use-after-free in lzma_decompress_buf (src/stream.c) #95

Closed
traceprobe opened this issue May 2, 2018 · 2 comments
On the latest version (0.631) and the master branch (38386bd) of lrzip, there is a heap-use-after-free in the lzma_decompress_buf function (src/stream.c), which can be triggered by the PoC below.

The issue is similar to issue #90, but happens in a different function. Triggering this issue can be tricky: when running on a high-performance server, we most likely fail to reproduce it; however, when running lrzip on a desktop with all CPU cores busy, we could reproduce it in some cases (1/10).

To reproduce this issue, run the command multiple times: ./bin/lrzip -t $POC

The detailed backtrace is as follows:
==5116==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000000138 at pc 0x00000044f2c2 bp 0x7fd0d3f46c70 sp 0x7fd0d3f46c68
READ of size 8 at 0x612000000138 thread T6
#0 0x44f2c1 in lzma_decompress_buf /home/test/test/./lrzip/master/src/stream.c:564
#1 0x44f2c1 in ucompthread /home/test/test/./lrzip/master/src/stream.c:1522
#2 0x7fd1cb1da6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#3 0x7fd1ca9f141c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x612000000138 is located 248 bytes inside of 288-byte region [0x612000000040,0x612000000160)
freed by thread T0 here:
#0 0x7fd1cbe96148 in __interceptor_free ../../../../gcc-7.3.0-src/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x468069 in close_stream_in /home/test/test/./lrzip/master/src/stream.c:1839

previously allocated by thread T0 here:
#0 0x7fd1cbe96678 in __interceptor_calloc ../../../../gcc-7.3.0-src/libsanitizer/asan/asan_malloc_linux.cc:70
#1 0x45cd34 in open_stream_in /home/test/test/./lrzip/master/src/stream.c:1082

Thread T6 created by T0 here:
#0 0x7fd1cbdf3c10 in __interceptor_pthread_create ../../../../gcc-7.3.0-src/libsanitizer/asan/asan_interceptors.cc:243
#1 0x44f46c in create_pthread /home/test/test/./lrzip/master/src/stream.c:133

SUMMARY: AddressSanitizer: heap-use-after-free /home/test/test/./lrzip/master/src/stream.c:564 in lzma_decompress_buf
Shadow bytes around the buggy address:
0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff8000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c247fff8020: fd fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa
0x0c247fff8030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c247fff8060: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fff8070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5116==ABORTING

lrzip_0-631_lrzip_heap-use-after-free_ lzma_decompress_buf.lrz.zip
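The sanitizer report above shows the shape of the bug: the main thread (T0) frees the stream descriptor in close_stream_in while a decompression worker (T6, started from create_pthread) still reads it in lzma_decompress_buf, so whether the crash appears depends on thread scheduling, which matches the reporter's observation that it reproduces only on a loaded machine. The following is an added illustration of that pattern and of the defensive teardown order, not lrzip's code and not the maintainer's actual fix: the struct, function names and the 256-byte constructed input are all hypothetical, and the point it demonstrates is that shared state handed to worker threads must not be freed until every worker has been joined.

```c
/* Added illustration (not lrzip code): workers read a shared stream
 * descriptor; close_stream joins all of them BEFORE freeing it.
 * Freeing first and joining later is the ordering that produces the
 * heap-use-after-free class of bug seen in the report. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_WORKERS 4

/* Hypothetical stand-in for the per-stream state a decompressor keeps. */
struct stream_info {
    int nworkers;                     /* threads actually started          */
    pthread_t threads[NUM_WORKERS];
    uint64_t partial[NUM_WORKERS];    /* per-worker result, written by worker */
    unsigned char buf[256];           /* constructed "compressed" input    */
};

struct worker_arg {
    struct stream_info *sinfo;
    int idx;
};

/* Worker: reads sinfo throughout its run. If the owner freed sinfo
 * before joining, every access here would be a use-after-free. */
static void *worker(void *p)
{
    struct worker_arg *a = p;
    struct stream_info *s = a->sinfo;
    uint64_t sum = 0;
    for (size_t i = (size_t)a->idx; i < sizeof s->buf; i += NUM_WORKERS)
        sum += s->buf[i];             /* read of the shared buffer */
    s->partial[a->idx] = sum;         /* write into the shared struct */
    free(a);
    return NULL;
}

/* Allocate the descriptor, fill the constructed input and start workers. */
struct stream_info *open_stream(void)
{
    struct stream_info *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    for (size_t i = 0; i < sizeof s->buf; i++)
        s->buf[i] = (unsigned char)i; /* constructed input: bytes 0..255 */

    for (int i = 0; i < NUM_WORKERS; i++) {
        struct worker_arg *a = malloc(sizeof *a);
        if (!a)
            break;
        a->sinfo = s;
        a->idx = i;
        if (pthread_create(&s->threads[i], NULL, worker, a) != 0) {
            free(a);
            break;                    /* nworkers records only live threads */
        }
        s->nworkers++;
    }
    return s;
}

/* Safe teardown: join every started worker, only then free the
 * descriptor. Returns the combined result so the ordering is checkable. */
uint64_t close_stream(struct stream_info *s)
{
    uint64_t total = 0;
    for (int i = 0; i < s->nworkers; i++) {
        pthread_join(s->threads[i], NULL);  /* worker finished; s still valid */
        total += s->partial[i];
    }
    free(s);                                /* no thread can touch s now */
    return total;
}

/* Full open/work/close cycle; sum of bytes 0..255 is 32640. */
uint64_t run_decompress(void)
{
    struct stream_info *s = open_stream();
    if (!s)
        return 0;
    return close_stream(s);
}

int main(void)
{
    printf("combined result: %llu\n", (unsigned long long)run_decompress());
    return 0;
}
```

Building this with -fsanitize=address and swapping the free and the join loop in close_stream reproduces the same "freed by thread T0 / READ ... thread Tn" report shape as above, which is a quick way to confirm a suspected teardown-order bug in any threaded decompressor.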


carnil commented May 3, 2018

CVE-2018-10685

@ckolivas (Owner) commented

Fixed generically with safeguards in other code.
