Bus error in zzip_disk_findfirst (src/zzip/mmapped.c) [CVE-2018-6540] #15

Closed
@ProbeFuzzer

Description

@ProbeFuzzer

On latest version (0.13.67) and master branch of zziplib:
there is a bus error caused by a load from a misaligned address in the zzip_disk_findfirst function of src/zzip/mmapped.c, which can be triggered by the POC below. Note that this issue is different from CVE-2018-6484.

The issue happens because the pointer "trailer" (line 420) can be manipulated by a crafted zip file, resulting in a misaligned memory access and a bus error. Note that the issue is in libzip and may affect downstream programs.

419             struct zzip_disk_trailer *trailer = (struct zzip_disk_trailer *) p;
420             zzip_size_t rootseek = zzip_disk_trailer_get_rootseek(trailer);

To reproduce the issue, run: ./unzip-mem $POC
The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst.zip

master/src/zzip/mmapped.c:420:36: runtime error: load of misaligned address 0x7fc6924310f2 for type 'uint32_t', which requires 4 byte alignment
0x7fc6924310f2: note: pointer points here
47 00 00 00 80 00 b5 b5 b5 b5 b5 b5 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
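The sanitizer report above is the general symptom of casting a byte pointer into a mapped file to a wider integer type: on strict-alignment architectures the load faults with SIGBUS, and it is undefined behaviour in C everywhere. The usual fix for a parser over an mmapped archive is to read multi-byte fields byte by byte (or via memcpy) and to bounds-check the field against the mapping before reading it. The following is an added example written for this issue, not code from zziplib; the record layout, the constant names (SAMPLE_RECORD_OFF, SAMPLE_FIELD_OFF) and the sample bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read a 32-bit little-endian value from any byte address without
 * requiring alignment: assembling the value from individual bytes never
 * dereferences a pointer wider than char, so it is well-defined on every
 * platform and cannot raise a bus error. */
static uint32_t get_u32_le(const unsigned char *p)
{
    return (uint32_t) p[0]
         | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16)
         | ((uint32_t) p[3] << 24);
}

/* Bounds-checked read of a trailer-style field. The caller passes the
 * whole mapped buffer and its length; the function refuses to read a
 * field that would extend past the end of the mapping.
 * Returns 0 on success, -1 when the field would overrun. */
static int read_field_u32(const unsigned char *buf, size_t len,
                          size_t field_off, uint32_t *out)
{
    if (field_off > len || len - field_off < 4)
        return -1;
    *out = get_u32_le(buf + field_off);
    return 0;
}

/* Constructed sample buffer (not the PoC from the report): one byte of
 * padding so the record starts at odd offset 1, a two-byte marker, then a
 * 32-bit little-endian field whose bytes encode 0x00000047. The field
 * therefore sits at offset 3, which a direct (uint32_t *) cast would
 * load from a misaligned address. */
static const unsigned char sample[] = {
    0xb5,                   /* padding: pushes the record to an odd offset */
    0x50, 0x4b,             /* two-byte marker (placeholder value) */
    0x47, 0x00, 0x00, 0x00, /* 32-bit LE field = 0x47 */
    0x00, 0x00              /* trailing bytes */
};
#define SAMPLE_RECORD_OFF 1
#define SAMPLE_FIELD_OFF  (SAMPLE_RECORD_OFF + 2)

/* Read the field at its misaligned offset; returns the decoded value,
 * or 0xFFFFFFFF if the bounds check rejected the read. */
uint32_t demo_read_misaligned(void)
{
    uint32_t v = 0;
    if (read_field_u32(sample, sizeof sample, SAMPLE_FIELD_OFF, &v) != 0)
        return 0xFFFFFFFFu;
    return v;
}

/* Ask for a field starting 2 bytes before the end of the buffer; the
 * bounds check must reject it (returns -1) instead of reading past the
 * mapping. */
int demo_read_truncated(void)
{
    uint32_t v = 0;
    return read_field_u32(sample, sizeof sample, sizeof sample - 2, &v);
}

int main(void)
{
    printf("field at odd offset %d = 0x%08x\n",
           (int) SAMPLE_FIELD_OFF, demo_read_misaligned());
    printf("truncated read rejected: %s\n",
           demo_read_truncated() == -1 ? "yes" : "no");
    return 0;
}
```

A byte-wise accessor like get_u32_le also removes the host-endianness dependency that a direct cast carries, and the length check in read_field_u32 is what stops an attacker-controlled trailer offset from turning a misaligned read into an out-of-bounds one.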
