[Bug 1037923] New: VUL-1: lrzip: NULL pointer dereference in bufRead::get (libzpaq.h)
http://bugzilla.opensuse.org/show_bug.cgi?id=1037923 Bug ID: 1037923 Summary: VUL-1: lrzip: NULL pointer dereference in bufRead::get (libzpaq.h) Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 724061 --> http://bugzilla.opensuse.org/attachment.cgi?id=724061&action=edit 00229-lrzip-nullptr-bufRead-get_reproducer Ref: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bu... ======================================================= Description: lrzip is a compression utility that excels at compressing large files. The complete ASan output of the issue: # lrzip -t $FILE ==24966==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005e7caa bp 0x7f7c755a58d0 sp 0x7f7c755a5870 T2) ==24966==The signal is caused by a READ memory access. ==24966==Hint: address points to the zero page. #0 0x5e7ca9 in bufRead::get() /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:485:24 #1 0x5856f1 in libzpaq::Decompresser::findBlock(double*) /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.cpp:1236:21 #2 0x55f79a in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*) /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.cpp:1363:12 #3 0x55f4e2 in zpaq_decompress /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:538:2 #4 0x54b3a4 in zpaq_decompress_buf /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:453:2 #5 0x54b3a4 in ucompthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1534 #6 0x7f81b7a434a3 in start_thread /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_create.c:333 #7 0x7f81b6d6e66c in clone /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:485:24 in bufRead::get() Thread T2 created by T0 here: #0 0x42d49d in pthread_create /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245 #1 0x53e70f in create_pthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:133:6 #2 0x53e70f in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1673 #3 0x53e70f in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755 #4 0x531075 in unzip_literal /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:162:16 #5 0x531075 in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:320 #6 0x531075 in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382 #7 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6 #8 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4 #9 0x7f81b6ca778f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 ==24966==ABORTING Affected version: 0.631 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00229-lrzip-nullptr-bufRead-get Timeline: 2017-03-24: bug discovered and reported to upstream 2017-05-07: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: lrzip: NULL pointer dereference in bufRead::get (libzpaq.h) ======================================================= (open-)SUSE: https://software.opensuse.org/package/lrzip 0.631 (TW, official repo) 0.621 (42.{1,2}, official repo) ======================================================= k_mikhail@linux-mk500:~> lrzip -t 00229-lrzip-nullptr-bufRead-get Decompressing... Inconsistent length after decompression. Got 0 bytes, expected 2 Inconsistent length after decompression. Got 0 bytes, expected 2 Ошибка сегментирования (core dumped) k_mikhail@linux-mk500:~> lrzip --version lrzip version 0.621 ======================================================= -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1037923
http://bugzilla.opensuse.org/show_bug.cgi?id=1037923#c1
Mikhail Kasimov
http://bugzilla.opensuse.org/show_bug.cgi?id=1037923
http://bugzilla.opensuse.org/show_bug.cgi?id=1037923#c2
Alexander Bergmann
participants (1)
-
bugzilla_noreply@novell.com