{"id":1309,"date":"2017-02-09T15:39:13","date_gmt":"2017-02-09T13:39:13","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1309"},"modified":"2017-02-09T15:39:13","modified_gmt":"2017-02-09T13:39:13","slug":"zziplib-load-of-misaligned-address-in-memdisk-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/09\/zziplib-load-of-misaligned-address-in-memdisk-c\/","title":{"rendered":"zziplib: load of misaligned address in memdisk.c"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/zziplib.sourceforge.net\/\">zziplib<\/a> is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.<\/p>\n<p>Fuzzing it uncovered a load from a misaligned address, which is undefined behavior.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># unzzipcat-mem $FILE\r\n\/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:250:33: runtime error: load of misaligned address 0x00000295d17d for type 'uint16_t' (aka 'unsigned short'), which requires 2 byte alignment\r\n0x00000295d17d: note: pointer points here\r\n 5a 45 93 58 75 70 0b  00 00 61 64 0a 50 4b 01  02 1e 03 0a 00 00 00 00  ff ff ff ff 42 00 00 00  b1\r\n             ^ \r\n\/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:256:22: runtime error: load of misaligned address 0x00000295d17f for type 'uint16_t' (aka 'unsigned short'), which requires 2 byte alignment\r\n0x00000295d17f: note: pointer points here\r\n 93 58 75 70 0b  00 00 61 64 0a 50 4b 01  02 1e 03 0a 00 00 00 00  ff ff ff ff 42 00 00 00  b1 01 00\r\n             ^\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.13.62<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of 
Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00160-zziplib-misalignedadd-memdisk_c\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00160-zziplib-misalignedadd-memdisk_c<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-01-17: bug discovered and poked upstream<br \/>\n2017-02-09: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\nhttps:\/\/blogs.gentoo.org\/ago\/2017\/02\/09\/zziplib-load-of-misaligned-address-in-memdisk-c<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file. A fuzz on it discovered the load of a misaligned address. It can cause undefined behavior. 
The &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/09\/zziplib-load-of-misaligned-address-in-memdisk-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-l7","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1309"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1309"}],"version-history":[{"count":1,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1309\/revisions"}],"predecessor-version":[{"id":1310,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1309\/revisions\/1310"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}