
Invalid memory access in zzip_disk_fread (src/zzip/mmapped.c) [CVE-2018-6381] #12

Closed
ProbeFuzzer opened this issue Jan 29, 2018 · 6 comments

Comments

@ProbeFuzzer

ProbeFuzzer commented Jan 29, 2018

On latest version (0.13.67) and master branch of zziplib:
there is a segmentation fault caused by invalid memory access in zzip_disk_fread function (src/zzip/mmapped.c), which could be triggered by a POC with only 152 bytes.

The issue happens because, with the crafted zip file, at line 685 of the zzip_disk_fread function the "size" variable can be much larger than the capacity of "file->stored". Note that this function is in library code, which means programs based on libzzip could be affected.

683 if (file->stored)
684 {
685 memcpy(ptr, file->stored, size);
686 file->stored += size;
687 file->avail -= size;
688 return size;
689 }

To reproduce the issue, run: ./unzip-mem $POC
The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip

The backtrace is:
(gdb) bt
#0 0x00007ffff7740427 in __memcpy_ssse3 () from /lib64/libc.so.6
#1 0x00007ffff7bd7cd3 in zzip_disk_fread (ptr=0x7fffffffd7b0, sized=1024, nmemb=1, file=0x604280) at ../../src/zzip/mmapped.c:685
#2 0x00007ffff7bd8a86 in zzip_mem_disk_fread (ptr=0x7fffffffd7b0, size=1024, nmemb=1, file=0x604280) at ../../src/zzip/memdisk.c:495
#3 0x0000000000400c8c in zzip_mem_entry_pipe (disk=0x604060, entry=0x604080, out=0x6047e0) at ../../src/bins/unzip-mem.c:89
#4 0x0000000000400cfe in zzip_mem_entry_make (disk=0x604060, entry=0x604080) at ../../src/bins/unzip-mem.c:100
#5 0x00000000004017b5 in zzip_mem_entry_makeall (disk=0x604060) at ../../src/bins/unzip-mem.c:310
#6 0x0000000000401c7f in main (argc=2, argv=0x7fffffffdd48) at ../../src/bins/unzip-mem.c:399

@carnil

carnil commented Jan 29, 2018

This issue was assigned CVE-2018-6381

@abergmann

The POC download link is not working.

@ProbeFuzzer
Author

@abergmann Thanks, the poc link should work now.

@ProbeFuzzer
Author

@gdraheim Thanks for fixing this issue.

gdraheim added a commit that referenced this issue Feb 4, 2018
@gdraheim
Owner

gdraheim commented Feb 4, 2018

test_63817 works OK

@gdraheim gdraheim added this to the v0.13.68 milestone Feb 4, 2018
@gdraheim
Owner

gdraheim commented Feb 5, 2018

a check for the size was added, and the testcase is fixed now
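The missing bound described in this thread, as an added C example written here (not zziplib's own code and not the fix gdraheim committed): a hypothetical model of the file->stored / file->avail state in which the entry length is clamped to the bytes actually present in the mapping and the read is clamped to avail, so a header claiming 1024 bytes can no longer drive memcpy past the end of the file.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the reader state named in the report: stored is the
 * cursor into the mapped zip image, avail the bytes of this entry that exist. */
typedef struct {
    const unsigned char *stored;
    size_t avail;
} disk_file_t;

/* Open an entry at offset off whose header claims `declared` bytes; avail is
 * bounded by what is actually left in the mapping, not by the header alone. */
int disk_file_open(disk_file_t *f, const unsigned char *map, size_t map_len,
                   size_t off, size_t declared)
{
    if (off > map_len)
        return -1;                     /* entry data starts past the mapping */
    f->stored = map + off;
    f->avail = declared < map_len - off ? declared : map_len - off;
    return 0;
}

/* Hardened read: the memcpy in the report ran with size unchecked; here the
 * element product is overflow-safe and size is clamped to avail. */
size_t disk_fread_checked(void *ptr, size_t sized, size_t nmemb, disk_file_t *f)
{
    if (sized != 0 && nmemb > SIZE_MAX / sized)
        return 0;                      /* sized * nmemb would wrap around */
    size_t size = sized * nmemb;
    if (size > f->avail)
        size = f->avail;               /* never read past the stored bytes */
    if (size == 0 || f->stored == NULL)
        return 0;
    memcpy(ptr, f->stored, size);
    f->stored += size;
    f->avail -= size;
    return size;
}

/* Constructed 32-byte image whose entry data starts at offset 12, so only
 * 20 bytes really exist whatever the header declares. Returns bytes copied. */
size_t demo_read(size_t declared, size_t sized, size_t nmemb)
{
    static const unsigned char image[32] = "PK\3\4-header-payload-of-19-bytes";
    unsigned char out[1024];
    disk_file_t f;
    if (disk_file_open(&f, image, sizeof image, 12, declared) != 0)
        return 0;
    return disk_fread_checked(out, sized, nmemb, &f);
}
```

With the report's request of sized=1024, nmemb=1 the checked read returns the 20 bytes that exist instead of copying 1024.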

@gdraheim gdraheim closed this as completed Feb 5, 2018
@gdraheim gdraheim changed the title Invalid memory access in zzip_disk_fread (src/zzip/mmapped.c) Invalid memory access in zzip_disk_fread (src/zzip/mmapped.c) [CVE-2018-6381] Mar 28, 2018