zziplib: NULL pointer dereference in zzip_mem_entry_new (memdisk.c)

Posted on February 9, 2017 by ago

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an NULL pointer access.

The complete ASan output:

# unzzipcat-mem $FILE
==7955==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001a (pc 0x7fcfc78e3c50 bp 0x7ffdf55d4f70 sp 0x7ffdf55d4e40 T0)
==7955==The signal is caused by a READ memory access.
==7955==Hint: address points to the zero page.
    #0 0x7fcfc78e3c4f in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:182:21
    #1 0x7fcfc78e3c4f in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #2 0x7fcfc78e38b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #3 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #4 0x7fcfc6a2361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:182:21 in zzip_mem_entry_new
==7955==ABORTING

also, the undefined behavior sanitizer says about:

# unzzipcat-mem $FILE
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:182:21: runtime error: member access within null pointer of type 'struct zzip_file_header'

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5980

Reproducer:
https://github.com/asarubbo/poc/blob/master/00154-zziplib-nullptr-zzip_mem_entry_new

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c

This entry was posted in advisories, security. Bookmark the permalink.

One Response to zziplib: NULL pointer dereference in zzip_mem_entry_new (memdisk.c)

  1. Pingback: SB17-065: Vulnerability Summary for the Week of February 27, 2017 – sec.uno

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.