'Re: [oss-security] Pointer misuse unziping files with busybox'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Pointer misuse unziping files with busybox
From:       Justin Ferguson <justin () asac ! co>
Date:       2018-07-29 18:58:08
Message-ID: CABejAMJfYbPQAeLLAdFojWawcACw3rHXBLp=6XOFOhV5wmwE1w () mail ! gmail ! com
[Download RAW message or body]

Hello,

As an additional addendum, bugs are sometimes hard to quantify in
terms of what vernacular to use. From the written description this
would be termed as an "out-of-bounds read" or "read access violation".
(I stopped and read because I was curious what weird thing was
happening with a pointer)

-me


On Thu, Jul 26, 2018 at 12:11 PM, Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi,
>
> On Sun, Oct 25, 2015 at 11:34:27PM +0100, Gustavo Grieco wrote:
>> Unziping a specially crafted zip file results in a computation of an invalid
>> pointer and a crash reading an invalid address. Upstream is taking a look
>> to it, but in the meantime if someone wants to provide some feedback, it
>> will be nice. Find an attached a test case to reproduce it. A
>> complete backtrace in busybox 1.21 (debug) is available here:
>>
>> $ gdb --args ./busybox_unstripped unzip x.-6170921383890712452
>> ...
>> (gdb) run
>> Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip
>> x.-6170921383890712452
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>> Archive:  x.-6170921383890712452
>>   inflating: ]3j 緝 侵  K-%Ix
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257,
>> d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "",
>> t=0x60620000eb08,
>>     t@entry=0x602c0000fe60, m=0x7fffffffd260) at
>> archival/libarchive/decompress_gunzip.c:441
>> 441                    r.e = (unsigned char) e[*p - s]; /* non-simple--look
>> up
>> in lists */
>> (gdb) bt
>> #0  huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257,
>> d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "",
>>     t=0x60620000eb08, t@entry=0x602c0000fe60, m=0x7fffffffd260) at
>> archival/libarchive/decompress_gunzip.c:441
>> #1  0x0000000000520b52 in inflate_block (state=state@entry=0x602c0000fe00,
>> e=e@entry=0x602c0000fe83 "") at archival/libarchive/decompress_gunzip.c:905
>> #2  0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at
>> archival/libarchive/decompress_gunzip.c:947
>> #3  inflate_unzip_internal (state=state@entry=0x602c0000fe00, in=in@entry=3,
>> out=out@entry=4) at archival/libarchive/decompress_gunzip.c:1004
>> #4  0x0000000000522a6a in inflate_unzip (aux=aux@entry=0x7fffffffdc30,
>> in=in@entry=3, out=out@entry=4) at
>> archival/libarchive/decompress_gunzip.c:1048
>> #5  0x000000000051b255 in unzip_extract (dst_fd=4,
>> zip_header=0x7fffffffdd50)
>> at archival/unzip.c:255
>> #6  unzip_main (argc=<optimized out>, argv=<optimized out>) at
>> archival/unzip.c:654
>> #7  0x00000000004088bd in run_applet_no_and_exit
>> (applet_no=applet_no@entry=328, argv=argv@entry=0x7fffffffe170) at
>> libbb/appletlib.c:759
>> #8  0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip",
>> argv=argv@entry=0x7fffffffe170) at libbb/appletlib.c:766
>> #9  0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at
>> libbb/appletlib.c:728
>> #10 run_applet_and_exit (name=<optimized out>, argv=argv@entry
>> =0x7fffffffe168)
>> at libbb/appletlib.c:768
>> #11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168)
>> at
>> libbb/appletlib.c:823
>>
>> (gdb) x/i $rip
>> => 0x51fb17 <huft_build+2852>:    mov    (%rdi),%dl
>> (gdb) info registers
>> rax            0x0    0
>> rbx            0x57    87
>> rcx            0x814a18    8473112
>> rdx            0x140900    1313024
>> rsi            0x5fa900    6269184
>> rdi            0xa04dcc    10505676
>> rbp            0x10007fff7940    0x10007fff7940
>> rsp            0x7fffffffc930    0x7fffffffc930
>> r8             0x7fffffffcb64    140737488341860
>> r9             0x7fffffffcbe8    140737488341992
>> r10            0x60620000eb10    105974023121680
>> r11            0x7fffffffcadc    140737488341724
>> r12            0x7fffffffd260    140737488343648
>> r13            0x8    8
>> r14            0x10007fff7944    17594333493572
>> r15            0x0    0
>> rip            0x51fb17    0x51fb17 <huft_build+2852>
>> eflags         0x10216    [ PF AF IF RF ]
>> cs             0x33    51
>> ss             0x2b    43
>> ds             0x0    0
>> es             0x0    0
>> fs             0x0    0
>> gs             0x0    0
>>
>> This issue was discovered with QuickFuzz
>
> FTR, this older issue got CVE-2015-9261 assigned.
>
> Regards,
> Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic