List: oss-security
Subject: Re: [oss-security] Pointer misuse unziping files with busybox
From: Justin Ferguson <justin () asac ! co>
Date: 2018-07-29 18:58:08
Message-ID: CABejAMJfYbPQAeLLAdFojWawcACw3rHXBLp=6XOFOhV5wmwE1w () mail ! gmail ! com
Hello,
As an additional addendum, bugs are sometimes hard to quantify in
terms of what vernacular to use. From the written description this
would be termed as an "out-of-bounds read" or "read access violation".
(I stopped and read because I was curious what weird thing was
happening with a pointer)
-me
On Thu, Jul 26, 2018 at 12:11 PM, Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi,
>
> On Sun, Oct 25, 2015 at 11:34:27PM +0100, Gustavo Grieco wrote:
>> Unziping a specially crafted zip file results in a computation of an invalid
>> pointer and a crash reading an invalid address. Upstream is taking a look
>> to it, but in the meantime if someone wants to provide some feedback, it
>> will be nice. Find an attached a test case to reproduce it. A
>> complete backtrace in busybox 1.21 (debug) is available here:
>>
>> $ gdb --args ./busybox_unstripped unzip x.-6170921383890712452
>> ...
>> (gdb) run
>> Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip x.-6170921383890712452
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>> Archive: x.-6170921383890712452
>> inflating: ]3j ½r «I K-%Ix
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257, d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "", t=0x60620000eb08, t@entry=0x602c0000fe60, m=0x7fffffffd260) at archival/libarchive/decompress_gunzip.c:441
>> 441 r.e = (unsigned char) e[*p - s]; /* non-simple--look up in lists */
>> (gdb) bt
>> #0 huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257, d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "", t=0x60620000eb08, t@entry=0x602c0000fe60, m=0x7fffffffd260) at archival/libarchive/decompress_gunzip.c:441
>> #1 0x0000000000520b52 in inflate_block (state=state@entry=0x602c0000fe00, e=e@entry=0x602c0000fe83 "") at archival/libarchive/decompress_gunzip.c:905
>> #2 0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at archival/libarchive/decompress_gunzip.c:947
>> #3 inflate_unzip_internal (state=state@entry=0x602c0000fe00, in=in@entry=3, out=out@entry=4) at archival/libarchive/decompress_gunzip.c:1004
>> #4 0x0000000000522a6a in inflate_unzip (aux=aux@entry=0x7fffffffdc30, in=in@entry=3, out=out@entry=4) at archival/libarchive/decompress_gunzip.c:1048
>> #5 0x000000000051b255 in unzip_extract (dst_fd=4, zip_header=0x7fffffffdd50) at archival/unzip.c:255
>> #6 unzip_main (argc=<optimized out>, argv=<optimized out>) at archival/unzip.c:654
>> #7 0x00000000004088bd in run_applet_no_and_exit (applet_no=applet_no@entry=328, argv=argv@entry=0x7fffffffe170) at libbb/appletlib.c:759
>> #8 0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip", argv=argv@entry=0x7fffffffe170) at libbb/appletlib.c:766
>> #9 0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at libbb/appletlib.c:728
>> #10 run_applet_and_exit (name=<optimized out>, argv=argv@entry=0x7fffffffe168) at libbb/appletlib.c:768
>> #11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168) at libbb/appletlib.c:823
>>
>> (gdb) x/i $rip
>> => 0x51fb17 <huft_build+2852>: mov (%rdi),%dl
>> (gdb) info registers
>> rax 0x0 0
>> rbx 0x57 87
>> rcx 0x814a18 8473112
>> rdx 0x140900 1313024
>> rsi 0x5fa900 6269184
>> rdi 0xa04dcc 10505676
>> rbp 0x10007fff7940 0x10007fff7940
>> rsp 0x7fffffffc930 0x7fffffffc930
>> r8 0x7fffffffcb64 140737488341860
>> r9 0x7fffffffcbe8 140737488341992
>> r10 0x60620000eb10 105974023121680
>> r11 0x7fffffffcadc 140737488341724
>> r12 0x7fffffffd260 140737488343648
>> r13 0x8 8
>> r14 0x10007fff7944 17594333493572
>> r15 0x0 0
>> rip 0x51fb17 0x51fb17 <huft_build+2852>
>> eflags 0x10216 [ PF AF IF RF ]
>> cs 0x33 51
>> ss 0x2b 43
>> ds 0x0 0
>> es 0x0 0
>> fs 0x0 0
>> gs 0x0 0
>>
>> This issue was discovered with QuickFuzz
>
> FTR, this older issue got CVE-2015-9261 assigned.
>
> Regards,
> Salvatore
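The crash reported above stops at the lookup `r.e = (unsigned char) e[*p - s];` with n=264 and s=257, so a legitimate code value taken from p can only produce a small index into the extra-bits table. The faulting instruction reads through rdi = 0xa04dcc, which, if rdi is the computed element address, is 0x40a50c bytes past cplext at 0x5fa8c0: the index came from a value the table was never meant to cover. The C below is an added example for this thread, not busybox code and not the upstream fix: it models that lookup with deflate's length codes 257..268 and shows the range check that refuses such an index instead of reading it. The table size, the literal marker, the function names and the code-value array are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length-code tables for deflate codes 257..268 (RFC 1951 base lengths and
 * extra-bit counts).  The table length is chosen for this example; it is
 * not the size of busybox's cplens/cplext. */
#define LEN_CODES 12
static const uint16_t len_base[LEN_CODES]  = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17};
static const uint8_t  len_extra[LEN_CODES] = {0, 0, 0, 0, 0, 0, 0, 0,  1,  1,  1,  1};

/* Marker this example stores in place of r.e for a literal code (16, as
 * inflate-derived code does); an assumption of the example. */
#define LITERAL 16

/* Unchecked lookup: the shape of the faulting line.  Any code >= s becomes
 * an index without being compared against the table length, so a corrupt
 * code value reads past len_extra[].  Callers must keep code in range. */
static unsigned char extra_bits_unchecked(unsigned code, unsigned s)
{
    if (code < s)
        return LITERAL;
    return len_extra[code - s];
}

/* Checked lookups: refuse any index the table does not cover.
 * They return the extra-bit count or base length, LITERAL (or the code
 * itself) for a literal, and -1 for a code the tables cannot describe. */
static int extra_bits_checked(unsigned code, unsigned s)
{
    if (code < s)
        return LITERAL;
    if (code - s >= LEN_CODES)
        return -1;                   /* corrupt stream: refuse, do not read past e[] */
    return len_extra[code - s];
}

static int base_len_checked(unsigned code, unsigned s)
{
    if (code < s)
        return (int)code;            /* a literal's value is the code itself */
    if (code - s >= LEN_CODES)
        return -1;
    return len_base[code - s];
}

/* Walk a code-value array the way huft_build walks p[], and report the
 * index of the first value the checked lookup refuses (-1 if none). */
static int first_bad_code(const unsigned *codes, size_t n, unsigned s)
{
    for (size_t i = 0; i < n; i++)
        if (extra_bits_checked(codes[i], s) < 0)
            return (int)i;
    return -1;
}

/* Constructed code values: two literals, three valid length codes, then a
 * value whose index is 0x40a50c, the distance from cplext (0x5fa8c0) to
 * the faulting rdi (0xa04dcc) in the register dump above. */
#define NSAMPLE 6
static const unsigned sample_codes[NSAMPLE] = {65, 200, 257, 265, 268, 257 + 0x40a50cu};

int main(void)
{
    unsigned s = 257;
    for (size_t i = 0; i < NSAMPLE; i++) {
        int e = extra_bits_checked(sample_codes[i], s);
        if (e < 0)
            printf("code %u: index %u is outside the %d-entry table, refused\n",
                   sample_codes[i], sample_codes[i] - s, LEN_CODES);
        else if (e == LITERAL)
            printf("code %u: literal\n", sample_codes[i]);
        else
            printf("code %u: base length %d, %d extra bits\n",
                   sample_codes[i], base_len_checked(sample_codes[i], s), e);
    }
    printf("first refused value at index %d\n", first_bad_code(sample_codes, NSAMPLE, s));
    /* The unchecked form is only safe here because index 0 is in range. */
    printf("unchecked lookup of code 257: %u extra bits\n", extra_bits_unchecked(257, s));
    return 0;
}
```

The check is cheap because the table length is a compile-time constant; the cost in real inflate code is deciding what to do on refusal (abort the block, as a corrupt stream deserves) rather than the comparison itself.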