oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

zziplib: NULL pointer dereference in prescan_entry (fseeko.c)

From: Agostino Sarubbo <ago () gentoo org>
Date: Thu, 09 Feb 2017 14:47:14 +0100
Description:
zziplib is an intentionally lightweight library that offers the ability to 
easily extract data from files archived in a single zip file.

The unzzipcat-seeko utility provided by the package, by default, without any 
crafted zip shows a NULL pointer access. For completeness I’m attaching my 
reproducer.

The complete ASan output:

# unzzipcat-seeko $FILE
==3376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x00000041f8da bp 0xbebebebebebebeae sp 0x7ffe6020c2a0 T0)                                                              
                                                                           
==3376==The signal is caused by a READ memory access.                                                                   
                                                                                                                        
                               
==3376==Hint: address points to the zero page.                                                                          
                                                                                                                        
                               
    #0 0x41f8d9 in __asan::Allocator::Reallocate(void*, unsigned long, 
__sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550                                              
            
    #1 0x41f8d9 in __asan::asan_realloc(void*, unsigned long, 
__sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:748                                              
                     
    #2 0x4d29a1 in __interceptor_realloc /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:85                                            
                                                                            
    #3 0x7f21bce0f146 in prescan_entry /tmp/portage/dev-libs/zziplib-0.13.62-
r1/work/zziplib-0.13.62/zzip/fseeko.c:189:25                                                                            
                                                                          
    #4 0x7f21bce0f146 in zzip_entry_findfirst /tmp/portage/dev-
libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:324                                                          
                                                                                        
    #5 0x509cb3 in main /tmp/portage/dev-libs/zziplib-0.13.62-
r1/work/zziplib-0.13.62/bins/unzzipcat-seeko.c:79:22                                                                    
                                                                                         
    #6 0x7f21bbf5261f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                 
                                                                                       
    #7 0x4197e8 in _init (/usr/bin/unzzipcat-seeko+0x4197e8)                                                            
                                                                                                                        
                               
                                                                                                                        
                                                                                                                        
                               
AddressSanitizer can not provide additional info.                                                                       
                                                                                                                        
                               
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550 in 
__asan::Allocator::Reallocate(void*, unsigned long, 
__sanitizer::BufferedStackTrace*)                                          
==3376==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00157-zziplib-nullptr-prescan_entry

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue

Note:
This bug was found with Address Sanitizer.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
Previous By Date Next
Previous By Thread Next

Current thread: