[Bug 1794909] Re: Memory corruption in RAR decoder

Daniel Axtens daniel.axtens at canonical.com
Tue Dec 11 04:32:57 UTC 2018


This is the warc infinite loop test case. Unlike the other files, it's
*not* encoded, and I use ./bsdtar -Oxf warcloop.warc to see the looping
behaviour.

** Attachment added: "warcloop.warc"
   https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909/+attachment/5221006/+files/warcloop.warc

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libarchive in Ubuntu.
https://bugs.launchpad.net/bugs/1794909

Title:
  Memory corruption in RAR decoder

Status in libarchive package in Ubuntu:
  New

Bug description:
  Hi,

  There are some crashes and memory corruption issues in
  libarchive's RAR decoder. Most notably, I have observed some
  double-frees and heap use-after-frees, both reading and writing. These
  have not been detected by previous fuzzing runs because of the CRC
  checks in the RAR parser.

  The memory corruption seems to arise in ppmd7 decoding. The code can
  be made to read and write addresses that are at least partially
  attacker controlled, but the decoder is complex and I don't have the
  time to investigate fully whether the level of control is sufficient
  to lead to code execution. My gut feeling is that someone more skilled
  than I could cause arbitrary code execution, but I cannot say for
  certain.

  This bug can be used to crash bsdtar and other programs that use
  libarchive, such as file-roller.

  I have attached some test cases that demonstrate this.

  They run as follows:
  xxd -r testcase.rar.txt testcase.rar
  bsdtar -Oxf testcase.rar

  The test cases are:

   - oob-read.txt - Ppmd7_DecodeSymbol does an out-of-bounds read and
     crashes. (No UAF.)

   - uaf-read.txt - this heap UAF causes an out-of-bounds read in
     Ppmd7_DecodeSymbol and crashes.

   - double-free.txt - this test case causes a double-free

   - uaf-rw.txt - this shows reads and writes into a previously freed
     heap region.

  I've tested all of these on the version of bsdtar that ships with
  Ubuntu 18.04 Bionic and also with a build of libarchive from git. My
  analysis of their behaviour comes from running them under valgrind and
  ASAN. If you have any trouble reproducing them let me know.

  The crashes were found with afl-fuzz and the FairFuzz extension.

  I've also reported this to the OSS-Fuzz contacts for the upstream
  project.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909/+subscriptions
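The reproduction steps in the report (decode the xxd hexdump, feed the result to `bsdtar -Oxf`, observe under valgrind or ASAN) are easy to script for triage. The following harness is an added example written for this page, not the reporter's tooling and not part of libarchive; it assumes `xxd`, coreutils `timeout` and a `bsdtar` on PATH, and that the sanitizer run uses a libarchive built with `-fsanitize=address` so that heap misuse shows up as an `AddressSanitizer` report on stderr. The `timeout` wrapper is there for the hang class of input (the warcloop.warc case above), which would otherwise block the loop.

```shell
#!/bin/sh
# Added triage harness (not from the bug report): decode each xxd-style
# hexdump test case, run it through bsdtar the way the report describes,
# and classify the outcome so a batch of cases can be summarised at once.
# Assumes: xxd, timeout and bsdtar on PATH; bsdtar linked against an
# ASAN-instrumented libarchive if sanitizer reports are wanted.

# classify_run <exit_status> <stderr_file>: map one bsdtar run to a label.
classify_run() {
    status=$1
    errfile=$2
    if grep -q 'AddressSanitizer' "$errfile"; then
        echo "asan-report"                 # ASAN caught UAF / double-free / OOB
    elif [ "$status" -eq 124 ]; then
        echo "timeout"                     # hung: infinite-loop class of input
    elif [ "$status" -gt 128 ]; then
        echo "signal-$((status - 128))"    # killed by a signal, e.g. 11 = SIGSEGV
    elif [ "$status" -ne 0 ]; then
        echo "error"                       # clean rejection, e.g. a CRC mismatch
    else
        echo "ok"
    fi
}

# run_case <hexdump.txt> <workdir>: reproduce one test case and print
# "<name>\t<label>". Mirrors the report's two commands exactly.
run_case() {
    src=$1
    work=$2
    name=$(basename "$src" .txt)
    xxd -r "$src" "$work/$name.rar"
    st=0
    timeout 10 bsdtar -Oxf "$work/$name.rar" >/dev/null 2>"$work/$name.err" || st=$?
    printf '%s\t%s\n' "$name" "$(classify_run "$st" "$work/$name.err")"
}

# Usage: sh triage.sh oob-read.txt uaf-read.txt double-free.txt uaf-rw.txt
if [ "$#" -gt 0 ]; then
    work=$(mktemp -d)
    for f in "$@"; do
        run_case "$f" "$work"
    done
    echo "artifacts kept in $work"
fi
```

Run the same set once against a plain build and once against the sanitizer build: a case that is `error` on the plain build (rejected by the CRC check the report mentions) but `asan-report` on the instrumented one is exactly the kind of finding that earlier fuzzing runs missed.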
