Closed ProbeFuzzer closed 6 years ago
CVE-2018-6542 was assigned to this issue. https://nvd.nist.gov/vuln/detail/CVE-2018-6542
Cannot reproduce in test_65427 on master.
After double-checking the download size of the zip, the error is now reproduced in
make test_65422
Turns out that the fopen may have failed, after which the testcase is OK.
Checking back with v0.13.67, where the testcase had shown the problem => fixed.
On the latest version (0.13.67) and the master branch of zziplib, there is a bus error (when handling the seek of disk64_trailer) caused by a load from a misaligned address in the zzip_disk_findfirst function of src/zzip/mmapped.c, which can be triggered by the POC below. Note that this issue is different from https://github.com/gdraheim/zziplib/issues/15.
The issue happens because the pointer "trailer" (line 444) can be manipulated by a crafted zip file, resulting in a misaligned memory access and a bus error. Note that the issue is in libzip and may affect downstream programs. The POC is as small as 100 bytes.
To reproduce the issue, run:
./unzip-mem -p $POC
The POC can be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst_64.zip
master/src/zzip/mmapped.c:444:25: runtime error: load of misaligned address 0x7f798f31e163 for type 'uint64_t', which requires 8 byte alignment
0x7f798f31e163: note: pointer points here
 71 00 00 00 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ^
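The root cause described in the report is a general one: a zip64 end-of-central-directory record can sit at any byte offset in a file, so casting a pointer into the mapping to a struct with uint64_t members and dereferencing it is undefined behaviour, and on strict-alignment CPUs a SIGBUS. The example below is added here and is not zziplib's code (zzip_disk_findfirst and its disk64_trailer handling are not reproduced); it shows the unsafe cast beside an alignment-safe, bounds-checked parser that decodes the record byte by byte. The record layout follows the PKWARE APPNOTE zip64 EOCD (signature 0x06064b50, fixed part of 56 bytes); the struct and function names are this example's own, and the input buffer is constructed inline with the record deliberately placed at an odd offset.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ZIP64_EOCD_SIG   0x06064b50u
#define ZIP64_EOCD_SIZE  56   /* fixed part of the zip64 EOCD record */

/* Parsed view of the record. Names are this example's own. */
typedef struct {
    uint64_t record_size;     /* offset 4  */
    uint64_t entries_total;   /* offset 32 */
    uint64_t cd_size;         /* offset 40 */
    uint64_t cd_offset;       /* offset 48 */
} zip64_eocd_t;

/* Alignment-safe little-endian decoders: they only ever load single bytes,
 * so any offset into the mapping is fine on any CPU. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const unsigned char *p)
{
    return (uint64_t)le32(p) | ((uint64_t)le32(p + 4) << 32);
}

/* The pattern the report is about: treat the mapping as a uint64_t and load
 * it directly. Works on x86, but at a misaligned offset it is undefined
 * behaviour, UBSan (-fsanitize=alignment) reports it, and strict-alignment
 * CPUs raise SIGBUS. Kept for comparison only; main() does not call it. */
uint64_t unsafe_cd_offset(const unsigned char *rec)
{
    return *(const uint64_t *)(rec + 48);
}

/* Decode the record at byte offset `off`. Returns 1 on success, 0 if the
 * record would run past the end of the mapping or the signature is wrong.
 * Every field is read through le32/le64, never through a wider pointer. */
static int zip64_eocd_parse(const unsigned char *buf, size_t len, size_t off, zip64_eocd_t *out)
{
    if (off > len || len - off < ZIP64_EOCD_SIZE)   /* bounds check first */
        return 0;
    const unsigned char *rec = buf + off;
    if (le32(rec) != ZIP64_EOCD_SIG)
        return 0;
    out->record_size   = le64(rec + 4);
    out->entries_total = le64(rec + 32);
    out->cd_size       = le64(rec + 40);
    out->cd_offset     = le64(rec + 48);
    return 1;
}

/* Scan backwards from the end of the mapping, as a trailer search does, and
 * return the offset of the first complete record found, or -1. */
static long find_zip64_eocd(const unsigned char *buf, size_t len, zip64_eocd_t *out)
{
    if (len < ZIP64_EOCD_SIZE)
        return -1;
    for (size_t off = len - ZIP64_EOCD_SIZE + 1; off-- > 0; )
        if (zip64_eocd_parse(buf, len, off, out))
            return (long)off;
    return -1;
}

static void put32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }
static void put64(unsigned char *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Constructed input, not a real archive: three padding bytes so the record
 * starts at an odd offset, the 56-byte zip64 EOCD, then 8 zero bytes standing
 * in for the locator/EOCD that would follow in a real file. Caller supplies
 * at least 67 bytes. Field values are arbitrary. */
static size_t build_sample(unsigned char *buf)
{
    memset(buf, 0, 3 + ZIP64_EOCD_SIZE + 8);
    unsigned char *rec = buf + 3;
    put32(rec + 0, ZIP64_EOCD_SIG);
    put64(rec + 4, 44);                 /* size of the rest of the record */
    rec[12] = 45; rec[14] = 45;         /* version made by / needed: 4.5 */
    put32(rec + 16, 0); put32(rec + 20, 0);
    put64(rec + 24, 2); put64(rec + 32, 2);   /* entries on disk / total */
    put64(rec + 40, 113);               /* central directory size   */
    put64(rec + 48, 61);                /* central directory offset */
    return 3 + ZIP64_EOCD_SIZE + 8;
}

int main(void)
{
    unsigned char buf[128];
    zip64_eocd_t e;
    size_t len = build_sample(buf);
    long off = find_zip64_eocd(buf, len, &e);
    if (off < 0) { puts("no zip64 EOCD record"); return 1; }
    printf("zip64 EOCD at byte %ld: %llu entries, central directory %llu bytes at offset %llu\n",
           off, (unsigned long long)e.entries_total, (unsigned long long)e.cd_size,
           (unsigned long long)e.cd_offset);
    return 0;
}
```

Building a parser like this with `-fsanitize=alignment` stays silent, whereas the cast in unsafe_cd_offset is exactly what produces a "load of misaligned address ... for type 'uint64_t'" diagnostic of the kind quoted above. The same byte-wise decoding applies to every other multi-byte field read out of a memory-mapped archive, not just the zip64 trailer.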