{"id":1764,"date":"2017-05-07T20:16:34","date_gmt":"2017-05-07T18:16:34","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1764"},"modified":"2017-05-09T10:04:57","modified_gmt":"2017-05-09T08:04:57","slug":"lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/05\/07\/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c\/","title":{"rendered":"lrzip: heap-based buffer overflow write in read_1g (stream.c)"},"content":{"rendered":"

Description<\/strong>:
\nlrzip<\/a> is a compression utility that excels at compressing large files.<\/p>\n

The complete ASan output of the issue:<\/p>\n

# lrzip -t $FILE\r\n==25584==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef33 at pc 0x00000045246e bp 0x7ffd881d4970 sp 0x7ffd881d4120\r\nWRITE of size 8 at 0x60200000ef33 thread T0\r\n    #0 0x45246d in read \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:765\r\n    #1 0x537ce1 in read_1g \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/stream.c:731:9\r\n    #2 0x53e349 in read_buf \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/stream.c:774:8\r\n    #3 0x53e349 in fill_buffer \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/stream.c:1648\r\n    #4 0x53e349 in read_stream \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/stream.c:1755\r\n    #5 0x5307fc in read_vchars \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/runzip.c:79:6\r\n    #6 0x5307fc in unzip_match \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/runzip.c:208\r\n    #7 0x5307fc in runzip_chunk \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/runzip.c:329\r\n    #8 0x5307fc in runzip_fd \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/runzip.c:382\r\n    #9 0x519b41 in decompress_file \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/lrzip.c:826:6\r\n    #10 0x511074 in main \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/main.c:669:4\r\n    #11 0x7f02ed48f78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #12 0x41abf8 in _init (\/usr\/bin\/lrzip+0x41abf8)\r\n\r\n0x60200000ef33 is located 0 bytes to the right of 3-byte region [0x60200000ef30,0x60200000ef33)\r\nallocated by thread T0 here:\r\n    #0 0x4d39b8 in malloc \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:64\r\n    #1 0x53e2ab in fill_buffer \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/stream.c:1643:10\r\n    #2 0x53e2ab in read_stream \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/stream.c:1755\r\n    #3 0x5307fc in read_vchars \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/runzip.c:79:6\r\n    #4 0x5307fc in unzip_match \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/runzip.c:208\r\n    #5 0x5307fc in runzip_chunk \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/runzip.c:329\r\n    #6 0x5307fc in runzip_fd \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/runzip.c:382\r\n    #7 0x519b41 in decompress_file \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/lrzip.c:826:6\r\n    #8 0x511074 in main \/tmp\/portage\/app-arch\/lrzip-0.631\/work\/lrzip-0.631\/main.c:669:4\r\n    #9 0x7f02ed48f78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/sys-devel\/llvm-3.9.1-r1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:765 in read\r\nShadow bytes around the buggy address:\r\n  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9de0: fa fa fa fa fa fa[03]fa fa fa fd fd fa fa fd fa\r\n  0x0c047fff9df0: fa fa fd fd fa fa 04 fa fa fa 03 fa fa fa 05 fa\r\n  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==25584==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n0.631<\/p>\n
Fixed version:<\/strong>
\nN\/A<\/p>\n
Commit fix:<\/strong>
\nN\/A<\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2017-8844<\/p>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00232-lrzip-heapoverflow-read_1g<\/a><\/p>\n
Timeline:<\/strong>
\n2017-03-24: bug discovered and reported to upstream
\n2017-05-07: blog post about the issue
\n2017-05-08: CVE assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
lrzip: heap-based buffer overflow write in read_1g (stream.c)<\/a><\/p><\/blockquote>\n