[Bug 1824530] Re: Heap Buffer Overflow in UzpPassword
Eduardo dos Santos Barretto
1824530@bugs.launchpad.net
Mon Apr 15 14:39:23 UTC 2019
** Changed in: unzip (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unzip in Ubuntu.
https://bugs.launchpad.net/bugs/1824530
Title:
Heap Buffer Overflow in UzpPassword
Status in unzip package in Ubuntu:
Confirmed
Bug description:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic
unzip:
Installed: 6.0-21ubuntu1
Candidate: 6.0-21ubuntu1
The current version of unzip will crash with a heap overflow. I have
attached crash.zip to reproduce the issue. Normal unpacking or testing
the archive with the -t argument is enough to trigger the bug. This is the
only place that I have reported the issue to.
ASAN:
==13994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000490f at pc 0x7f6f788eb8f9 bp 0x7ffd1c67ec30 sp 0x7ffd1c67e3c0
WRITE of size 8210 at 0x62500000490f thread T0
#0 0x7f6f788eb8f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)
#1 0x7f6f788ebc86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)
#2 0x55b5a10ccc87 in UzpPassword fileio.c:1594
#3 0x55b5a1097ddb in decrypt crypt.c:513
#4 0x55b5a10b6f2e in extract_or_test_entrylist extract.c:1284
#5 0x55b5a10b6f2e in extract_or_test_files extract.c:586
#6 0x55b5a1101f24 in do_seekable process.c:987
#7 0x55b5a1108e56 in process_zipfiles process.c:401
#8 0x55b5a1093566 in unzip unzip.c:1278
#9 0x7f6f7826db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#10 0x55b5a108afb9 in _start (/home/user/unzip-asan/unzip-6.0/unzip+0x17fb9)
0x62500000490f is located 0 bytes to the right of 8207-byte region [0x625000002900,0x62500000490f)
allocated by thread T0 here:
#0 0x7f6f7892bb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55b5a10ccbfc in UzpPassword fileio.c:1593
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8) in __interceptor_vsprintf
==13994==ABORTING
GDB:
*** buffer overflow detected ***: /home/user/unzip-dbg/unzip-6.0/unzip terminated
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7814801 in __GI_abort () at abort.c:79
#2 0x00007ffff785d897 in __libc_message (action=action@entry=(do_abort | do_backtrace),
fmt=fmt@entry=0x7ffff798a988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff7908cff in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true,
msg=msg@entry=0x7ffff798a905 "buffer overflow detected") at fortify_fail.c:33
#4 0x00007ffff7908d21 in __GI___fortify_fail (msg=msg@entry=0x7ffff798a905 "buffer overflow detected")
at fortify_fail.c:44
#5 0x00007ffff7906a10 in __GI___chk_fail () at chk_fail.c:28
#6 0x00007ffff7905f29 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#7 0x00007ffff7862494 in __GI__IO_default_xsputn (f=0x7fffffffd8b0, data=<optimized out>, n=11)
at genops.c:417
#8 0x00007ffff782f9aa in _IO_vfprintf_internal (s=s@entry=0x7fffffffd8b0,
format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ", ap=ap@entry=0x7fffffffd9f0)
at vfprintf.c:1674
#9 0x00007ffff7905fcb in ___vsprintf_chk (
s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=1, slen=8207, format=0x555555578b90 <PasswPrompt> "[%s] %s password: ",
args=args@entry=0x7fffffffd9f0) at vsprintf_chk.c:82
#10 0x00007ffff7905efa in ___sprintf_chk (
s=s@entry=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=flags@entry=1, slen=slen@entry=8207,
format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ") at sprintf_chk.c:31
#11 0x0000555555562c95 in sprintf (__fmt=<synthetic pointer>,
__s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"...) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
#12 UzpPassword (pG=<optimized out>, rcnt=<optimized out>, pwbuf=0x555555890280 '\a' <repeats 88 times>, "! ",
size=81, zfn=0x5555558715c0 <G+988384> "crash.zip",
efn=0x555555870420 <G+983872> "dri", '\a' <repeats 197 times>...) at fileio.c:1594
#13 0x000055555555adf3 in decrypt (passwrd=<optimized out>) at crypt.c:513
#14 0x000055555555de54 in extract_or_test_entrylist (numchunk=numchunk@entry=1,
pfilnum=pfilnum@entry=0x7fffffffdc58, pnum_bad_pwd=pnum_bad_pwd@entry=0x7fffffffdc60,
pold_extra_bytes=pold_extra_bytes@entry=0x7fffffffdc68, pnum_dirs=pnum_dirs@entry=0x7fffffffdc54,
pdirlist=pdirlist@entry=0x7fffffffdc70, error_in_archive=51) at extract.c:1284
#15 0x0000555555560488 in extract_or_test_files () at extract.c:586
#16 0x00005555555682b2 in do_seekable (lastchance=lastchance@entry=0) at process.c:987
#17 0x00005555555691f7 in process_zipfiles () at process.c:401
#18 0x000055555555a58e in unzip (argc=<optimized out>, argv=<optimized out>) at unzip.c:1278
#19 0x00007ffff77f5b97 in __libc_start_main (main=0x555555558190 <main>, argc=3, argv=0x7fffffffdf28,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf18)
at ../csu/libc-start.c:310
#20 0x00005555555581da in _start ()
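Added illustration (not part of the bug report or of unzip's source): the traces show the prompt being built with sprintf() into an 8207-byte heap buffer using the PasswPrompt format, with the entry name taken from the archive. This C models that format, a pre-check for the needed length, and a bounded replacement; the function and macro names are hypothetical and the over-long entry name is constructed.

```c
/* Models the prompt construction behind the crash above; names are
 * hypothetical and not unzip's own API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same format string as the PasswPrompt shown in the GDB trace. */
#define PASSW_PROMPT "[%s] %s password: "
/* Size of the prompt buffer reported by ASan (8207 bytes). */
#define PROMPT_BUF_SIZE 8207

/* Bytes (excluding the NUL) the formatted prompt needs for these names.
 * If this is >= the buffer size, an unbounded sprintf() overflows. */
size_t prompt_len_needed(const char *zfn, const char *efn) {
    int n = snprintf(NULL, 0, PASSW_PROMPT, zfn, efn);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded replacement for the sprintf() at fileio.c:1594: never writes
 * past bufsize, and returns 1 if the prompt had to be truncated so the
 * caller can reject or shorten the entry name instead of silently clipping. */
int build_password_prompt(char *buf, size_t bufsize,
                          const char *zfn, const char *efn) {
    int n = snprintf(buf, bufsize, PASSW_PROMPT, zfn, efn);
    if (n < 0) return -1;
    return (size_t)n >= bufsize;
}

/* Constructed entry name in the shape seen in the trace: "dri" followed
 * by count BEL (0x07) bytes. Caller frees the result. */
char *make_long_entry_name(size_t count) {
    char *name = malloc(3 + count + 1);
    if (!name) return NULL;
    memcpy(name, "dri", 3);
    memset(name + 3, '\a', count);
    name[3 + count] = '\0';
    return name;
}

int main(void) {
    char *efn = make_long_entry_name(8200);      /* constructed input */
    char *buf = malloc(PROMPT_BUF_SIZE);
    if (!efn || !buf) return 1;
    printf("needed %zu bytes, buffer holds %d\n",
           prompt_len_needed("crash.zip", efn), PROMPT_BUF_SIZE);
    int truncated = build_password_prompt(buf, PROMPT_BUF_SIZE, "crash.zip", efn);
    printf("truncated=%d, prompt length=%zu\n", truncated, strlen(buf));
    free(efn);
    free(buf);
    return 0;
}
```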