On latest version (0.631) and master branch (38386bd) of lrzip, there is a heap-use-after-free in lzma_decompress_buf function of (src/stream.c), which could be triggered by the POC below.
The issue is similar to issue #90, but happens in a different function. Triggering of this issue could be tricky: when running on a high-performance server, most likely we fail to reproduce; however, when running lrzip on a desktop with all cpu cores busy, we could reproduce in some cases (1/10).
To reproduce this issue, run the command multiple times: ./bin/lrzip -t $POC
The detailed backtrace is as follows:
==5116==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000000138 at pc 0x00000044f2c2 bp 0x7fd0d3f46c70 sp 0x7fd0d3f46c68
READ of size 8 at 0x612000000138 thread T6
#0 0x44f2c1 in lzma_decompress_buf /home/test/test/./lrzip/master/src/stream.c:564
#1 0x44f2c1 in ucompthread /home/test/test/./lrzip/master/src/stream.c:1522
#2 0x7fd1cb1da6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#3 0x7fd1ca9f141c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x612000000138 is located 248 bytes inside of 288-byte region [0x612000000040,0x612000000160)
freed by thread T0 here:
#0 0x7fd1cbe96148 in __interceptor_free ../../../../gcc-7.3.0-src/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x468069 in close_stream_in /home/test/test/./lrzip/master/src/stream.c:1839
previously allocated by thread T0 here:
#0 0x7fd1cbe96678 in __interceptor_calloc ../../../../gcc-7.3.0-src/libsanitizer/asan/asan_malloc_linux.cc:70
#1 0x45cd34 in open_stream_in /home/test/test/./lrzip/master/src/stream.c:1082
Thread T6 created by T0 here:
#0 0x7fd1cbdf3c10 in __interceptor_pthread_create ../../../../gcc-7.3.0-src/libsanitizer/asan/asan_interceptors.cc:243
#1 0x44f46c in create_pthread /home/test/test/./lrzip/master/src/stream.c:133
SUMMARY: AddressSanitizer: heap-use-after-free /home/test/test/./lrzip/master/src/stream.c:564 in lzma_decompress_buf
Shadow bytes around the buggy address:
0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff8000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c247fff8020: fd fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa
0x0c247fff8030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c247fff8060: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fff8070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5116==ABORTING
lrzip_0-631_lrzip_heap-use-after-free_ lzma_decompress_buf.lrz.zip
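The trace above has the classic shape of an owner/worker lifetime race: thread T0 allocates the stream state in open_stream_in, spawns a worker via create_pthread, and later frees that state in close_stream_in while the worker (T6) is still reading it inside lzma_decompress_buf. The constructed C program below, which is an added illustration and not lrzip's code, models that pattern with hypothetical names (stream_info, open_stream, ucomp_worker, close_stream_unsafe, close_stream_safe, decompress_one are all assumptions) and shows the teardown ordering that removes the race: join the worker before freeing anything it can reach.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for per-stream state that a main thread allocates and a
 * worker thread reads; it is not lrzip's real stream_info. */
struct stream_info {
    unsigned char *buf;   /* input handed to the worker */
    size_t len;
    uint64_t result;      /* produced by the worker, consumed after it exits */
};

/* Stands in for ucompthread -> lzma_decompress_buf: it dereferences the stream
 * state for as long as it runs, so that state must outlive the thread. The
 * "decompression" here is just a byte sum so the outcome is checkable. */
static void *ucomp_worker(void *arg)
{
    struct stream_info *s = arg;
    uint64_t acc = 0;
    for (size_t i = 0; i < s->len; i++)
        acc += s->buf[i];
    s->result = acc;
    return NULL;
}

static struct stream_info *open_stream(const unsigned char *data, size_t len)
{
    struct stream_info *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->buf = malloc(len ? len : 1);
    if (!s->buf) {
        free(s);
        return NULL;
    }
    memcpy(s->buf, data, len);
    s->len = len;
    return s;
}

static void free_stream(struct stream_info *s)
{
    if (!s)
        return;
    free(s->buf);
    free(s);
}

/* Defect pattern (defined for illustration only; nothing below calls it):
 * the owner releases the state before it has waited for the worker, so whether
 * the worker reads freed memory depends on scheduling. That scheduling
 * dependence is why such a bug surfaces only intermittently under load. */
void close_stream_unsafe(struct stream_info *s, pthread_t worker)
{
    free_stream(s);             /* owner frees the state ... */
    pthread_join(worker, NULL); /* ... while the worker may still be using it */
}

/* Corrected ordering: wait for the worker first. Once pthread_join returns,
 * no other thread can touch the state, so reading and freeing it is safe.
 * Returns the worker's result. */
uint64_t close_stream_safe(struct stream_info *s, pthread_t worker)
{
    pthread_join(worker, NULL);
    uint64_t r = s->result;
    free_stream(s);
    return r;
}

/* Runs one worker over the given input with the safe teardown and returns
 * the byte sum it computed, or 0 if a resource could not be set up. */
uint64_t decompress_one(const unsigned char *data, size_t len)
{
    struct stream_info *s = open_stream(data, len);
    if (!s)
        return 0;
    pthread_t tid;
    if (pthread_create(&tid, NULL, ucomp_worker, s) != 0) {
        free_stream(s);
        return 0;
    }
    return close_stream_safe(s, tid);
}

int main(void)
{
    static const unsigned char sample[] = "abc"; /* constructed input */
    printf("byte sum: %llu\n",
           (unsigned long long)decompress_one(sample, 3));
    return 0;
}
```

Build with `cc -pthread -fsanitize=address example.c` (assumed file name). If decompress_one is changed to call close_stream_unsafe instead, AddressSanitizer reports a heap-use-after-free of the same shape as the report above (allocated and freed by the main thread, read by the worker) only on runs where the schedule actually lands the read after the free; ThreadSanitizer (`-fsanitize=thread`) reports the missing happens-before edge between the free and the worker's reads even on runs where the read happened to win, which makes it the more reliable way to confirm this class of fix.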