Bus error when handling (root seek of disk64_trailer) in zzip_disk_findfirst (src/zzip/mmapped.c) [CVE-2018-6542] #17
CVE-2018-6542 was assigned to this issue.
Cannot reproduce in test_65427 on master.
After double-checking the download size of the zip, the error is now reproduced in make test_65422.
gdraheim added a commit that referenced this issue on Feb 5, 2018.
gdraheim added a second commit that referenced this issue on Feb 5, 2018.
Turns out that the fopen may have failed, after which the testcase is OK.
Checking back with v0.13.67, where the testcase had shown the problem => fixed.
On latest version (0.13.67) and master branch of zziplib:
There is a bus error (when handling the seek of disk64_trailer) caused by a load from a misaligned address in the zzip_disk_findfirst function of src/zzip/mmapped.c, which can be triggered by the POC below. Note that this issue is different from #15.
The issue happens because the pointer "trailer" (line 444) can be manipulated by a crafted zip file, resulting in a misaligned memory access and a bus error. Note that the issue is in libzip and may affect downstream programs. The POC is as small as 100 bytes.
To reproduce the issue, run: ./unzip-mem -p $POC
The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst_64.zip
master/src/zzip/mmapped.c:444:25: runtime error: load of misaligned address 0x7f798f31e163 for type 'uint64_t', which requires 8 byte alignment
0x7f798f31e163: note: pointer points here
71 00 00 00 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
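The sanitizer output above shows a uint64_t loaded from an address that is 3 bytes past an 8-byte boundary. As an added example (not zziplib's own code), here is a bounds-checked, alignment-independent reader for a little-endian 64-bit trailer field; the buffer, its offsets and the function names are constructed for the demonstration and mirror the bytes in the dump.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not zziplib's code. The report above shows a uint64_t loaded
 * from an address ending in ...163, 3 bytes past an 8-byte boundary; doing that
 * through a uint64_t* is undefined behaviour and a SIGBUS on strict-alignment
 * targets. Zip64 fields in an mmapped file carry no alignment guarantee. */

/* Little-endian 64-bit read that works at any address and on any host. */
static uint64_t zip_get64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Read the 64-bit field at byte offset 'off' of a 'len'-byte buffer. Returns 0
 * on success or -1 if the field would run past the end (the overflow-safe
 * bounds check is what keeps a crafted offset from reading out of bounds). */
int read_trailer_u64(const uint8_t *buf, size_t len, size_t off, uint64_t *out)
{
    if (off > len || len - off < sizeof(uint64_t))
        return -1;
    *out = zip_get64le(buf + off);
    return 0;
}

/* Constructed sample buffer: the field starts at offset 3, mirroring the
 * misaligned address in the report, and its bytes copy the dump
 * (71 00 00 00 3d 00 00 00). */
static const uint8_t sample[16] = {
    0xaa, 0xbb, 0xcc,                               /* padding to offset 3 */
    0x71, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, /* the field, as dumped */
    0x00, 0x00, 0x00, 0x00, 0x00 };

/* Returns the field value read at the misaligned offset: 0x3d00000071. */
uint64_t sample_field_at_3(void)
{
    uint64_t v = 0;
    return read_trailer_u64(sample, sizeof sample, 3, &v) == 0 ? v : 0;
}

/* Returns -1: offset 9 leaves only 7 bytes, so the read is refused. */
int sample_read_past_end(void)
{
    uint64_t v;
    return read_trailer_u64(sample, sizeof sample, 9, &v);
}
```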