Bug ID 1037925
Summary VUL-1: lrzip: invalid memory read in lzo_decompress_buf (stream.c)
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

Created attachment 724063 [details]
00230-lrzip-invalidread-lzo1x_decompress_reproducer

Ref:
https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/
==============================================================
Description:
lrzip is a compression utility that excels at compressing large files.

The complete ASan output of the issue:

# lrzip -t $FILE
==3311==ERROR: AddressSanitizer: SEGV on unknown address 0x602000010000 (pc
0x7f75cabe8834 bp 0x62100002c11f sp 0x7f7085ab4d78 T5)
==3311==The signal is caused by a READ memory access.
    #0 0x7f75cabe8833 in lzo1x_decompress
/tmp/portage/dev-libs/lzo-2.08/work/lzo-2.08/src/lzo1x_d.ch:108
    #1 0x54af2f in lzo_decompress_buf
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:590:10
    #2 0x54af2f in ucompthread
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1525
    #3 0x7f75ca2944a3 in start_thread
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_create.c:333
    #4 0x7f75c95bf66c in clone
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/tmp/portage/dev-libs/lzo-2.08/work/lzo-2.08/src/lzo1x_d.ch:108 in
lzo1x_decompress
Thread T5 created by T0 here:
    #0 0x42d49d in pthread_create
/tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
    #1 0x53e70f in create_pthread
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:133:6
    #2 0x53e70f in fill_buffer
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1673
    #3 0x53e70f in read_stream
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
    #4 0x531075 in unzip_literal
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:162:16
    #5 0x531075 in runzip_chunk
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:320
    #6 0x531075 in runzip_fd
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
    #7 0x519b41 in decompress_file
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
    #8 0x511074 in main
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
    #9 0x7f75c94f878f in __libc_start_main
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

Dunno wtf decompression type to use!
==3311==AddressSanitizer: while reporting a bug found another one. Ignoring.
Fatal error - exiting

Affected version:
0.631

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00230-lrzip-invalidread-lzo1x_decompress

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-05-07: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

    lrzip: invalid memory read in lzo_decompress_buf (stream.c)
==============================================================


(open-)SUSE: https://software.opensuse.org/package/lrzip

0.631 (TW, official repo)
0.621 (42.{1,2}, official repo)

==============================================================
k_mikhail@linux-mk500:~> lrzip -t 00230-lrzip-invalidread-lzo1x_decompress 
Decompressing...
Failed to decompress buffer - lzmaerr=6
������������ ������������������������������ (core dumped)

k_mikhail@linux-mk500:~> lrzip --version
lrzip version 0.621
==============================================================

You are receiving this mail because: