Infinite recursion - gzipfinfo #1

Open
RootUp opened this issue Sep 24, 2019 · 3 comments


@RootUp

RootUp commented Sep 24, 2019

Product affected: gzipfinfo 20190919
OS Details: Linux 4.15.0-65-generic #74-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux

Summary

While fuzzing gzipfinfo, multiple hangs were observed which could lead to denial of service. I think this happens because of infinite recursion.

Debug BT

#0  0x00007ffff6c0c34e in __libc_read (fd=3, buf=0x7fffffff5560, nbytes=64) at ../sysdeps/unix/sysv/linux/read.c:27
#1  0x00007ffff6e67fd0 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#2  0x00005555555fbbd4 in libcfile_file_read_buffer_with_error_code (error=0x40, error_code=<synthetic pointer>, size=<optimized out>, 
    buffer=0x7fffffff5560 "\020\206@<\305ܭ\215\325x\002\226\357x۰M\274zN\003!\020\206\357<\305ܭ\215\325x\002\226\371\331r\034\031\064l\357<\305ܼ\260M>\275d`x۰M\274zN\003!@", file=0x606000000080) at libcfile_file.c:2344
#3  libcfile_file_read_buffer (file=0x606000000080, 
    buffer=0x7fffffff5560 "\020\206@<\305ܭ\215\325x\002\226\357x۰M\274zN\003!\020\206\357<\305ܭ\215\325x\002\226\371\331r\034\031\064l\357<\305ܼ\260M>\275d`x۰M\274zN\003!@", size=<optimized out>, error=error@entry=0x7fffffffdaf0) at libcfile_file.c:1489
#4  0x00005555555831f8 in libbfio_file_io_handle_read_buffer (file_io_handle=0x6030000000a0, buffer=<optimized out>, size=<optimized out>, 
    error=0x7fffffffdaf0) at libbfio_file_io_handle.c:907
#5  0x000055555558619b in libbfio_handle_read_buffer (handle=handle@entry=0x60e000000040, 
    buffer=buffer@entry=0x7fffffff5560 "\020\206@<\305ܭ\215\325x\002\226\357x۰M\274zN\003!\020\206\357<\305ܭ\215\325x\002\226\371\331r\034\031\064l\357<\305ܼ\260M>\275d`x۰M\274zN\003!@", size=size@entry=64, error=error@entry=0x7fffffffdaf0) at libbfio_handle.c:1145
#6  0x000055555557647f in libgzipf_member_header_read_name (member_header=member_header@entry=0x6040000001d0, 
    file_io_handle=file_io_handle@entry=0x60e000000040, error=error@entry=0x7fffffffdaf0) at libgzipf_member_header.c:544
#7  0x000055555557781f in libgzipf_member_header_read_file_io_handle (member_header=0x6040000001d0, 
    file_io_handle=file_io_handle@entry=0x60e000000040, file_offset=<optimized out>, error=error@entry=0x7fffffffdaf0)
    at libgzipf_member_header.c:796
#8  0x0000555555571f9b in libgzipf_file_open_read (internal_file=internal_file@entry=0x604000000010, 
    file_io_handle=file_io_handle@entry=0x60e000000040, error=error@entry=0x7fffffffdaf0) at libgzipf_file.c:1071
#9  0x0000555555572c31 in libgzipf_file_open_file_io_handle (file=file@entry=0x604000000010, file_io_handle=0x60e000000040, 
    access_flags=access_flags@entry=1, error=error@entry=0x7fffffffdaf0) at libgzipf_file.c:778
#10 0x000055555557350f in libgzipf_file_open (file=<optimized out>, 
    filename=0x7fffffffe02c "in/id_000000,src_000004,time_98221,op_havoc,rep_8", access_flags=access_flags@entry=1, 
    error=error@entry=0x7fffffffdaf0) at libgzipf_file.c:432
#11 0x0000555555570344 in info_handle_open_input (info_handle=<optimized out>, filename=<optimized out>, error=0x7fffffffdaf0)
    at info_handle.c:239
#12 0x000055555556cb4c in main (argc=<optimized out>, argv=<optimized out>) at gzipfinfo.c:231

Vulnerable code

	if( info_handle_open_input(
	     gzipfinfo_info_handle,
	     source,
	     &error ) != 1 )

Reference: https://github.com/libyal/libgzipf/blob/master/gzipftools/gzipfinfo.c#L231-L234

To reproduce: gzipfinfo $POC

Attached POC.zip for your reference.
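The hang in the backtrace sits in the FNAME read path (frames #5 and #6: libgzipf_member_header_read_name pulling 64-byte chunks through libbfio_handle_read_buffer). As an added example, not code from libgzipf or from the reporter, here is a bounded reader for a gzip member header's NUL-terminated FNAME field over a constructed in-memory stream: it treats a zero-byte read as EOF and caps the name length, so a terminator-less or truncated input fails instead of spinning. The stream_t type, NAME_MAX_LEN, the 64-byte chunk size and the two header buffers are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define FLG_FNAME 0x08
#define NAME_MAX_LEN 255  /* assumption: bound we impose on FNAME; gzip sets none */
#define READ_CHUNK 64
/* Byte-buffer stream standing in for the file IO handle; 0 bytes read = EOF. */
typedef struct { const uint8_t *data; size_t size; size_t off; } stream_t;

static size_t stream_read(stream_t *s, uint8_t *buf, size_t n) {
    size_t avail = s->size - s->off;
    if (n > avail) n = avail;
    memcpy(buf, s->data + s->off, n);
    s->off += n;
    return n;
}

/* Read the NUL-terminated FNAME in READ_CHUNK-sized reads. Returns the name
 * length, or -1 on EOF before the terminator or when the bound is exceeded. */
int read_member_name(stream_t *s, char *name, size_t name_size) {
    uint8_t chunk[READ_CHUNK];
    size_t len = 0;
    for (;;) {
        size_t got = stream_read(s, chunk, sizeof chunk);
        if (got == 0) return -1;                 /* EOF: malformed header */
        for (size_t i = 0; i < got; i++) {
            if (chunk[i] == 0) {                 /* terminator found */
                s->off -= got - i - 1;           /* un-read the bytes after it */
                name[len] = '\0';
                return (int)len;
            }
            if (len + 1 >= name_size || len >= NAME_MAX_LEN) return -1;
            name[len++] = (char)chunk[i];
        }
    }
}

/* Parse the 10-byte fixed header, then FNAME if FLG.FNAME is set. */
int parse_member_header(const uint8_t *d, size_t size, char *name, size_t name_size) {
    if (size < 10 || d[0] != 0x1f || d[1] != 0x8b || d[2] != 8) return -1;
    stream_t s = { d, size, 10 };
    if (d[3] & FLG_FNAME) return read_member_name(&s, name, name_size);
    name[0] = '\0';
    return 0;
}

/* Constructed inputs: the first has FNAME terminated, the second hits EOF first. */
static const uint8_t ok_hdr[]  = {0x1f,0x8b,8,FLG_FNAME,0,0,0,0,0,3,'n','o','t','e','s',0};
static const uint8_t bad_hdr[] = {0x1f,0x8b,8,FLG_FNAME,0,0,0,0,0,3,'n','o','t','e','s'};
int demo_terminated(void) { char n[64]; return parse_member_header(ok_hdr, sizeof ok_hdr, n, sizeof n); }
int demo_truncated(void)  { char n[64]; return parse_member_header(bad_hdr, sizeof bad_hdr, n, sizeof n); }
```

demo_terminated() returns 5 (the length of "notes"); demo_truncated() returns -1 because the second read delivers zero bytes.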

@joachimmetz
Member

joachimmetz commented Sep 25, 2019

@RootUp this project focuses on data format analysis and is not ready for production usage. Hence the experimental status.

@RootUp
Author

RootUp commented Sep 25, 2019

Hi @joachimmetz, thanks for taking a look; I was not familiar with this. So I'll close the issue, or are we tracking this?

@joachimmetz
Member

I'll take a look when this project is further along, but the TL;DR is don't spend a lot of time fuzzing this project when it's not ready for prime usage yet.
