oss-sec mailing list archives
snzip: memory allocation failure in work_buffer_resize (snzip.c)
From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 18 Oct 2016 17:02:24 +0200
Description:
snzip is a compression/decompression tool based on snappy.
Fuzzing revealed a memory allocation failure: while decompressing a crafted input in the snappy-java format, work_buffer_resize() passes a size of 0xffffffffc8617364 bytes to realloc(), and AddressSanitizer's allocator aborts the process instead of returning NULL.
The complete ASan output:
# snzip -d $FILE
==12351==WARNING: AddressSanitizer failed to allocate 0xffffffffc8617364 bytes
==12351==AddressSanitizer's allocator is terminating the process instead of returning 0
==12351==If you don't like this behavior set allocator_may_return_null=1
==12351==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x4ca7ed in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d1323 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4cf076 in __sanitizer::ReportAllocatorCannotReturnNull() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147
    #3 0x424896 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::LargeMmapAllocator >::ReturnNullOrDie() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1317
    #4 0x424896 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:359
    #5 0x4205bd in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:539
    #6 0x4205bd in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:732
    #7 0x4c1231 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #8 0x4fe72c in work_buffer_resize /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snzip.c:584:13
    #9 0x51667b in snappy_java_uncompress /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snappy-java-format.c:193:7
    #10 0x4f68ea in main /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snzip.c:401:11
    #11 0x7fcbabbd261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x419988 in _init (/usr/bin/snzip+0x419988)
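The requested size in the trace, 0xffffffffc8617364, is exactly what a negative 32-bit length becomes when it is sign-extended to a 64-bit size_t, which is why the allocator gives up before any decompression happens. The following is an added example, not snzip's code, showing the shape of a buffer resize that validates an untrusted length field before it reaches realloc() and that keeps the old buffer valid when allocation fails. The struct and function names, the 64 MiB cap and the big-endian framing of the length field are assumptions made for the example; only the 0xc8617364 value is taken from the trace above.

```c
/*
 * Added example, not snzip's code: a work-buffer resize that validates a
 * length field before calling realloc(). The size in the ASan trace,
 * 0xffffffffc8617364, is what a negative 32-bit value becomes when it is
 * sign-extended to size_t, so the checks below reject negative and
 * oversized lengths and keep the old buffer valid when realloc() fails.
 * All names, the 64 MiB cap and the big-endian framing are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest single block the decoder will buffer; assumed value for the example. */
#define WORK_BUFFER_MAX (64u * 1024u * 1024u)

struct work_buffer {
    char *ptr;   /* current allocation, NULL until first use */
    size_t cap;  /* usable bytes in ptr */
};

enum resize_status {
    RESIZE_OK = 0,
    RESIZE_BAD_LENGTH,  /* negative length field in the input */
    RESIZE_TOO_LARGE,   /* exceeds WORK_BUFFER_MAX */
    RESIZE_NO_MEMORY    /* realloc() returned NULL */
};

/* Read a 4-byte big-endian length field (assumed framing) as a signed value,
 * mirroring a header field that a container format declares as a signed int. */
static int32_t read_be32(const unsigned char b[4])
{
    uint32_t u = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
                 ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    return (int32_t)u;
}

/* Validate an untrusted length before it reaches the allocator. */
static enum resize_status validate_block_len(int32_t len, size_t *out)
{
    if (len < 0)
        return RESIZE_BAD_LENGTH;            /* would sign-extend to ~2^64 */
    if ((uint32_t)len > WORK_BUFFER_MAX)
        return RESIZE_TOO_LARGE;             /* sane inputs never need this much */
    *out = (size_t)len;
    return RESIZE_OK;
}

/* Grow the buffer to at least len bytes; never shrinks, never loses the old
 * pointer on failure, and never calls realloc() with an unchecked size. */
static enum resize_status work_buffer_resize(struct work_buffer *wb, int32_t len)
{
    size_t need = 0;
    enum resize_status st = validate_block_len(len, &need);
    if (st != RESIZE_OK)
        return st;
    if (need <= wb->cap)
        return RESIZE_OK;                    /* already large enough */
    char *p = realloc(wb->ptr, need);
    if (p == NULL)
        return RESIZE_NO_MEMORY;             /* wb->ptr is still valid here */
    wb->ptr = p;
    wb->cap = need;
    return RESIZE_OK;
}

/* Constructed header bytes: 0xc8617364, the low 32 bits of the size ASan reported. */
static const unsigned char TRACE_HEADER_BYTES[4] = { 0xc8, 0x61, 0x73, 0x64 };

/* Scenario 1: the length from the trace is rejected before any allocation. */
static int scenario_rejects_trace_length(void)
{
    struct work_buffer wb = { NULL, 0 };
    int32_t len = read_be32(TRACE_HEADER_BYTES);
    enum resize_status st = work_buffer_resize(&wb, len);
    return st == RESIZE_BAD_LENGTH && wb.ptr == NULL && wb.cap == 0;
}

/* Scenario 2: grow to 4096 bytes, a smaller request keeps the buffer, an
 * oversized request is refused without disturbing it. Returns the final capacity. */
static size_t scenario_grow_and_refuse(void)
{
    struct work_buffer wb = { NULL, 0 };
    if (work_buffer_resize(&wb, 4096) != RESIZE_OK) return 0;
    if (work_buffer_resize(&wb, 100) != RESIZE_OK) return 0;
    if (work_buffer_resize(&wb, (int32_t)WORK_BUFFER_MAX + 1) != RESIZE_TOO_LARGE) return 0;
    size_t cap = wb.cap;
    free(wb.ptr);
    return cap;
}

int main(void)
{
    int32_t len = read_be32(TRACE_HEADER_BYTES);
    printf("header length %d -> as size_t 0x%llx, rejected: %s\n",
           (int)len, (unsigned long long)(size_t)len,
           scenario_rejects_trace_length() ? "yes" : "no");
    printf("grow/refuse scenario final capacity: %zu\n", scenario_grow_and_refuse());
    return 0;
}
```

The two checks are independent: the sign test catches the sign-extension case the trace shows, and the cap catches large positive lengths that would otherwise let a small input force a huge allocation. Returning a status instead of aborting lets the decoder report a corrupt input and exit cleanly, which is also what a fuzzer harness wants to see instead of an allocator crash.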
Affected version:
1.0.3
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-10-13: bug discovered
2016-10-13: bug reported to upstream
2016-10-08: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2016/10/18/snzip-memory-allocation-failure-in-work_buffer_resize-snzip-c
