Re: Pointer misuse unziping files with busybox

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Sun, Oct 25, 2015 at 11:34:27PM +0100, Gustavo Grieco wrote:
> Unziping a specially crafted zip file results in a computation of an invalid
> pointer and a crash reading an invalid address. Upstream is taking a look
> to it, but in the meantime if someone wants to provide some feedback, it
> will be nice. Find an attached a test case to reproduce it. A
> complete backtrace in busybox 1.21 (debug) is available here:
>
> $ gdb --args ./busybox_unstripped unzip x.-6170921383890712452
> ...
> (gdb) run
> Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip
> x.-6170921383890712452
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Archive:  x.-6170921383890712452
>   inflating: ]3j½r«IK-%Ix
>
> Program received signal SIGSEGV, Segmentation fault.
> huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257,
> d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "",
> t=0x60620000eb08,
>     t@entry=0x602c0000fe60, m=0x7fffffffd260) at
> archival/libarchive/decompress_gunzip.c:441
> 441                    r.e = (unsigned char) e[*p - s]; /* non-simple--look
> up
> in lists */
> (gdb) bt
> #0  huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257,
> d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "",
>     t=0x60620000eb08, t@entry=0x602c0000fe60, m=0x7fffffffd260) at
> archival/libarchive/decompress_gunzip.c:441
> #1  0x0000000000520b52 in inflate_block (state=state@entry=0x602c0000fe00,
> e=e@entry=0x602c0000fe83 "") at archival/libarchive/decompress_gunzip.c:905
> #2  0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at
> archival/libarchive/decompress_gunzip.c:947
> #3  inflate_unzip_internal (state=state@entry=0x602c0000fe00, in=in@entry=3,
> out=out@entry=4) at archival/libarchive/decompress_gunzip.c:1004
> #4  0x0000000000522a6a in inflate_unzip (aux=aux@entry=0x7fffffffdc30,
> in=in@entry=3, out=out@entry=4) at
> archival/libarchive/decompress_gunzip.c:1048
> #5  0x000000000051b255 in unzip_extract (dst_fd=4,
> zip_header=0x7fffffffdd50)
> at archival/unzip.c:255
> #6  unzip_main (argc=<optimized out>, argv=<optimized out>) at
> archival/unzip.c:654
> #7  0x00000000004088bd in run_applet_no_and_exit
> (applet_no=applet_no@entry=328, argv=argv@entry=0x7fffffffe170) at
> libbb/appletlib.c:759
> #8  0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip",
> argv=argv@entry=0x7fffffffe170) at libbb/appletlib.c:766
> #9  0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at
> libbb/appletlib.c:728
> #10 run_applet_and_exit (name=<optimized out>, argv=argv@entry
> =0x7fffffffe168)
> at libbb/appletlib.c:768
> #11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168)
> at
> libbb/appletlib.c:823
>
> (gdb) x/i $rip
> => 0x51fb17 <huft_build+2852>:    mov    (%rdi),%dl
> (gdb) info registers
> rax            0x0    0
> rbx            0x57    87
> rcx            0x814a18    8473112
> rdx            0x140900    1313024
> rsi            0x5fa900    6269184
> rdi            0xa04dcc    10505676
> rbp            0x10007fff7940    0x10007fff7940
> rsp            0x7fffffffc930    0x7fffffffc930
> r8             0x7fffffffcb64    140737488341860
> r9             0x7fffffffcbe8    140737488341992
> r10            0x60620000eb10    105974023121680
> r11            0x7fffffffcadc    140737488341724
> r12            0x7fffffffd260    140737488343648
> r13            0x8    8
> r14            0x10007fff7944    17594333493572
> r15            0x0    0
> rip            0x51fb17    0x51fb17 <huft_build+2852>
> eflags         0x10216    [ PF AF IF RF ]
> cs             0x33    51
> ss             0x2b    43
> ds             0x0    0
> es             0x0    0
> fs             0x0    0
> gs             0x0    0
>
> This issue was discovered with QuickFuzz

FTR, this older issue got CVE-2015-9261 assigned.

Regards,
Salvatore