mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c)

Description:
Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.

A crafted image posted early for another issue, causes a stack overflow.

The complete ASan output:

# mujstest $FILE
==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
WRITE of size 1453 at 0x7fff29560b00 thread T0
    #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
    #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:358:7
    #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)

Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in frame
    #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:293

  This frame has 7 object(s):
    [32, 1056) 'path'
    [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows this variable
    [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows this variable
    [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows this variable
    [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows this variable
    [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows this variable
    [2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32127==ABORTING

Affected version:
1.10a

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6060

Reproducer:
https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main

Timeline:
2017-02-05: bug discovered and reported to upstream
2017-02-17: blog post about the issue
2017-02-17: CVE assigned via cveform.mitre.org

Note:
This bug was found with Address Sanitizer.

Permalink:
https://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c

Posted in advisories, security | Leave a comment

mupdf: use-after-free in fz_subsample_pixmap (pixmap.c)

Description:
mupdf is a lightweight PDF viewer and toolkit written in portable C.

A fuzzing through mutool revealed a use-after-free. It seems that a fix for the recent heap overflow in fz_subsample_pixmap fixes this issue too.

The complete ASan output:

 # mutool draw $FILE
==17100==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000abb6 at pc 0x7fba6a8cee53 bp 0x7ffedf859700 sp 0x7ffedf8596f8                                                                                                                                       
READ of size 1 at 0x60c00000abb6 thread T0                                                                                                                                                                                                                                     
    #0 0x7fba6a8cee52 in fz_subsample_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12                                                                                                                                            
    #1 0x7fba6a8d4dfa in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:686:3                                                                                                                                          
    #2 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11                                                                                                                                        
    #3 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3                                                                                                                                                    
    #4 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6                                                                                                                                        
    #5 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4                                                                                                                                                              
    #6 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6                                                                                                                                                            
    #7 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3                                                                                                                                                             
    #8 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5                                                                                                                                                            
    #9 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7                                                                                                                                                          
    #10 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12                                                                                                                                                                
    #11 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                    
    #12 0x41e1a8 in _init (/usr/bin/mutool+0x41e1a8)                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                               
0x60c00000abb6 is located 1 bytes to the right of 117-byte region [0x60c00000ab40,0x60c00000abb5)                                                                                                                                                                              
freed by thread T0 here:                                                                                                                                                                                                                                                       
    #0 0x4d6c10 in free /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47                                                                                                                                         
    #1 0x7fba6a810878 in fz_free /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:187:2                                                                                                                                                          
    #2 0x7fba6a8d0a0c in fz_decomp_image_from_stream /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:330:3                                                                                                                                       
    #3 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
    #4 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
    #5 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
    #6 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
    #7 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
    #8 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
    #9 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
    #10 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
    #11 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
    #12 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
    #13 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12
    #14 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4d6f68 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fba6a80c08f in do_scavenging_malloc /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:17:7
    #2 0x7fba6a80c08f in fz_malloc_array /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:80
    #3 0x7fba6a8cfd40 in fz_decomp_image_from_stream /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:268:13
    #4 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
    #5 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
    #6 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
    #7 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
    #8 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
    #9 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
    #10 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
    #11 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
    #12 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
    #13 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
    #14 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12
    #15 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12 in fz_subsample_pixmap
Shadow bytes around the buggy address:
  0x0c187fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fff9570: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
  0x0c187fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
  0x0c187fff9590: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff95a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fff95b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff95c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17100==ABORTING

Affected version:
1.10a

Fixed version:
1.11 (that will be released in march)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Reproducer:
https://github.com/asarubbo/poc/blob/master/00149-mupdf-UAF-fz_subsample_pixmap

Timeline:
2017-02-06: bug discovered and reported to upstream
2017-02-09: upstream released a patch
2017-02-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c

Posted in advisories, security | Leave a comment

zziplib: assertion failure in seeko.c

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an a NULL pointer access.

The complete ASan output:

# unzzipcat-seeko $FILE
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:313: ZZIP_ENTRY *zzip_entry_findfirst(FILE *): Assertion `0 <= root && root < mapsize' failed.

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5981

Reproducer:
https://github.com/asarubbo/poc/blob/master/00161-zziplib-assertionfailure-seeko_C

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c

Posted in advisories, security | Leave a comment

zziplib: load of misaligned address in memdisk.c

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered the load of a misaligned address. It can cause undefined behavior.

The complete ASan output:

# unzzipcat-mem $FILE
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:250:33: runtime error: load of misaligned address 0x00000295d17d for type 'uint16_t' (aka 'unsigned short'), which requires 2 byte alignment
0x00000295d17d: note: pointer points here
 5a 45 93 58 75 70 0b  00 00 61 64 0a 50 4b 01  02 1e 03 0a 00 00 00 00  ff ff ff ff 42 00 00 00  b1
             ^ 
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:256:22: runtime error: load of misaligned address 0x00000295d17f for type 'uint16_t' (aka 'unsigned short'), which requires 2 byte alignment
0x00000295d17f: note: pointer points here
 93 58 75 70 0b  00 00 61 64 0a 50 4b 01  02 1e 03 0a 00 00 00 00  ff ff ff ff 42 00 00 00  b1 01 00
             ^

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00160-zziplib-misalignedadd-memdisk_c

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-load-of-misaligned-address-in-memdisk-c

Posted in advisories, security | Leave a comment

zziplib: NULL pointer dereference in main (unzzipcat.c)

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an a NULL pointer access.

The complete ASan output:

# unzzipcat $FILE
==22686==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f6de98b259a bp 0x7ffddc25a080 sp 0x7ffddc259f98 T0)
==22686==The signal is caused by a READ memory access.
==22686==Hint: address points to the zero page.
    #0 0x7f6de98b2599 in strlen /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/strlen.S:76
    #1 0x7f6de989b7ab in _IO_puts /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/ioputs.c:36
    #2 0x509d73 in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat.c:94:6
    #3 0x7f6de985161f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x419848 in _init (/usr/bin/unzzipcat+0x419848)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/strlen.S:76 in strlen
==22686==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00158-zziplib-nullptr-main

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-main-unzzipcat-c

Posted in advisories, security | Leave a comment

zziplib: NULL pointer dereference in zzip_mem_entry_new (memdisk.c)

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an NULL pointer access.

The complete ASan output:

# unzzipcat-mem $FILE
==7955==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001a (pc 0x7fcfc78e3c50 bp 0x7ffdf55d4f70 sp 0x7ffdf55d4e40 T0)
==7955==The signal is caused by a READ memory access.
==7955==Hint: address points to the zero page.
    #0 0x7fcfc78e3c4f in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:182:21
    #1 0x7fcfc78e3c4f in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #2 0x7fcfc78e38b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #3 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #4 0x7fcfc6a2361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:182:21 in zzip_mem_entry_new
==7955==ABORTING

also, the undefined behavior sanitizer says about:

# unzzipcat-mem $FILE
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:182:21: runtime error: member access within null pointer of type 'struct zzip_file_header'

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5980

Reproducer:
https://github.com/asarubbo/poc/blob/master/00154-zziplib-nullptr-zzip_mem_entry_new

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c

Posted in advisories, security | Leave a comment

zziplib: NULL pointer dereference in prescan_entry (fseeko.c)

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

The unzzipcat-seeko utility provided by the package, by default, without any crafted zip shows a NULL pointer access. For completeness I’m attaching my reproducer.

The complete ASan output:

# unzzipcat-seeko $FILE
==3376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041f8da bp 0xbebebebebebebeae sp 0x7ffe6020c2a0 T0)                                                                                                                                         
==3376==The signal is caused by a READ memory access.                                                                                                                                                                                                                          
==3376==Hint: address points to the zero page.                                                                                                                                                                                                                                 
    #0 0x41f8d9 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550                                                          
    #1 0x41f8d9 in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:748                                                                   
    #2 0x4d29a1 in __interceptor_realloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:85                                                                                                                        
    #3 0x7f21bce0f146 in prescan_entry /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:189:25                                                                                                                                                      
    #4 0x7f21bce0f146 in zzip_entry_findfirst /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:324                                                                                                                                                  
    #5 0x509cb3 in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-seeko.c:79:22                                                                                                                                                             
    #6 0x7f21bbf5261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        
    #7 0x4197e8 in _init (/usr/bin/unzzipcat-seeko+0x4197e8)                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                               
AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*)                                          
==3376==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5979

Reproducer:
https://github.com/asarubbo/poc/blob/master/00157-zziplib-nullptr-prescan_entry

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with Address Sanitizer.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c

Posted in advisories, security | Leave a comment

zziplib: out of bounds read in zzip_mem_entry_new (memdisk.c)

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an out of bounds read.

The complete ASan output:

# unzzipcat-mem $FILE
==7934==ERROR: AddressSanitizer: unknown-crash on address 0x7f439a704000 at pc 0x0000004bb815 bp 0x7fff911ebe30 sp 0x7fff911eb5e0
READ of size 59396 at 0x7f439a704000 thread T0
    #0 0x4bb814 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f439a3da299 in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:210:13
    #2 0x7f439a3da299 in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #3 0x7f439a3d98b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #4 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #5 0x7f439951961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe8f34d87b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe8f34d8800:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7934==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5978

Reproducer:
https://github.com/asarubbo/poc/blob/master/00156-zziplib-oobread-zzip_mem_entry_new

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c

Posted in advisories, security | Leave a comment

zziplib: NULL pointer dereference in main (unzzipcat-mem.c)

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an a NULL pointer access.

The complete ASan output:

# unzzipcat-mem $FILE
==7919==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f9a138fb59a bp 0x7ffe1c0b0050 sp 0x7ffe1c0aff78 T0)
==7919==The signal is caused by a READ memory access.
==7919==Hint: address points to the zero page.
    #0 0x7f9a138fb599 in strlen /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/strlen.S:76
    #1 0x7f9a138e47ab in _IO_puts /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/ioputs.c:36
    #2 0x509c8b in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:94:6
    #3 0x7f9a1389a61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/strlen.S:76 in strlen
==7919==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00155-zziplib-nullptr-main

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-main-unzzipcat-mem-c

Posted in advisories, security | Leave a comment

zziplib: invalid memory read in zzip_mem_entry_extra_block (memdisk.c)

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an invalid memory read.

The complete ASan output:

# unzzipcat-mem $FILE
==7950==ERROR: AddressSanitizer: SEGV on unknown address 0x603000014e32 (pc 0x7f414b4c8693 bp 0x7fff48f3ff70 sp 0x7fff48f3fe40 T0)
==7950==The signal is caused by a READ memory access.
    #0 0x7f414b4c8692 in zzip_mem_entry_extra_block /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:248:20
    #1 0x7f414b4c8692 in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:218
    #2 0x7f414b4c8692 in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #3 0x7f414b4c78b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #4 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #5 0x7f414a60761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:248:20 in zzip_mem_entry_extra_block
==7950==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5977

Reproducer:
https://github.com/asarubbo/poc/blob/master/00153-zziplib-invalidread-zzip_mem_entry_extra_block

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c

Posted in advisories, security | Leave a comment