oss-security - Re: Re: zlib memory corruption on deflate (i.e. compress)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Mon, 28 Mar 2022 06:29:46 -0700
From: Tavis Ormandy <taviso@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: zlib memory corruption on deflate (i.e.
 compress)

On Sun, Mar 27, 2022 at 05:39:59PM -0700, Eric Biggers wrote:
> 
> I've attached a full reproducer that works with the following parameters:
> 
> 	level=7 (also 8 and 9)
> 	windowBits=15
> 	memLevel=1
> 	strategy=Z_DEFAULT_STRATEGY
> 
> i.e.,
> 
>     deflateInit2(&strm, 7, Z_DEFLATED, 15, 1, Z_DEFAULT_STRATEGY);
> 
> With ASAN, it generates a warning like Tavis's reproducer with Z_FIXED did.
> 

Wow, thanks for your analysis Eric.

Confirmed here, and the output deflated stream is also garbage... ouch,
this is really not good...

It seems likely that an attacker can force this state, even if they
don't control the prefix (e.g. a logfile), or perhaps (theoretically)
force a deflated HTTP response to contain output that wasn't sent, etc,
etc.

Let's hope cleaning up old static copies of zlib isn't going to be a
mess for years to come :(

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@....org
_\_V _( ) _( )  @taviso

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.