{"id":1702,"date":"2017-04-29T16:46:55","date_gmt":"2017-04-29T14:46:55","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1702"},"modified":"2017-05-01T13:27:58","modified_gmt":"2017-05-01T11:27:58","slug":"rzip-heap-based-buffer-overflow-in-read_buf-stream-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/04\/29\/rzip-heap-based-buffer-overflow-in-read_buf-stream-c\/","title":{"rendered":"rzip: heap-based buffer overflow in read_buf (stream.c)"},"content":{"rendered":"

Description<\/strong>:
\nrzip<\/a> is a compression program for large files.<\/p>\n

A crafted archive causes an heap overflow write.<\/p>\n

The complete ASan output:<\/p>\n

# rzip -k -f -d $FILE\r\nRead of length -1325400064 failed - Bad address\r\n=================================================================\r\n==5655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x00000045117e bp 0x7ffc9d9f6980 sp 0x7ffc9d9f6130\r\nWRITE of size 187 at 0x60200000efb1 thread T0\r\n    #0 0x45117d in read \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:765\r\n    #1 0x52b8c6 in read_buf \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/stream.c:153:8\r\n    #2 0x526d44 in fill_buffer \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/stream.c:406:6\r\n    #3 0x526d44 in read_stream \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/stream.c:464\r\n    #4 0x518ed9 in unzip_literal \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/runzip.c:75:2\r\n    #5 0x518ed9 in runzip_chunk \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/runzip.c:156\r\n    #6 0x518ed9 in runzip_fd \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/runzip.c:184\r\n    #7 0x51bbfd in decompress_file \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/main.c:176:2\r\n    #8 0x51bbfd in main \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/main.c:334\r\n    #9 0x7f4dd0db578f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #10 0x419908 in _init (\/usr\/bin\/rzip+0x419908)\r\n\r\n0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)\r\nallocated by thread T0 here:\r\n    #0 0x4d26c8 in malloc \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:64\r\n    #1 0x5269e0 in fill_buffer \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/stream.c:402:25\r\n    #2 0x5269e0 in read_stream \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/stream.c:464\r\n    #3 0x518ed9 in unzip_literal \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/runzip.c:75:2\r\n    #4 0x518ed9 in runzip_chunk \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/runzip.c:156\r\n    #5 0x518ed9 in runzip_fd \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/runzip.c:184\r\n    #6 0x51bbfd in decompress_file \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/main.c:176:2\r\n    #7 0x51bbfd in main \/tmp\/portage\/app-arch\/rzip-2.1-r2\/work\/rzip-2.1\/main.c:334\r\n    #8 0x7f4dd0db578f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:765 in read\r\nShadow bytes around the buggy address:\r\n  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa fd fd fa fa 00 05\r\n  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==5655==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n2.1<\/p>\n
Fixed version:<\/strong>
\nN\/A<\/p>\n
Commit fix:<\/strong>
\nN\/A<\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2017-8364<\/p>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00277-rzip-heap-overflow-read_buf.rz<\/a><\/p>\n
Timeline:<\/strong>
\n2017-04-11: bug discovered and reported to upstream
\n2017-04-29: blog post about the issue
\n2017-04-30: CVE assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
rzip: heap-based buffer overflow in read_buf (stream.c)<\/a><\/p><\/blockquote>\n