divide-by-zero in bufRead::get (libzpaq.h) #66

Closed
asarubbo opened this issue Mar 24, 2017 · 2 comments

@asarubbo

On 0.631:

# lrzip -t $FILE
Decompressing...
ASAN:DEADLYSIGNAL
=================================================================
==8026==ERROR: AddressSanitizer: FPE on unknown address 0x0000005e7957 (pc 0x0000005e7957 bp 0x7fcdf9ba58d0 sp 0x7fcdf9ba5870 T1)
    #0 0x5e7956 in bufRead::get() /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:468:41
    #1 0x5856f1 in libzpaq::Decompresser::findBlock(double*) /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.cpp:1236:21
    #2 0x55f79a in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*) /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.cpp:1363:12
    #3 0x55f4e2 in zpaq_decompress /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:538:2
    #4 0x54b3a4 in zpaq_decompress_buf /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:453:2
    #5 0x54b3a4 in ucompthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1534
    #6 0x7fd33c0594a3 in start_thread /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_create.c:333
    #7 0x7fd33b38466c in clone /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:468:41 in bufRead::get()
Thread T1 created by T0 here:
    #0 0x42d49d in pthread_create /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
    #1 0x53e70f in create_pthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:133:6
    #2 0x53e70f in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1673
    #3 0x53e70f in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #4 0x5303e3 in read_u8 /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:55:6
    #5 0x5303e3 in read_header /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:144
    #6 0x5303e3 in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:314
    #7 0x5303e3 in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #8 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #9 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #10 0x7fd33b2bd78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

==8026==ABORTING

Reproducer:
https://github.com/asarubbo/poc/blob/master/00228-lrzip-fpe-bufRead-get

@ppisar

ppisar commented May 9, 2017

This is known as CVE-2017-8842 http://seclists.org/oss-sec/2017/q2/230.

A simple workaround is

--- a/libzpaq/libzpaq.h
+++ b/libzpaq/libzpaq.h
@@ -465,7 +465,9 @@ struct bufRead: public libzpaq::Reader {
 
        int get() {
                if (progress && !(*s_len % 128)) {
-                       int pct = (total_len - *s_len) * 100 / total_len;
+                       int pct = (total_len > 0) ?
+                           (total_len - *s_len) * 100 / total_len :
+                           100;
 
                        if (pct / 10 != *last_pct / 10) {
                                int i;
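Review bot: the ternary at `int pct = (total_len > 0) ? ... : 100;` stops the FPE but silently reports 100% for a zero-length buffer instead of treating it as the invalid input it is, which fits the remark below that the real check belongs in stream.c where s_buf and c_len are set; since this is only a workaround, add a one-line comment on the ternary saying that total_len == 0 can only arise from a bad chunk header, so a later reader does not mistake it for the fix. Note also that `(total_len - *s_len) * 100 / total_len` is still computed unchecked whenever total_len > 0 and goes negative if *s_len exceeds total_len, so the header-level validation should enforce *s_len <= total_len as well.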

but the real fix is needed in the parser in stream.c where s_buf and c_len are set.
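The division ppisar points at, reworked as an added C++ example (not lrzip's or libzpaq's code) with a hypothetical DemoReader standing in for bufRead: progress_pct refuses to divide by a zero total and also clamps the inconsistent case where the remaining count exceeds the total, going beyond the zero-length case in the report, and chunk_len_is_valid shows the header-level check where the comment above says the real fix belongs.

```cpp
#include <cstdint>
#include <cstddef>

// Hypothetical stand-in for the bufRead progress logic (not the project's code).
// The original computed (total_len - *s_len) * 100 / total_len unconditionally,
// so a chunk whose header yielded total_len == 0 divided by zero (the FPE above).

// Percentage of a buffer consumed so far, safe for total_len == 0 and for
// remaining > total_len (a corrupt header); the result is always in [0, 100].
static int progress_pct(int64_t total_len, int64_t remaining) {
    if (total_len <= 0) return 100;       // nothing to read: report done, never divide
    if (remaining < 0) return 100;
    if (remaining > total_len) return 0;  // inconsistent lengths: treat as not started
    return static_cast<int>((total_len - remaining) * 100 / total_len);
}

// Where the real fix belongs: reject a zero-length (or oversized) compressed chunk
// when the stream header is parsed, before any reader is constructed over it.
static bool chunk_len_is_valid(int64_t c_len, int64_t max_len) {
    return c_len > 0 && c_len <= max_len;
}

struct DemoReader {
    const unsigned char* s_buf;
    int64_t total_len;
    int64_t s_len;       // bytes still unread
    int last_pct;
    bool progress;
    int get() {
        if (progress && !(s_len % 128)) {
            int pct = progress_pct(total_len, s_len);
            if (pct / 10 != last_pct / 10) last_pct = pct;  // would print progress here
        }
        if (s_len <= 0) return -1;  // EOF, as libzpaq readers signal it
        --s_len;
        return *s_buf++;
    }
};

// Drain a reader built over a constructed all-zero buffer; returns the number of
// bytes read, or -1 if the chunk length would have been rejected by the header check.
static int drain(int64_t c_len) {
    static const unsigned char sample[300] = {};  // constructed input
    if (!chunk_len_is_valid(c_len, sizeof sample)) return -1;
    DemoReader r{sample, c_len, c_len, 0, true};
    int n = 0;
    while (r.get() != -1) ++n;
    return n;
}
```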

@ckolivas (Owner)

Fixed
