
use-after-free in ucompthread (src/stream.c) #90

Closed
ProbeFuzzer opened this issue Jan 17, 2018 · 2 comments

Comments


ProbeFuzzer commented Jan 17, 2018

on 0.631 (the latest version) and the latest master branch:
there is a use-after-free problem in the ucompthread function (src/stream.c) that causes the program to crash. Note that this issue is caused by the memory free of "ucthread", which is different from CVE-2017-8846 (#71) caused by memory free of "stream_info *sinfo".

This issue can be triggered by the POC with command lrzip -t $POC

POC: https://github.com/ProbeFuzzer/poc/blob/master/lrzip/lrzip_0-631_lrzip_use-after-free_ucompthread.lrz

The problem happens in line 1519 of stream.c file. Once "ucthread" is released, "uci" points to a random address, resulting in segmentation fault.

1513 uci = &ucthread[i];
...
1518 retry:
1519 if (uci->c_type != CTYPE_NONE) {
1520 switch (uci->c_type) {
1521 case CTYPE_LZMA:

bin/lrzip -t output/poc/71.lrz
Decompressing...
ASAN:SIGSEGV
==78968==AddressSanitizer: while reporting a bug found another one. Ignoring.
ASAN:SIGSEGV
==78968==AddressSanitizer: while reporting a bug found another one. Ignoring.
chunk_bytes -93 is invalid in runzip_chunk
Fatal error - exiting

ASAN:SIGSEGV
==78968==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001ebc0 at pc 0x00000043e376 bp 0x7fdc847f9d10 sp 0x7fdc847f9d08
ASAN:SIGSEGV
==78968==AddressSanitizer: while reporting a bug found another one. Ignoring.
==78968==AddressSanitizer: while reporting a bug found another one. Ignoring.
READ of size 1 at 0x61d00001ebc0 thread T7
#0 0x43e375 in ucompthread lrzip/src/stream.c:1519
#1 0x7fdc8a22ce24 in start_thread (/lib64/libpthread.so.0+0x7e24)
#2 0x7fdc89a4134c in __clone (/lib64/libc.so.6+0xf834c)

0x61d00001ebc0 is located 320 bytes inside of 2016-byte region [0x61d00001ea80,0x61d00001f260)
freed by thread T0 here:
#0 0x7fdc8ae96e32 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x451334 in close_stream_in lrzip/src/stream.c:1839

previously allocated by thread T0 here:
#0 0x7fdc8ae97292 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:70
#1 0x44941d in open_stream_in lrzip/src/stream.c:1082

Thread T7 created by T0 here:
#0 0x7fdc8ae390b4 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:179
#1 0x43e5cc in create_pthread lrzip/src/stream.c:133

SUMMARY: AddressSanitizer: heap-use-after-free lrzip/src/stream.c:1519 ucompthread
Shadow bytes around the buggy address:
0x0c3a7fffbd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a7fffbd70: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c3a7fffbd80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbda0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbdb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffbdc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==78968==ABORTING
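The ASan report above shows the lifecycle shape of the bug: thread T0 frees the per-worker array in close_stream_in while worker thread T7 is still dereferencing its entry in ucompthread. The program below is an added illustration of that pattern and of the usual mitigation (join every outstanding worker before the array that workers point into is freed); it is not lrzip's code, and every name in it (`struct worker_info`, `open_stream`, `start_worker`, `close_stream`, `close_stream_unsafe`, `run_demo`) is hypothetical.

```c
/* Added example, not lrzip's code. Models the use-after-free class from this
 * issue: a main thread frees a calloc'd array of per-worker records while a
 * worker thread may still read its record through a pointer into that array.
 * All identifiers here are hypothetical and chosen only to mirror the report. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#define NTHREADS 4
enum ctype { CTYPE_NONE = 0, CTYPE_LZMA = 1 };

/* Hypothetical per-worker record, in the role of lrzip's ucthread[i]. */
struct worker_info {
    int c_type;
    pthread_t tid;
    int busy;      /* 1 while a thread is running on this slot */
    long result;   /* written by the worker, read after join */
};

struct stream {
    struct worker_info *workers;  /* heap array that workers point into */
    int nworkers;
};

/* Worker: reads its record repeatedly, as ucompthread reads uci->c_type.
 * Computes sum(0..999) = 499500 for CTYPE_LZMA slots, 0 for CTYPE_NONE. */
static void *worker(void *arg) {
    struct worker_info *uci = arg;   /* pointer INTO stream->workers */
    long sum = 0;
    for (int i = 0; i < 1000; i++)
        sum += (uci->c_type == CTYPE_LZMA) ? i : 0;
    uci->result = sum;
    return NULL;
}

struct stream *open_stream(int n) {
    struct stream *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->workers = calloc((size_t)n, sizeof *s->workers);
    if (!s->workers) { free(s); return NULL; }
    s->nworkers = n;
    return s;
}

/* Returns 0 on success, -1 if the slot is invalid or already in use. */
int start_worker(struct stream *s, int i, int c_type) {
    if (!s || i < 0 || i >= s->nworkers || s->workers[i].busy) return -1;
    s->workers[i].c_type = c_type;
    s->workers[i].busy = 1;
    if (pthread_create(&s->workers[i].tid, NULL, worker, &s->workers[i]) != 0) {
        s->workers[i].busy = 0;
        return -1;
    }
    return 0;
}

/* The unsafe shape: frees the array with workers possibly still running.
 * Kept only for contrast; nothing here calls it. */
void close_stream_unsafe(struct stream *s) {
    free(s->workers);   /* workers still hold pointers into this block */
    free(s);
}

/* Hardened close: join every outstanding worker first, collect results,
 * then free. Returns the number of workers joined, -1 on bad input. */
int close_stream(struct stream *s, long *total) {
    if (!s || !s->workers) return -1;
    int joined = 0;
    long sum = 0;
    for (int i = 0; i < s->nworkers; i++) {
        if (s->workers[i].busy) {
            pthread_join(s->workers[i].tid, NULL);  /* worker is done with uci */
            s->workers[i].busy = 0;
            sum += s->workers[i].result;
            joined++;
        }
    }
    free(s->workers);
    s->workers = NULL;   /* no dangling pointer left behind in the owner */
    free(s);
    if (total) *total = sum;
    return joined;
}

/* Starts NTHREADS workers (even slots LZMA, odd slots NONE) and closes safely.
 * Expected total: 2 * 499500 = 999000. */
long run_demo(void) {
    struct stream *s = open_stream(NTHREADS);
    if (!s) return -1;
    for (int i = 0; i < NTHREADS; i++) {
        if (start_worker(s, i, (i % 2 == 0) ? CTYPE_LZMA : CTYPE_NONE) != 0) {
            close_stream(s, NULL);
            return -1;
        }
    }
    long total = 0;
    close_stream(s, &total);
    return total;
}

int main(void) {
    printf("total = %ld\n", run_demo());
    return 0;
}
```

The defensive point is the ordering in `close_stream`: the owner of a shared block must establish, by `pthread_join` or an equivalent completion signal, that no thread still holds a pointer into it before calling `free`. The `busy` flag also makes slot reuse an explicit error instead of a silent race, which is the kind of invariant AddressSanitizer (as in the report above) or a thread sanitizer will otherwise only catch at run time.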


carnil commented Jan 17, 2018

This issue has been assigned CVE-2018-5747

ckolivas (Owner) commented

Fixed generically in other code.
