oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

libzip: use-after-free in _zip_buffer_free (zip_buffer.c)

From: "Agostino Sarubbo" <ago () gentoo org>
Date: Sat, 2 Sep 2017 18:43:53 +0000
Description:
libzip is a library for manipulating zip archives.

The relevant ASan output of the issue:

# ziptool $FILE cat index
==1771==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000000d1 at pc 0x7f267d085fc1 bp 0x7ffed21f65f0 
sp 0x7ffed21f65e8     
READ of size 1 at 0x6030000000d1 thread T0   
    #0 0x7f267d085fc0 in _zip_buffer_free 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:53:17    
    #1 0x7f267d092646 in _zip_dirent_read /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c
    #2 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69  
    #3 0x7f267d0aabfe in _zip_find_central_dir 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613   
    #4 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200
    #5 0x7f267d0a89b7 in zip_open_from_source 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11 
    #6 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15    
    #7 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13    
    #8 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113 
    #9 0x7f267c1b5680 in __libc_start_main 
/var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289    
    #10 0x41b058 in _init (/usr/bin/ziptool+0x41b058)  

0x6030000000d1 is located 1 bytes inside of 32-byte region [0x6030000000d0,0x6030000000f0)
freed by thread T0 here: 
    #0 0x4d0850 in __interceptor_cfree 
/var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:55  
    #1 0x7f267d085f83 in _zip_buffer_free /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:57:5
    #2 0x7f267d0935ea in _zip_dirent_read 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c:571:9    
    #3 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69  
    #4 0x7f267d0aabfe in _zip_find_central_dir 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613   
    #5 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200
    #6 0x7f267d0a89b7 in zip_open_from_source 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11 
    #7 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15    
    #8 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13
    #9 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113
    #10 0x7f267c1b5680 in __libc_start_main 
/var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4d0a08 in malloc 
/var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f267d0879d8 in _zip_buffer_new 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:168:35
    #2 0x7f267d0879d8 in _zip_buffer_new_from_source 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:190
    #3 0x7f267d0927c2 in _zip_dirent_read 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c:443:23
    #4 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69
    #5 0x7f267d0aabfe in _zip_find_central_dir 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613
    #6 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200
    #7 0x7f267d0a89b7 in zip_open_from_source 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11
    #8 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15
    #9 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13
    #10 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113
    #11 0x7f267c1b5680 in __libc_start_main 
/var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-use-after-free 
/var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:53:17 in _zip_buffer_free
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
=>0x0c067fff8010: fd fd fa fa fd fd fd fd fa fa[fd]fd fd fd fa fa
  0x0c067fff8020: 00 00 00 00 fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c067fff8030: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff8040: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1771==ABORTING

Affected version:
1.2.0

Fixed version:
1.3.0

Commit fix:
https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
This issue can be identified as CVE-2017-12858 which was originally discovered by Brian Carpenter

Reproducer:
https://github.com/asarubbo/poc/blob/master/00239-libzip-UAF-_zip_buffer_free

Timeline:
2017-08-29: upstream released a fix as it fixed another issue
2017-08-24: bug discovered and reported to upstream
2017-09-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core 
Infrastructure Initiative.

Permalink:
https://blogs.gentoo.org/ago/2017/09/01/libzip-use-after-free-in-_zip_buffer_free-zip_buffer-c/

--
Agostino Sarubbo
Gentoo Linux Developer
Previous By Date Next
Previous By Thread Next

Current thread: