Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <816566.780300008-sendEmail@localhost>
Date: Mon, 1 May 2017 11:27:43 +0000
From: "Agostino Sarubbo" <ago@...too.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: rzip: heap-based buffer overflow in read_buf (stream.c)

Description:
rzip is a compression program for large files.

A crafted archive causes an heap overflow write.

The complete ASan output:

# rzip -k -f -d $FILE
Read of length -1325400064 failed - Bad address
=================================================================
==5655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x00000045117e bp 0x7ffc9d9f6980 sp 0x7ffc9d9f6130
WRITE of size 187 at 0x60200000efb1 thread T0
    #0 0x45117d in read /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:765
    #1 0x52b8c6 in read_buf /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/stream.c:153:8
    #2 0x526d44 in fill_buffer /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/stream.c:406:6
    #3 0x526d44 in read_stream /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/stream.c:464
    #4 0x518ed9 in unzip_literal /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/runzip.c:75:2
    #5 0x518ed9 in runzip_chunk /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/runzip.c:156
    #6 0x518ed9 in runzip_fd /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/runzip.c:184
    #7 0x51bbfd in decompress_file /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/main.c:176:2
    #8 0x51bbfd in main /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/main.c:334
    #9 0x7f4dd0db578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #10 0x419908 in _init (/usr/bin/rzip+0x419908)

0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x4d26c8 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x5269e0 in fill_buffer /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/stream.c:402:25
    #2 0x5269e0 in read_stream /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/stream.c:464
    #3 0x518ed9 in unzip_literal /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/runzip.c:75:2
    #4 0x518ed9 in runzip_chunk /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/runzip.c:156
    #5 0x518ed9 in runzip_fd /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/runzip.c:184
    #6 0x51bbfd in decompress_file /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/main.c:176:2
    #7 0x51bbfd in main /tmp/portage/app-arch/rzip-2.1-r2/work/rzip-2.1/main.c:334
    #8 0x7f4dd0db578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:765 in read
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa fd fd fa fa 00 05
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5655==ABORTING

Affected version:
2.1

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8364

Reproducer:
https://github.com/asarubbo/poc/blob/master/00277-rzip-heap-overflow-read_buf.rz

Timeline:
2017-04-11: bug discovered and reported to upstream
2017-04-29: blog post about the issue
2017-04-30: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/04/29/rzip-heap-based-buffer-overflow-in-read_buf-stream-c/

--
Agostino Sarubbo
Gentoo Linux Developer


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.