigned to this issue. https://nvd.nist.gov/vuln/detail/CVE-2018-6540
can not reproduce in test_65407
after double-checking the download-zip, the error is now reproduced in
make test_65402
fixed => now OK for test_65402
The main problem had been
if (file->stored + size >= file->endbuf)
{
DBG1("try to read beyond end of file");
return 0; /* ESPIPE */
}
checking back v0.13.67 where the testcase has shown the problem => fixed
On latest version (0.13.67) and master branch of zziplib: there is a bus error caused by loading of misaligned address in zzip_disk_findfirst function of src/zzip/mmapped.c, which could be triggered by the POC below. Note that this issue is different from CVE-2018-6484.
The issue happens since the pointer "trailer" (line 420) could be manipulated by a crafted zip file, resulting in a misaligned memory access and bus error. Note that the issue is in libzip and may affect downstream programs.
To reproduce the issue, run: ./unzip-mem $POC The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst.zip
master/src/zzip/mmapped.c:420:36: runtime error: load of misaligned address 0x7fc6924310f2 for type 'uint32_t', which requires 4 byte alignment 0x7fc6924310f2: note: pointer points here 47 00 00 00 80 00 b5 b5 b5 b5 b5 b5 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^