Closed ProbeFuzzer closed 6 years ago
This was assigned CVE-2018-6869
oops, in the libzzip core, that implies high prio.
I cannot reproduce with all recent patches installed. I do get "Invalid or incomplete multibyte or wide character" ;-) As a matter of fact, this is what EILSEQ is translated to by "perror()" and EILSEQ is what ZZIP_CORRUPTED is translated into.
This was fixed with commit 0c0c925.
We tested in the latest branch and found it is well fixed. Thanks for your recent patch.
Thank y'all, good work.
On latest version (0.13.68) and master branch of zziplib, there is an uncontrolled memory allocation and a crash in __zzip_parse_root_directory function of src/zzip/zip.c, which could be triggered by the POC below.
The issue happens since in line 409 of src/zzip/zip.c file, the request size of malloc (i.e., zz_rootsize) could be manipulated by an input file. Note that this function is in libzzip.
To reproduce the issue, run ./zzdir $POC POC: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-68_zzdir_uncontrolled-memory-allocation__zzip_parse_root_directory.zip
back stack: ==10395==ERROR: AddressSanitizer failed to allocate 0x8064b8000 (34465349632) bytes of LargeMmapAllocator (errno: 12) ==10395==Process memory map follows: 0x000000400000-0x000000403000 ./product/zziplib/master/exe_asan/bin/zzdir 0x000000602000-0x000000603000 ./product/zziplib/master/exe_asan/bin/zzdir 0x000000603000-0x000000604000 ./product/zziplib/master/exe_asan/bin/zzdir 0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x60c000000000
0x60c000000000-0x60c000010000
0x60c000010000-0x619000000000
0x619000000000-0x619000020000
0x619000020000-0x640000000000
0x640000000000-0x640000003000
0x7ff68ba00000-0x7ff68bb00000
0x7ff68bc00000-0x7ff68bd00000
0x7ff68bdb5000-0x7ff68e107000
0x7ff68e107000-0x7ff68e11c000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 0x7ff68e11c000-0x7ff68e31b000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 0x7ff68e31b000-0x7ff68e31c000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 0x7ff68e31c000-0x7ff68e31d000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 0x7ff68e31d000-0x7ff68e41e000 /usr/lib64/libm-2.17.so 0x7ff68e41e000-0x7ff68e61d000 /usr/lib64/libm-2.17.so 0x7ff68e61d000-0x7ff68e61e000 /usr/lib64/libm-2.17.so 0x7ff68e61e000-0x7ff68e61f000 /usr/lib64/libm-2.17.so 0x7ff68e61f000-0x7ff68e708000 /usr/lib64/libstdc++.so.6.0.19 0x7ff68e708000-0x7ff68e908000 /usr/lib64/libstdc++.so.6.0.19 0x7ff68e908000-0x7ff68e910000 /usr/lib64/libstdc++.so.6.0.19 0x7ff68e910000-0x7ff68e912000 /usr/lib64/libstdc++.so.6.0.19 0x7ff68e912000-0x7ff68e927000
0x7ff68e927000-0x7ff68e929000 /usr/lib64/libdl-2.17.so 0x7ff68e929000-0x7ff68eb29000 /usr/lib64/libdl-2.17.so 0x7ff68eb29000-0x7ff68eb2a000 /usr/lib64/libdl-2.17.so 0x7ff68eb2a000-0x7ff68eb2b000 /usr/lib64/libdl-2.17.so 0x7ff68eb2b000-0x7ff68eb42000 /usr/lib64/libpthread-2.17.so 0x7ff68eb42000-0x7ff68ed41000 /usr/lib64/libpthread-2.17.so 0x7ff68ed41000-0x7ff68ed42000 /usr/lib64/libpthread-2.17.so 0x7ff68ed42000-0x7ff68ed43000 /usr/lib64/libpthread-2.17.so 0x7ff68ed43000-0x7ff68ed47000
0x7ff68ed47000-0x7ff68eeff000 /usr/lib64/libc-2.17.so 0x7ff68eeff000-0x7ff68f0ff000 /usr/lib64/libc-2.17.so 0x7ff68f0ff000-0x7ff68f103000 /usr/lib64/libc-2.17.so 0x7ff68f103000-0x7ff68f105000 /usr/lib64/libc-2.17.so 0x7ff68f105000-0x7ff68f10a000
0x7ff68f10a000-0x7ff68f11f000 /usr/lib64/libz.so.1.2.7 0x7ff68f11f000-0x7ff68f31e000 /usr/lib64/libz.so.1.2.7 0x7ff68f31e000-0x7ff68f31f000 /usr/lib64/libz.so.1.2.7 0x7ff68f31f000-0x7ff68f320000 /usr/lib64/libz.so.1.2.7 0x7ff68f320000-0x7ff68f339000 ./product/zziplib/master/exe_asan/lib/libzzip-0.so.13.0.65 0x7ff68f339000-0x7ff68f538000 ./product/zziplib/master/exe_asan/lib/libzzip-0.so.13.0.65 0x7ff68f538000-0x7ff68f539000 ./product/zziplib/master/exe_asan/lib/libzzip-0.so.13.0.65 0x7ff68f539000-0x7ff68f53a000 ./product/zziplib/master/exe_asan/lib/libzzip-0.so.13.0.65 0x7ff68f53a000-0x7ff68f53b000
0x7ff68f53b000-0x7ff68f632000 /usr/lib64/libasan.so.2.0.0 0x7ff68f632000-0x7ff68f832000 /usr/lib64/libasan.so.2.0.0 0x7ff68f832000-0x7ff68f835000 /usr/lib64/libasan.so.2.0.0 0x7ff68f835000-0x7ff68f836000 /usr/lib64/libasan.so.2.0.0 0x7ff68f836000-0x7ff6904ab000
0x7ff6904ab000-0x7ff6904cc000 /usr/lib64/ld-2.17.so 0x7ff690662000-0x7ff690669000
0x7ff690683000-0x7ff6906c0000
0x7ff6906c1000-0x7ff6906cc000
0x7ff6906cc000-0x7ff6906cd000 /usr/lib64/ld-2.17.so 0x7ff6906cd000-0x7ff6906ce000 /usr/lib64/ld-2.17.so 0x7ff6906ce000-0x7ff6906cf000
0x7ffcd3484000-0x7ffcd34a5000 [stack] 0x7ffcd34ff000-0x7ffcd3501000 [vdso] 0xffffffffff600000-0xffffffffff601000 [vsyscall] ==10395==End of process memory map. ==10395==AddressSanitizer CHECK failed: ../../../../libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
0 0x7ff68f5dba31 (/lib64/libasan.so.2+0xa0a31)