one invalid memory access issue in zzip_disk_entry_to_file_header in mmapped.c #69
Comments
It appears that NVD recently started tracking this as CVE-2020-18770
I've tried to reproduce the SEGV without any success. Building the zziplib in 0.69 in debug for i686 architecture, adding the The pointer mentioned in the error logs should be protected by: Line 279 in 6699e0f
I can't see how "off" affects the clamping operation but at least I would like to make sure that the returned pointer has a full file_header available.
POC:
zip_poc.zip
There exists one invalid memory access issue in zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service. This bug can be triggered by the executable unzzip-mem.
$ unzzip-mem $poc
ASAN:SIGSEGV
==8254==ERROR: AddressSanitizer: SEGV on unknown address 0x1772507f (pc 0xb772ff16 sp 0xbfce6a10 bp 0x0101db82 T0)
#0 0xb772ff15 in zzip_disk_entry_to_file_header /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/mmapped.c:272
#1 0xb77390d8 in zzip_mem_entry_new /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:201
#2 0xb77390d8 in zzip_mem_disk_load /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:160
#3 0xb77386c7 in zzip_mem_disk_open /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:94
#4 0x80ce02e in unzzip_cat /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzipcat-mem.c:72
#5 0x80d0fae in unzzip_extract /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzipcat-mem.c:143
#6 0x80cd5f0 in main /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzip.c:187
#7 0xb74d7af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
#8 0x80caa74 in _start (/home/rookie/asan/zziplib-master/build/bin/unzzip-mem+0x80caa74)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/mmapped.c:272 zzip_disk_entry_to_file_header
==8254==ABORTING
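The check asked for in the comments (that the returned pointer has a full file header available), sketched as an added example; this is not zziplib's code, and `checked_file_header`, `constructed_zip` and the buffer layout are assumptions for illustration. It validates the local header offset against the mapped size before forming the pointer, then checks the signature and the name and extra field lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LFH_FIXED_SIZE 30u          /* fixed part of a ZIP local file header */
#define LFH_MAGIC      0x04034b50u  /* "PK\3\4" read as little-endian */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper (not zziplib's API): turn the "relative offset of
 * local header" from a central directory entry into a pointer inside
 * buf[0..size), or NULL if the header would not be fully readable. */
const uint8_t *checked_file_header(const uint8_t *buf, size_t size, uint32_t off)
{
    /* Compare offsets, not buf + off against an end pointer: on a 32-bit
     * target buf + off can wrap and still pass a pointer comparison. */
    if (size < LFH_FIXED_SIZE || off > size - LFH_FIXED_SIZE)
        return NULL;
    const uint8_t *hdr = buf + off;
    if (rd32(hdr) != LFH_MAGIC)
        return NULL;
    /* File name (length at +26) and extra field (length at +28) follow. */
    size_t var = (size_t)rd16(hdr + 26) + rd16(hdr + 28);
    if (var > size - off - LFH_FIXED_SIZE)
        return NULL;
    return hdr;
}

/* Constructed sample: one local header at offset 8 with a 4-byte name. */
static const uint8_t constructed_zip[48] = {
    [8] = 'P', 'K', 3, 4,   /* signature */
    [34] = 4, 0,            /* file name length */
    [36] = 0, 0,            /* extra field length */
};

int main(void)
{
    const uint32_t offs[] = { 8, 19, 0x17000000u };
    for (size_t i = 0; i < 3; i++)
        printf("off=0x%x -> %s\n", (unsigned)offs[i],
               checked_file_header(constructed_zip, sizeof constructed_zip,
                                   offs[i]) ? "header ok" : "rejected");
    return 0;
}
```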