Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Oct 2015 16:14:53 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Pointer misuse unziping files with busybox

Fix:

http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e

2015-10-25 19:34 GMT-03:00 Gustavo Grieco <gustavo.grieco@...il.com>:

> Unziping a specially crafted zip file results in a computation of an
> invalid
> pointer and a crash reading an invalid address. Upstream is taking a look
> to it, but in the meantime if someone wants to provide some feedback, it
> will be nice. Find an attached a test case to reproduce it. A
> complete backtrace in busybox 1.21 (debug) is available here:
>
> $ gdb --args ./busybox_unstripped unzip x.-6170921383890712452
> ...
> (gdb) run
> Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip
> x.-6170921383890712452
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Archive:  x.-6170921383890712452
>   inflating: ]3j½r«I K-%Ix
>
> Program received signal SIGSEGV, Segmentation fault.
> huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257,
> d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "",
> t=0x60620000eb08,
>     t@...ry=0x602c0000fe60, m=0x7fffffffd260) at
> archival/libarchive/decompress_gunzip.c:441
> 441                    r.e = (unsigned char) e[*p - s]; /*
> non-simple--look up
> in lists */
> (gdb) bt
> #0  huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257,
> d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "",
>     t=0x60620000eb08, t@...ry=0x602c0000fe60, m=0x7fffffffd260) at
> archival/libarchive/decompress_gunzip.c:441
> #1  0x0000000000520b52 in inflate_block (state=state@...ry=0x602c0000fe00,
> e=e@...ry=0x602c0000fe83 "") at
> archival/libarchive/decompress_gunzip.c:905
> #2  0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at
> archival/libarchive/decompress_gunzip.c:947
> #3  inflate_unzip_internal (state=state@...ry=0x602c0000fe00, in=in@...ry
> =3,
> out=out@...ry=4) at archival/libarchive/decompress_gunzip.c:1004
> #4  0x0000000000522a6a in inflate_unzip (aux=aux@...ry=0x7fffffffdc30,
> in=in@...ry=3, out=out@...ry=4) at
> archival/libarchive/decompress_gunzip.c:1048
> #5  0x000000000051b255 in unzip_extract (dst_fd=4,
> zip_header=0x7fffffffdd50)
> at archival/unzip.c:255
> #6  unzip_main (argc=<optimized out>, argv=<optimized out>) at
> archival/unzip.c:654
> #7  0x00000000004088bd in run_applet_no_and_exit
> (applet_no=applet_no@...ry=328, argv=argv@...ry=0x7fffffffe170) at
> libbb/appletlib.c:759
> #8  0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip",
> argv=argv@...ry=0x7fffffffe170) at libbb/appletlib.c:766
> #9  0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at
> libbb/appletlib.c:728
> #10 run_applet_and_exit (name=<optimized out>, argv=argv@...ry
> =0x7fffffffe168)
> at libbb/appletlib.c:768
> #11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168)
> at
> libbb/appletlib.c:823
>
> (gdb) x/i $rip
> => 0x51fb17 <huft_build+2852>:    mov    (%rdi),%dl
> (gdb) info registers
> rax            0x0    0
> rbx            0x57    87
> rcx            0x814a18    8473112
> rdx            0x140900    1313024
> rsi            0x5fa900    6269184
> rdi            0xa04dcc    10505676
> rbp            0x10007fff7940    0x10007fff7940
> rsp            0x7fffffffc930    0x7fffffffc930
> r8             0x7fffffffcb64    140737488341860
> r9             0x7fffffffcbe8    140737488341992
> r10            0x60620000eb10    105974023121680
> r11            0x7fffffffcadc    140737488341724
> r12            0x7fffffffd260    140737488343648
> r13            0x8    8
> r14            0x10007fff7944    17594333493572
> r15            0x0    0
> rip            0x51fb17    0x51fb17 <huft_build+2852>
> eflags         0x10216    [ PF AF IF RF ]
> cs             0x33    51
> ss             0x2b    43
> ds             0x0    0
> es             0x0    0
> fs             0x0    0
> gs             0x0    0
>
> This issue was discovered with QuickFuzz
>
> Thanks!
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ