Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"Segmentation fault" (possible DoS) when parsing compressed data with function "inflate_gzip" #1021

Closed
sz3n opened this issue Aug 21, 2016 · 7 comments

Comments

Projects
None yet
4 participants
@sz3n
Copy link

commented Aug 21, 2016

libtorrent version (or branch): 1.1.0.0

platform/architecture: Ubuntu 14.04LTS x86_64

compiler and compiler version: gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)

The issue was found with "afl fuzzer" while executing a modified version of the "test_gzip" testsuite with the following input data(displayed in base64 format):

H4sIAAjjYGJiWXWAAAAAYFlZWVlZWV34+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4AP4I
DAgLy5kMWQP/YmIA/wUAmQxZBf9iYgD/BQD/ALy8IAAAl5eXl5eXl5eXl5eXl5eXAABZWVlZWVlZ
Xfj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+PgA/ggMCAvLmQxZA/9iYgD/BQCZDFkF/2Ji
AP8FAP8AvLwgAACXl5eXl5eXl5eXl5eXl5cAAFlZWVlZWVlZAPoIDAgLy5kMWQX/YmIA/wUAWVlZ
WVlZWVlZAID//1lZWVlZWVkA+ggMCAvLmQxZBf9iYgD/BQBZWVlZWVlZWVkAgP//YmJiEARkQPZZ
WVlZWQwMDIsIAEQ=

A segmentation fault signal was captured while running:
./test_gzip gzip_data
The output from ASAN:

ASAN:SIGSEGV
=================================================================
==28954==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000048cb19 sp 0x7ffe24a458b0 bp 0x000000000000 T0)
    #0 0x48cb18 in construct(huffman*, short*, int) /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:365
    #1 0x494c77 in dynamic /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:693
    #2 0x494c77 in puff(unsigned char*, unsigned int*, unsigned char const*, unsigned int*) /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:781
    #3 0x489f71 in libtorrent::inflate_gzip(char const*, int, std::vector<char, std::allocator<char> >&, int, boost::system::error_code&) /home/user/libtorrent-rasterbar-1.1.0/src/gzip.cpp:230
    #4 0x482aed in main /home/user/libtorrent-rasterbar-1.1.0/examples3/test_gzip.cpp:84
    #5 0x7f8f1ede1f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x48025c in _start (/tmp/fuzz_gzip/test_gzip+0x48025c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:365 construct(huffman*, short*, int)
==28954==ABORTING

The issue seems to be located in the puff.cpp file inside the "construct" function.

To reproduce:
1.compile "test_gzip.cpp" (here attached)
2.copy the base64 encoded data to a file (ex. gzip_data.b64)
3.decode the file to a new file ("base64 -d gzip_data.b64 > gzip_data")
3.run ./test_gzip gzip_data

test_gzip.cpp.txt

@arvidn

This comment has been minimized.

Copy link
Owner

commented Aug 21, 2016

thanks for the report!

@arvidn

This comment has been minimized.

Copy link
Owner

commented Aug 21, 2016

fix has been pushed to RC_1_1 and master

@arvidn arvidn closed this Aug 21, 2016

@david-geiger

This comment has been minimized.

Copy link

commented Sep 9, 2016

Hi,

Is also this security issue valid for branch RC_1_0 ? and others ?

If yes is possible to have a patch to fix this issue in others branchs?

@arvidn

This comment has been minimized.

Copy link
Owner

commented Sep 12, 2016

back-ported to RC_1_0 here: 2d7d012

@david-geiger

This comment has been minimized.

Copy link

commented Sep 12, 2016

Thank you very much!

@pmattern

This comment has been minimized.

Copy link

commented Sep 14, 2016

Wouldn't this warrant another point release of the 1.0.x series?

@arvidn

This comment has been minimized.

Copy link
Owner

commented Sep 14, 2016

yeah, probably

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.