Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A crafted bz3 archive hangs the process #95

Closed
asarubbo opened this issue Mar 23, 2023 · 8 comments
Closed

A crafted bz3 archive hangs the process #95

asarubbo opened this issue Mar 23, 2023 · 8 comments

Comments

@asarubbo
Copy link

Hello,

the attached testcase is able to hang the process:

~ # ps aux | grep bzip3 | grep -v grep
root     36808  100  0.0 21474991596 74724 pts/0 R+ 08:49  14:07 /usr/bin/bzip3 -t 4.crashes.bz3

~ # ps -eo pid,etimes | grep 36808
36808     852

I can reproduce the issue on both v1.2.2 and v1.2.2.r21-ge17c8da (e17c8da)

I can also reproduce with a binary not compiled with Asan.

To reproduce:

bzip3 -t $TESTCASE

Testcase:
4.crashes.bz3.zip

@kspalaiologos
Copy link
Owner

Will take a look later.

@kspalaiologos
Copy link
Owner

kspalaiologos commented Mar 23, 2023

Hangs in libsais_unbwt_decode_1.
Won't fix. When reporting future issues please make sure that you're reporting a problem with bzip3, not libsais.

@asarubbo
Copy link
Author

Based on the statement here IlyaGrebnov/libsais#13 (comment) can you clarify if this is an issue in bzip3 and if bfa5bf8 is the fix?

@kspalaiologos
Copy link
Owner

Yes. There was an extra I/O issue that needed addressing in 56c24ca.

@stevebeattie
Copy link

This issue was assigned CVE-2023-29415.

(I did not assign the CVE, I just noticed it while triaging new CVEs.)

@kspalaiologos
Copy link
Owner

@stevebeattie The CVE description is just plain wrong:

because bzip3 does not follow the required procedure for interacting with libsais.

The libsais documentation never states that it expects a zeroed temporary array.

@stevebeattie
Copy link

I agree. Looking at the (bottom of the) NVD page it seems it was allocated by MITRE, likely from a submission through their webform. You can request to update the description through the same form (though as a piece of advice, keep a record for yourself of what you send them as their ticketing response does not send you a copy of what you submitted, and there can be a delay on when they respond to you).

@kspalaiologos
Copy link
Owner

https://www.cve.org/CVERecord?id=CVE-2023-29417 is also hilarious to me, as bz3_decompress takes the output buffer as parameter and its capacity meaning that obviously when you claim that the buffer you passed has greater capacity than it actually has, the library is going to crash. Of course, you could open such a bug against e.g. glibc because memcpy will keep copying past the end of buffer when the size you passed to it is bogus.

Because it appears to me that these two CVEs were filed with more attention seeking and less reasonable thinking, I think that I will not bother to ask for them to be updated, because everyone who knows C to some extent and bothers to read libsais documentation will know that they're plain invalid.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants