
one invalid memory access issue in zzip_disk_entry_to_file_header in mmapped.c #69

Open
92wyunchao opened this issue Mar 25, 2019 · 3 comments

Comments

@92wyunchao

POC:
zip_poc.zip

There exists one invalid memory access issue in zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service. This bug can be triggered by the executable unzzip-mem.

$ unzzip-mem $poc

ASAN:SIGSEGV

==8254==ERROR: AddressSanitizer: SEGV on unknown address 0x1772507f (pc 0xb772ff16 sp 0xbfce6a10 bp 0x0101db82 T0)
#0 0xb772ff15 in zzip_disk_entry_to_file_header /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/mmapped.c:272
#1 0xb77390d8 in zzip_mem_entry_new /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:201
#2 0xb77390d8 in zzip_mem_disk_load /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:160
#3 0xb77386c7 in zzip_mem_disk_open /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:94
#4 0x80ce02e in unzzip_cat /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzipcat-mem.c:72
#5 0x80d0fae in unzzip_extract /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzipcat-mem.c:143
#6 0x80cd5f0 in main /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzip.c:187
#7 0xb74d7af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
#8 0x80caa74 in _start (/home/rookie/asan/zziplib-master/build/bin/unzzip-mem+0x80caa74)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/mmapped.c:272 zzip_disk_entry_to_file_header
==8254==ABORTING

gdraheim added a commit that referenced this issue Jan 4, 2021
@nickthetait

It appears that NVD recently started tracking this as CVE-2020-18770

@keentux commented Dec 20, 2023

I've tried to reproduce the SEGV without any success. Building zziplib 0.69 in debug for the i686 architecture, adding -fsanitize=address, and calling unzzip-mem on zip_poc.zip did not fail with an ASAN SEGV.
The issue dates from 4 years ago, but @92wyunchao, do you have more information, or do you still have the issue?

The pointer mentioned in the error logs should be protected by:

if (disk->buffer > ptr || ptr >= disk->endbuf)

@gdraheim (Owner)

I can't see how "off" affects the clamping operation, but at least I would like to make sure that the returned pointer has a full file_header available.

gdraheim added a commit that referenced this issue Feb 26, 2024
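The two comments above turn on one point: a check of the form `disk->buffer > ptr || ptr >= disk->endbuf` proves only that the first byte of the header lies inside the mapping, not that the whole fixed-size local file header does. The following C program is an added example written for this page, not zziplib's own code; the `disk` and `disk_entry` structs, the `sample_disk()` fixture and the function names are hypothetical stand-ins modeled on the discussion. The 30-byte fixed local file header and its "PK\3\4" signature come from the ZIP format itself. It places a constructed 64-byte archive in memory and shows an entry offset (60) that the single-pointer check accepts but that leaves fewer than 30 readable bytes, beside a hardened check done in offset space that also verifies the signature.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-ins for a mapped archive and a central-directory entry
 * (not zziplib's types; named for the discussion only). */
struct disk {
    const uint8_t *buffer;  /* start of the mapped archive */
    const uint8_t *endbuf;  /* one past the last mapped byte */
};

struct disk_entry {
    uint32_t local_header_offset;  /* "relative offset of local header" field */
};

#define LOCAL_FILE_HEADER_SIZE  30u          /* fixed part of a ZIP local file header */
#define LOCAL_FILE_HEADER_MAGIC 0x04034b50u  /* "PK\3\4" read little-endian */

/* Weak variant: the single-pointer range check quoted in the thread. It does
 * not guarantee that LOCAL_FILE_HEADER_SIZE bytes are readable at ptr. */
const uint8_t *entry_to_file_header_weak(const struct disk *disk,
                                         const struct disk_entry *entry)
{
    const uint8_t *ptr = disk->buffer + entry->local_header_offset;
    if (disk->buffer > ptr || ptr >= disk->endbuf)
        return NULL;
    return ptr;
}

/* Hardened variant: compare in offset space before forming any pointer (no
 * out-of-object pointer arithmetic), require the whole fixed header to fit,
 * and confirm the signature so a caller can actually parse the header. */
const uint8_t *entry_to_file_header_checked(const struct disk *disk,
                                            const struct disk_entry *entry)
{
    size_t avail = (size_t)(disk->endbuf - disk->buffer);
    uint64_t off = entry->local_header_offset;
    if (off > avail || avail - (size_t)off < LOCAL_FILE_HEADER_SIZE)
        return NULL;
    const uint8_t *ptr = disk->buffer + (size_t)off;
    uint32_t magic = (uint32_t)ptr[0] | ((uint32_t)ptr[1] << 8) |
                     ((uint32_t)ptr[2] << 16) | ((uint32_t)ptr[3] << 24);
    if (magic != LOCAL_FILE_HEADER_MAGIC)
        return NULL;
    return ptr;
}

/* Constructed 64-byte sample archive: a local file header signature at
 * offset 0, everything else zero. Not derived from zip_poc.zip. */
static uint8_t sample_archive[64];

const struct disk *sample_disk(void)
{
    static struct disk d;
    memset(sample_archive, 0, sizeof sample_archive);
    sample_archive[0] = 'P'; sample_archive[1] = 'K';
    sample_archive[2] = 3;   sample_archive[3] = 4;
    sample_archive[4] = 20;  /* version needed to extract: 2.0 */
    d.buffer = sample_archive;
    d.endbuf = sample_archive + sizeof sample_archive;
    return &d;
}

/* 1 if the weak check would hand out a header pointer for this offset. */
int weak_accepts(uint32_t offset)
{
    struct disk_entry e = { offset };
    return entry_to_file_header_weak(sample_disk(), &e) != NULL;
}

/* 1 if the hardened check would hand out a header pointer for this offset. */
int checked_accepts(uint32_t offset)
{
    struct disk_entry e = { offset };
    return entry_to_file_header_checked(sample_disk(), &e) != NULL;
}

int main(void)
{
    uint32_t offsets[] = { 0, 34, 60, 64 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("offset %3u: weak=%d checked=%d\n", offsets[i],
               weak_accepts(offsets[i]), checked_accepts(offsets[i]));
    return 0;
}
```

Offset 60 is the case the thread is about: it is inside the mapping, so the weak check passes, yet only 4 bytes remain before `endbuf`, so reading a 30-byte header from there runs off the end. Offset 34 shows the second layer: exactly 30 bytes remain, so the size check passes, but the bytes are not a local file header, so the signature check rejects it rather than letting a caller parse zeros as header fields.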
4 participants