Invalid memory access in zzip_disk_fread (src/zzip/mmapped.c) [CVE-2018-6381] #12
Comments

This issue was assigned CVE-2018-6381

The POC download link is not working.

gdraheim added a commit that referenced this issue on Feb 1, 2018

@abergmann Thanks, the poc link should work now.

@gdraheim Thanks for fixing this issue.

test_63817 works OK

gdraheim added a commit that referenced this issue on Feb 5, 2018

a check for the size was added, and the testcase is fixed now
On the latest version (0.13.67) and the master branch of zziplib:
there is a segmentation fault caused by an invalid memory access in the zzip_disk_fread function (src/zzip/mmapped.c), which can be triggered by a POC of only 152 bytes.
The issue happens because, with the crafted zip file, at line 685 of the zzip_disk_fread function the "size" variable can be much larger than the capacity of "file->stored". Note that this function is in library code, which means programs based on libzzip could be affected.
683 if (file->stored)
684 {
685 memcpy(ptr, file->stored, size);
686 file->stored += size;
687 file->avail -= size;
688 return size;
689 }
To reproduce the issue, run: ./unzip-mem $POC
The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip
The backtrace is:
(gdb) bt
#0 0x00007ffff7740427 in __memcpy_ssse3 () from /lib64/libc.so.6
#1 0x00007ffff7bd7cd3 in zzip_disk_fread (ptr=0x7fffffffd7b0, sized=1024, nmemb=1, file=0x604280) at ../../src/zzip/mmapped.c:685
#2 0x00007ffff7bd8a86 in zzip_mem_disk_fread (ptr=0x7fffffffd7b0, size=1024, nmemb=1, file=0x604280) at ../../src/zzip/memdisk.c:495
#3 0x0000000000400c8c in zzip_mem_entry_pipe (disk=0x604060, entry=0x604080, out=0x6047e0) at ../../src/bins/unzip-mem.c:89
#4 0x0000000000400cfe in zzip_mem_entry_make (disk=0x604060, entry=0x604080) at ../../src/bins/unzip-mem.c:100
#5 0x00000000004017b5 in zzip_mem_entry_makeall (disk=0x604060) at ../../src/bins/unzip-mem.c:310
#6 0x0000000000401c7f in main (argc=2, argv=0x7fffffffdd48) at ../../src/bins/unzip-mem.c:399
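The following is an added example, not zziplib's code and not the commit that closed this issue: a reduced model of the read path described in the report (a pointer into the mapped archive plus a remaining-bytes counter), with the unchecked copy from the quoted fragment next to a variant that guards the size multiplication and clamps the copy to the bytes actually available. The struct and function names are hypothetical, and the sample entry data is constructed.

```c
/* Added example (not zziplib's code): a reduced model of the in-memory
 * entry read described in the issue, showing the unchecked copy and a
 * bounds-checked version side by side. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the two fields the quoted fragment touches: a cursor into
 * the mapped archive and the number of bytes left in this entry. */
typedef struct {
    const unsigned char *stored;
    size_t avail;
} mem_file_t;

/* Same shape as the fragment at mmapped.c:685: `size` is derived from the
 * caller's request and copied without being compared against `avail`.
 * If a crafted header makes size exceed avail, memcpy reads past the
 * mapping. Kept here only as the "before" picture; the test never calls
 * it with an out-of-bounds request. */
size_t disk_fread_unchecked(void *ptr, size_t sized, size_t nmemb, mem_file_t *file)
{
    size_t size = sized * nmemb;
    if (file->stored) {
        memcpy(ptr, file->stored, size);
        file->stored += size;
        file->avail -= size;
        return size;
    }
    return 0;
}

/* Hardened variant: reject a wrapping sized*nmemb product and clamp the
 * copy length to what the entry still holds. Returns bytes copied. */
size_t disk_fread_checked(void *ptr, size_t sized, size_t nmemb, mem_file_t *file)
{
    if (!file || !file->stored || !ptr || sized == 0 || nmemb == 0)
        return 0;
    if (nmemb > SIZE_MAX / sized)        /* sized * nmemb would overflow */
        return 0;
    size_t size = sized * nmemb;
    if (size > file->avail)              /* the size check that was missing */
        size = file->avail;
    memcpy(ptr, file->stored, size);
    file->stored += size;
    file->avail -= size;
    return size;
}

/* Constructed scenario mirroring the backtrace: the caller asks for a
 * 1024-byte block (sized=1024, nmemb=1) while only 10 bytes of entry
 * data remain. The checked read returns 10 instead of overreading. */
size_t demo_short_entry(void)
{
    static const unsigned char data[] = "tiny entry";   /* 10 bytes + NUL */
    unsigned char out[1024];
    mem_file_t f = { data, 10 };
    return disk_fread_checked(out, 1024, 1, &f);
}

int main(void)
{
    printf("checked read copied %zu bytes\n", demo_short_entry());
    return 0;
}
```

The clamp returns a short count rather than failing outright, which is what a caller looping on fread-style reads expects; the overflow guard matters because `sized * nmemb` can wrap to a small value and slip past a naive size-versus-avail comparison.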