
"Segmentation fault" (possible DoS) when parsing compressed data with function "inflate_gzip" #1021

Closed
sz3n opened this issue Aug 21, 2016 · 7 comments

Comments


sz3n commented Aug 21, 2016

libtorrent version (or branch): 1.1.0.0

platform/architecture: Ubuntu 14.04LTS x86_64

compiler and compiler version: gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)

The issue was found with "afl fuzzer" while executing a modified version of the "test_gzip" testsuite with the following input data (displayed in base64 format):

H4sIAAjjYGJiWXWAAAAAYFlZWVlZWV34+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4AP4I
DAgLy5kMWQP/YmIA/wUAmQxZBf9iYgD/BQD/ALy8IAAAl5eXl5eXl5eXl5eXl5eXAABZWVlZWVlZ
Xfj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+PgA/ggMCAvLmQxZA/9iYgD/BQCZDFkF/2Ji
AP8FAP8AvLwgAACXl5eXl5eXl5eXl5eXl5cAAFlZWVlZWVlZAPoIDAgLy5kMWQX/YmIA/wUAWVlZ
WVlZWVlZAID//1lZWVlZWVkA+ggMCAvLmQxZBf9iYgD/BQBZWVlZWVlZWVkAgP//YmJiEARkQPZZ
WVlZWQwMDIsIAEQ=

A segmentation fault signal was captured while running:
./test_gzip gzip_data
The output from ASAN:

ASAN:SIGSEGV
=================================================================
==28954==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000048cb19 sp 0x7ffe24a458b0 bp 0x000000000000 T0)
    #0 0x48cb18 in construct(huffman*, short*, int) /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:365
    #1 0x494c77 in dynamic /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:693
    #2 0x494c77 in puff(unsigned char*, unsigned int*, unsigned char const*, unsigned int*) /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:781
    #3 0x489f71 in libtorrent::inflate_gzip(char const*, int, std::vector<char, std::allocator<char> >&, int, boost::system::error_code&) /home/user/libtorrent-rasterbar-1.1.0/src/gzip.cpp:230
    #4 0x482aed in main /home/user/libtorrent-rasterbar-1.1.0/examples3/test_gzip.cpp:84
    #5 0x7f8f1ede1f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x48025c in _start (/tmp/fuzz_gzip/test_gzip+0x48025c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:365 construct(huffman*, short*, int)
==28954==ABORTING

The issue seems to be located in the puff.cpp file inside the "construct" function.

To reproduce:
1. compile "test_gzip.cpp" (here attached)
2. copy the base64 encoded data to a file (ex. gzip_data.b64)
3. decode the file to a new file ("base64 -d gzip_data.b64 > gzip_data")
4. run ./test_gzip gzip_data

test_gzip.cpp.txt
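The attached test_gzip.cpp is not reproduced on this page. As an added example (not the reporter's harness and not libtorrent code), the Python below shows the defensive shape such a harness should have: validate the RFC 1952 member header before handing bytes to an inflater, peek at the first deflate block header (this sample's first block is BFINAL=1, BTYPE=2, i.e. dynamic Huffman, which matches the dynamic()/construct() frames in the ASAN trace), and decompress with a hard output cap so that a bad input fails closed rather than crashing or exhausting memory. It uses CPython's zlib instead of libtorrent's puff-based inflate_gzip, so it says nothing about whether puff crashes, and it does not claim whether zlib accepts or rejects this particular sample; it only shows that the call returns a status either way. CRASH_SAMPLE is the report's base64 payload with its lines joined; GOOD_MEMBER and BOMB_MEMBER are constructed inputs; parse_gzip_header, first_block_header and safe_gunzip are names chosen here.

```python
import base64
import gzip
import struct
import zlib

# The reporter's AFL-generated sample from this issue, base64 lines joined.
CRASH_SAMPLE_B64 = (
    "H4sIAAjjYGJiWXWAAAAAYFlZWVlZWV34+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4AP4I"
    "DAgLy5kMWQP/YmIA/wUAmQxZBf9iYgD/BQD/ALy8IAAAl5eXl5eXl5eXl5eXl5eXAABZWVlZWVlZ"
    "Xfj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+PgA/ggMCAvLmQxZA/9iYgD/BQCZDFkF/2Ji"
    "AP8FAP8AvLwgAACXl5eXl5eXl5eXl5eXl5cAAFlZWVlZWVlZAPoIDAgLy5kMWQX/YmIA/wUAWVlZ"
    "WVlZWVlZAID//1lZWVlZWVkA+ggMCAvLmQxZBf9iYgD/BQBZWVlZWVlZWVkAgP//YmJiEARkQPZZ"
    "WVlZWQwMDIsIAEQ="
)
CRASH_SAMPLE = base64.b64decode(CRASH_SAMPLE_B64)

# Constructed inputs (not from the issue): a valid member and a highly
# compressible one that stands in for a decompression bomb.
GOOD_MEMBER = gzip.compress(b"hello libtorrent")
BOMB_MEMBER = gzip.compress(b"\x00" * (1 << 16))

GZIP_MAGIC = b"\x1f\x8b"
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10
BLOCK_TYPES = {0: "stored", 1: "fixed", 2: "dynamic", 3: "reserved"}


def parse_gzip_header(data):
    """Validate the RFC 1952 member header and locate the deflate stream.

    Returns the header fields plus 'deflate_offset'; raises ValueError on
    anything malformed so the caller fails closed instead of reading past
    the end of the buffer.
    """
    if len(data) < 10:
        raise ValueError("header shorter than 10 bytes")
    if data[:2] != GZIP_MAGIC:
        raise ValueError("bad magic")
    cm, flg = data[2], data[3]
    if cm != 8:
        raise ValueError("unsupported compression method %d" % cm)
    if flg & 0xE0:
        raise ValueError("reserved FLG bits set")
    mtime, xfl, os_id = struct.unpack_from("<IBB", data, 4)
    pos = 10
    if flg & FEXTRA:
        if pos + 2 > len(data):
            raise ValueError("truncated FEXTRA length")
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    for flag in (FNAME, FCOMMENT):
        if flg & flag:
            end = data.find(b"\x00", pos)
            if end < 0:
                raise ValueError("unterminated FNAME/FCOMMENT")
            pos = end + 1
    if flg & FHCRC:
        pos += 2
    if pos > len(data):
        raise ValueError("optional header fields overrun the input")
    return {"cm": cm, "flg": flg, "mtime": mtime, "xfl": xfl, "os": os_id,
            "deflate_offset": pos}


def first_block_header(data, offset):
    """Peek at BFINAL and BTYPE of the first deflate block (bits are LSB-first)."""
    if offset >= len(data):
        raise ValueError("no deflate data after the header")
    b = data[offset]
    return b & 1, (b >> 1) & 3


def safe_gunzip(data, max_out=1 << 20):
    """Decompress one gzip member with a hard output cap, never raising.

    Returns ("ok", payload), ("limit", partial payload) when the cap is hit,
    or ("error", message) for malformed or truncated input.
    """
    try:
        parse_gzip_header(data)
    except ValueError as exc:
        return "error", "header: %s" % exc
    # 16 + MAX_WBITS tells zlib to expect and verify the gzip wrapper (CRC32, ISIZE).
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    try:
        out = inflater.decompress(data, max_out)
    except zlib.error as exc:
        return "error", "deflate: %s" % exc
    if inflater.unconsumed_tail:
        return "limit", out          # output cap reached, input left over
    if not inflater.eof:
        return "error", "truncated stream"
    return "ok", out


if __name__ == "__main__":
    hdr = parse_gzip_header(CRASH_SAMPLE)
    bfinal, btype = first_block_header(CRASH_SAMPLE, hdr["deflate_offset"])
    print("header:", hdr)
    print("first block: BFINAL=%d BTYPE=%d (%s)" % (bfinal, btype, BLOCK_TYPES[btype]))
    print("zlib verdict on the reported sample:", safe_gunzip(CRASH_SAMPLE)[0])
```

Run it directly to see the parsed header of the reported sample; the interesting parts for triage are that the header itself is clean (FLG=0, deflate data starts at byte 10) and that the first block is a dynamic-Huffman block, so the malformed part is the code-length tables that construct() builds, not the gzip framing. The output cap is the other half of a safe harness: an inflater that does not crash can still be driven into allocating far more than its input size.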


arvidn commented Aug 21, 2016

thanks for the report!


arvidn commented Aug 21, 2016

fix has been pushed to RC_1_1 and master

arvidn closed this as completed Aug 21, 2016

@david-geiger

Hi,

Is this security issue also valid for branch RC_1_0? And others?

If yes, is it possible to have a patch to fix this issue in the other branches?


arvidn commented Sep 12, 2016

back-ported to RC_1_0 here: 2d7d012

@david-geiger

Thank you very much!

@pmattern

Wouldn't this warrant another point release of the 1.0.x series?


arvidn commented Sep 14, 2016

yeah, probably
