Description:
libzip is a library for manipulating zip archives.
The relevant ASan output of the issue:
# ziptool $FILE cat index ==1771==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000000d1 at pc 0x7f267d085fc1 bp 0x7ffed21f65f0 sp 0x7ffed21f65e8 READ of size 1 at 0x6030000000d1 thread T0 #0 0x7f267d085fc0 in _zip_buffer_free /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:53:17 #1 0x7f267d092646 in _zip_dirent_read /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c #2 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69 #3 0x7f267d0aabfe in _zip_find_central_dir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613 #4 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200 #5 0x7f267d0a89b7 in zip_open_from_source /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11 #6 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15 #7 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13 #8 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113 #9 0x7f267c1b5680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289 #10 0x41b058 in _init (/usr/bin/ziptool+0x41b058) 0x6030000000d1 is located 1 bytes inside of 32-byte region [0x6030000000d0,0x6030000000f0) freed by thread T0 here: #0 0x4d0850 in __interceptor_cfree /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:55 #1 0x7f267d085f83 in _zip_buffer_free /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:57:5 #2 0x7f267d0935ea in _zip_dirent_read /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c:571:9 #3 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69 #4 0x7f267d0aabfe in _zip_find_central_dir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613 #5 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200 #6 0x7f267d0a89b7 in zip_open_from_source /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11 #7 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15 #8 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13 #9 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113 #10 0x7f267c1b5680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289 previously allocated by thread T0 here: #0 0x4d0a08 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:66 #1 0x7f267d0879d8 in _zip_buffer_new /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:168:35 #2 0x7f267d0879d8 in _zip_buffer_new_from_source /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:190 #3 0x7f267d0927c2 in _zip_dirent_read /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c:443:23 #4 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69 #5 0x7f267d0aabfe in _zip_find_central_dir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613 #6 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200 #7 0x7f267d0a89b7 in zip_open_from_source /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11 #8 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15 #9 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13 #10 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113 #11 0x7f267c1b5680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:53:17 in _zip_buffer_free Shadow bytes around the buggy address: 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd =>0x0c067fff8010: fd fd fa fa fd fd fd fd fa fa[fd]fd fd fd fa fa 0x0c067fff8020: 00 00 00 00 fa fa fd fd fd fa fa fa fd fd fd fd 0x0c067fff8030: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 0x0c067fff8040: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1771==ABORTING
Affected version:
1.2.0
Fixed version:
1.3.0
Commit fix:
https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
This issue can be identified as CVE-2017-12858 which was originally discovered by Brian Carpenter
Reproducer:
https://github.com/asarubbo/poc/blob/master/00239-libzip-UAF-_zip_buffer_free
Timeline:
2017-08-29: upstream released a fix as it fixed another issue
2017-08-24: bug discovered and reported to upstream
2017-09-01: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.
Permalink: