zziplib: out of bounds read in zzip_mem_entry_new (memdisk.c)

Posted on February 9, 2017 by ago

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an out of bounds read.

The complete ASan output:

# unzzipcat-mem $FILE
==7934==ERROR: AddressSanitizer: unknown-crash on address 0x7f439a704000 at pc 0x0000004bb815 bp 0x7fff911ebe30 sp 0x7fff911eb5e0
READ of size 59396 at 0x7f439a704000 thread T0
    #0 0x4bb814 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f439a3da299 in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:210:13
    #2 0x7f439a3da299 in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #3 0x7f439a3d98b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #4 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #5 0x7f439951961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe8f34d87b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe8f34d8800:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7934==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5978

Reproducer:
https://github.com/asarubbo/poc/blob/master/00156-zziplib-oobread-zzip_mem_entry_new

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c

This entry was posted in advisories, security. Bookmark the permalink.

One Response to zziplib: out of bounds read in zzip_mem_entry_new (memdisk.c)

  1. Pingback: SB17-065: Vulnerability Summary for the Week of February 27, 2017 – sec.uno

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.