Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 2 Sep 2017 18:43:53 +0000
From: "Agostino Sarubbo" <ago@...too.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: libzip: use-after-free in _zip_buffer_free (zip_buffer.c)

Description:
libzip is a library for manipulating zip archives.

The relevant ASan output of the issue:

# ziptool $FILE cat index
==1771==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000000d1 at pc 0x7f267d085fc1 bp 0x7ffed21f65f0 sp 0x7ffed21f65e8     
READ of size 1 at 0x6030000000d1 thread T0   
    #0 0x7f267d085fc0 in _zip_buffer_free /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:53:17    
    #1 0x7f267d092646 in _zip_dirent_read /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c
    #2 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69  
    #3 0x7f267d0aabfe in _zip_find_central_dir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613   
    #4 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200
    #5 0x7f267d0a89b7 in zip_open_from_source /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11 
    #6 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15    
    #7 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13    
    #8 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113 
    #9 0x7f267c1b5680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289    
    #10 0x41b058 in _init (/usr/bin/ziptool+0x41b058)  

0x6030000000d1 is located 1 bytes inside of 32-byte region [0x6030000000d0,0x6030000000f0)
freed by thread T0 here: 
    #0 0x4d0850 in __interceptor_cfree /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:55  
    #1 0x7f267d085f83 in _zip_buffer_free /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:57:5
    #2 0x7f267d0935ea in _zip_dirent_read /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c:571:9    
    #3 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69  
    #4 0x7f267d0aabfe in _zip_find_central_dir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613   
    #5 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200
    #6 0x7f267d0a89b7 in zip_open_from_source /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11 
    #7 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15    
    #8 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13
    #9 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113
    #10 0x7f267c1b5680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4d0a08 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f267d0879d8 in _zip_buffer_new /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:168:35
    #2 0x7f267d0879d8 in _zip_buffer_new_from_source /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:190
    #3 0x7f267d0927c2 in _zip_dirent_read /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_dirent.c:443:23
    #4 0x7f267d0aabfe in _zip_read_cdir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:380:69
    #5 0x7f267d0aabfe in _zip_find_central_dir /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:613
    #6 0x7f267d0aabfe in _zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:200
    #7 0x7f267d0a89b7 in zip_open_from_source /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:148:11
    #8 0x7f267d0a7e93 in zip_open /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_open.c:74:15
    #9 0x513392 in read_from_file /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:698:13
    #10 0x513392 in main /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/src/ziptool.c:1113
    #11 0x7f267c1b5680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/portage/dev-libs/libzip-1.2.0/work/libzip-1.2.0/lib/zip_buffer.c:53:17 in _zip_buffer_free
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
=>0x0c067fff8010: fd fd fa fa fd fd fd fd fa fa[fd]fd fd fd fa fa
  0x0c067fff8020: 00 00 00 00 fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c067fff8030: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff8040: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1771==ABORTING

Affected version:
1.2.0

Fixed version:
1.3.0

Commit fix:
https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
This issue can be identified as CVE-2017-12858 which was originally discovered by Brian Carpenter

Reproducer:
https://github.com/asarubbo/poc/blob/master/00239-libzip-UAF-_zip_buffer_free

Timeline:
2017-08-29: upstream released a fix as it fixed another issue
2017-08-24: bug discovered and reported to upstream
2017-09-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

Permalink:
https://blogs.gentoo.org/ago/2017/09/01/libzip-use-after-free-in-_zip_buffer_free-zip_buffer-c/

--
Agostino Sarubbo
Gentoo Linux Developer


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.