
Bus error when handling disk64_trailer in __zzip_fetch_disk_trailer (src/zzip/zip.c) [CVE-2018-6541] #16

Closed
@ProbeFuzzer

Description

On the latest version (0.13.67) and the master branch of zziplib, there is a bus error caused by a load from a misaligned address when handling disk64_trailer local entries in the __zzip_fetch_disk_trailer function of src/zzip/zip.c, which can be triggered by the POC below.

The issue happens because the struct zzip_disk_trailer "orig" (line 336) can be manipulated by a crafted zip file, resulting in a misaligned memory access and a bus error. Note that the issue is in libzip and may affect downstream programs. This issue is different from CVE-2018-6484 and arises when invoking a different function.

336                         zzip_disk64_trailer_localentries(orig);
337                     trailer->zz_finalentries =
338                         zzip_disk64_trailer_finalentries(orig);

To reproduce the issue, run: ./unzzip -p $POC
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzzip_memory-aligment-errors___zzip_fetch_disk_trailer.zip

master/src/zzip/zip.c:336:25: runtime error: load of misaligned address 0x7f1d4f853036 for type 'uint64_t', which requires 8 byte alignment
0x7f1d4f853036: note: pointer points here
03 dd e5 69 50 5a 50 4b 03 dd e5 69 50 5a 50 4b 06 14 00 0b 00 06 14 00 00 00 00 00 00 00 61 55
^
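The sanitizer report above shows a uint64_t load from an address that is 6 mod 8, i.e. a 64-bit trailer field read straight through a struct pointer into file data that the zip file controls. The following is an added illustration, not code from zziplib or from the reporter, of the alignment-safe way to read such a field: assemble the little-endian value byte by byte (or via memcpy), so no assumption about the pointer's alignment is made and a crafted file cannot provoke an unaligned load. The helper names, the sample buffer and the offset 6 are constructed for this example; the page does not state which access pattern the upstream fix uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Read a little-endian 64-bit field (the encoding zip trailers use)
 * from an arbitrary byte pointer. Byte assembly never performs a
 * wide load, so it is safe at any alignment on any architecture. */
static uint64_t read_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* memcpy alternative: the compiler is free to emit an unaligned-safe
 * load. Note this yields the value in host byte order, so it is only
 * a drop-in for read_le64 on little-endian hosts. */
static uint64_t read_u64_memcpy(const void *p)
{
    uint64_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* True when p meets the natural alignment of an n-byte type. A
 * defensive check like this before a direct deref turns a silent
 * misaligned access into an explicit parse error. */
static int is_aligned(const void *p, size_t n)
{
    return ((uintptr_t)p % n) == 0;
}

/* Constructed sample buffer: an 8-byte field stored at byte offset 6,
 * mirroring the "address ends in 6" situation in the report above.
 * The bytes 01..08 decode to 0x0807060504030201 as little-endian. */
static unsigned char sample[32];
static uint64_t aligned_store[2]; /* naturally 8-byte aligned */

static uint64_t demo_read_at(size_t off)
{
    for (int i = 0; i < 8; i++)
        sample[off + i] = (unsigned char)(i + 1);
    return read_le64(sample + off);
}

int main(void)
{
    uint64_t v = demo_read_at(6);
    printf("field at +6 via read_le64: 0x%016llx\n", (unsigned long long)v);
    printf("sample+6 aligned for uint64_t? %s\n",
           is_aligned(sample + 6, 8) ? "yes" : "no");
    printf("aligned_store aligned? %s\n",
           is_aligned(aligned_store, 8) ? "yes" : "no");
    (void)read_u64_memcpy;
    return 0;
}
```

The direct form `*(const uint64_t *)p`, which is what a sanitizer flags as "load of misaligned address", is deliberately absent from the example: on x86 it happens to work, on strict-alignment targets it raises SIGBUS, and under the C standard it is undefined behaviour either way, so a parser reading attacker-supplied bytes should never rely on it.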
