[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 25 Oct 2015 23:34:27 +0100
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Pointer misuse unziping files with busybox
Unziping a specially crafted zip file results in a computation of an invalid
pointer and a crash reading an invalid address. Upstream is taking a look
to it, but in the meantime if someone wants to provide some feedback, it
will be nice. Find an attached a test case to reproduce it. A
complete backtrace in busybox 1.21 (debug) is available here:
$ gdb --args ./busybox_unstripped unzip x.-6170921383890712452
...
(gdb) run
Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip
x.-6170921383890712452
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Archive: x.-6170921383890712452
inflating: ]3j½r«I..K-%Ix
Program received signal SIGSEGV, Segmentation fault.
huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257,
d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "",
t=0x60620000eb08,
t@...ry=0x602c0000fe60, m=0x7fffffffd260) at
archival/libarchive/decompress_gunzip.c:441
441 r.e = (unsigned char) e[*p - s]; /* non-simple--look
up
in lists */
(gdb) bt
#0 huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257,
d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "",
t=0x60620000eb08, t@...ry=0x602c0000fe60, m=0x7fffffffd260) at
archival/libarchive/decompress_gunzip.c:441
#1 0x0000000000520b52 in inflate_block (state=state@...ry=0x602c0000fe00,
e=e@...ry=0x602c0000fe83 "") at archival/libarchive/decompress_gunzip.c:905
#2 0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at
archival/libarchive/decompress_gunzip.c:947
#3 inflate_unzip_internal (state=state@...ry=0x602c0000fe00, in=in@...ry=3,
out=out@...ry=4) at archival/libarchive/decompress_gunzip.c:1004
#4 0x0000000000522a6a in inflate_unzip (aux=aux@...ry=0x7fffffffdc30,
in=in@...ry=3, out=out@...ry=4) at
archival/libarchive/decompress_gunzip.c:1048
#5 0x000000000051b255 in unzip_extract (dst_fd=4,
zip_header=0x7fffffffdd50)
at archival/unzip.c:255
#6 unzip_main (argc=<optimized out>, argv=<optimized out>) at
archival/unzip.c:654
#7 0x00000000004088bd in run_applet_no_and_exit
(applet_no=applet_no@...ry=328, argv=argv@...ry=0x7fffffffe170) at
libbb/appletlib.c:759
#8 0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip",
argv=argv@...ry=0x7fffffffe170) at libbb/appletlib.c:766
#9 0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at
libbb/appletlib.c:728
#10 run_applet_and_exit (name=<optimized out>, argv=argv@...ry
=0x7fffffffe168)
at libbb/appletlib.c:768
#11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168)
at
libbb/appletlib.c:823
(gdb) x/i $rip
=> 0x51fb17 <huft_build+2852>: mov (%rdi),%dl
(gdb) info registers
rax 0x0 0
rbx 0x57 87
rcx 0x814a18 8473112
rdx 0x140900 1313024
rsi 0x5fa900 6269184
rdi 0xa04dcc 10505676
rbp 0x10007fff7940 0x10007fff7940
rsp 0x7fffffffc930 0x7fffffffc930
r8 0x7fffffffcb64 140737488341860
r9 0x7fffffffcbe8 140737488341992
r10 0x60620000eb10 105974023121680
r11 0x7fffffffcadc 140737488341724
r12 0x7fffffffd260 140737488343648
r13 0x8 8
r14 0x10007fff7944 17594333493572
r15 0x0 0
rip 0x51fb17 0x51fb17 <huft_build+2852>
eflags 0x10216 [ PF AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
This issue was discovered with QuickFuzz
Thanks!
Content of type "text/html" skipped
Download attachment "x.-6170921383890712452" of type "application/octet-stream" (314 bytes)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
