oss-sec mailing list archives
zziplib: NULL pointer dereference in prescan_entry (fseeko.c)
From: Agostino Sarubbo <ago () gentoo org>
Date: Thu, 09 Feb 2017 14:47:14 +0100
Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

The unzzipcat-seeko utility provided by the package, by default, without any crafted zip shows a NULL pointer access. For completeness I’m attaching my reproducer.

The complete ASan output:

# unzzipcat-seeko $FILE
==3376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041f8da bp 0xbebebebebebebeae sp 0x7ffe6020c2a0 T0)
==3376==The signal is caused by a READ memory access.
==3376==Hint: address points to the zero page.
    #0 0x41f8d9 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550
    #1 0x41f8d9 in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:748
    #2 0x4d29a1 in __interceptor_realloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:85
    #3 0x7f21bce0f146 in prescan_entry /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:189:25
    #4 0x7f21bce0f146 in zzip_entry_findfirst /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:324
    #5 0x509cb3 in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-seeko.c:79:22
    #6 0x7f21bbf5261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x4197e8 in _init (/usr/bin/unzzipcat-seeko+0x4197e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*)
==3376==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00157-zziplib-nullptr-prescan_entry

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue

Note:
This bug was found with Address Sanitizer.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c

--
Agostino Sarubbo
Gentoo Linux Developer
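Triage helper, added here as an example and not part of the report or of zziplib: it parses an ASan SEGV report of the shape quoted above, skips the sanitizer-runtime frames (`__asan::*`, `__interceptor_*`) that sit on top of every such stack, and returns the first project frame, which for this report is `prescan_entry` at `zzip/fseeko.c:189:25`. It also classifies an access to the zero page as a NULL pointer dereference and flags registers filled with ASan's default malloc fill byte (0xbe), a hint that a value came from heap memory that was never initialised; that last check is a heuristic, not something the report states. The sample input is constructed from the quoted output with the archive's line-wrap artefacts removed.

```python
"""Parse an AddressSanitizer SEGV report and locate the first project frame."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the ASan output quoted in the report above.
SAMPLE_REPORT = """\
==3376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041f8da bp 0xbebebebebebebeae sp 0x7ffe6020c2a0 T0)
==3376==The signal is caused by a READ memory access.
==3376==Hint: address points to the zero page.
    #0 0x41f8d9 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550
    #1 0x41f8d9 in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:748
    #2 0x4d29a1 in __interceptor_realloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:85
    #3 0x7f21bce0f146 in prescan_entry /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:189:25
    #4 0x7f21bce0f146 in zzip_entry_findfirst /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:324
    #5 0x509cb3 in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-seeko.c:79:22
    #6 0x7f21bbf5261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x4197e8 in _init (/usr/bin/unzzipcat-seeko+0x4197e8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV asan_allocator.cc:550 in __asan::Allocator::Reallocate(...)
==3376==ABORTING
"""

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-fA-F]+)(?P<rest>.*)"
)
REG_RE = re.compile(r"\b(pc|bp|sp) (0x[0-9a-fA-F]+)")
# "#N 0xADDR in FUNC LOCATION": FUNC may contain spaces (C++ signatures),
# LOCATION is always the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+) (?P<loc>\S+)$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")

# Sanitizer runtime and interceptor frames; they never hold the bug itself.
RUNTIME_PREFIXES = ("__asan", "__sanitizer", "__interceptor_", "__lsan", "__ubsan", "__msan", "__tsan")
RUNTIME_PATHS = ("compiler-rt/lib/", "/libsanitizer/")  # LLVM and GCC runtime trees


@dataclass
class Frame:
    index: int
    func: str
    file: str
    line: Optional[int]
    col: Optional[int]

    def is_runtime(self) -> bool:
        return self.func.startswith(RUNTIME_PREFIXES) or any(p in self.file for p in RUNTIME_PATHS)


@dataclass
class AsanReport:
    kind: str
    addr: int
    regs: Dict[str, int]
    frames: List[Frame]


def parse_report(text: str) -> AsanReport:
    kind, addr, regs, frames = None, 0, {}, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            kind, addr = m.group("kind"), int(m.group("addr"), 16)
            regs = {name: int(val, 16) for name, val in REG_RE.findall(m.group("rest"))}
            continue
        m = FRAME_RE.match(line)
        if m:
            loc = m.group("loc")
            lm = LOC_RE.match(loc)
            if lm:  # file:line[:col]
                frames.append(Frame(int(m.group("idx")), m.group("func"), lm.group("file"),
                                    int(lm.group("line")), int(lm.group("col")) if lm.group("col") else None))
            else:   # "(binary+offset)" with no debug info
                frames.append(Frame(int(m.group("idx")), m.group("func"), loc, None, None))
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return AsanReport(kind, addr, regs, frames)


def first_project_frame(report: AsanReport) -> Optional[Frame]:
    """First frame below the sanitizer runtime: where to start reading the code."""
    return next((f for f in report.frames if not f.is_runtime()), None)


def classify(report: AsanReport) -> str:
    # A fault inside the first page is the classic NULL (or NULL + small offset) dereference.
    if report.kind == "SEGV":
        return "null-pointer-dereference" if report.addr < 0x1000 else "wild-pointer-access"
    return report.kind


def uninit_register_hints(report: AsanReport) -> List[str]:
    """Registers made almost entirely of 0xbe bytes (ASan's default malloc fill
    byte); heuristic hint that the value came from uninitialised heap memory."""
    return [name for name, val in report.regs.items()
            if val.to_bytes(8, "big").count(0xBE) >= 6]


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    top = first_project_frame(rep)
    print(classify(rep), "at", f"{top.func} {top.file}:{top.line}:{top.col}" if top else "<unknown>")
    print("registers that look uninitialised:", uninit_register_hints(rep))
```

Run as a script it reports the crash class and the frame to inspect first; feed it any other ASan report via `parse_report` to apply the same triage, and adjust `RUNTIME_PATHS` if your sanitizer runtime is built from a different source tree.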