GNU bug report logs - #33501
Malformed inputs triggering uninitialized memory use in inflate_dynamic()


Package: gzip

Reported by: Hanno Böck <hanno <at> hboeck.de>

Date: Sun, 25 Nov 2018 15:46:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-gzip <at> gnu.org:
bug#33501; Package gzip. (Sun, 25 Nov 2018 15:46:01 GMT)

Acknowledgement sent to Hanno Böck <hanno <at> hboeck.de>:
New bug report received and forwarded. Copy sent to bug-gzip <at> gnu.org. (Sun, 25 Nov 2018 15:46:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Hanno Böck <hanno <at> hboeck.de>
To: bug-gzip <at> gnu.org
Subject: Malformed inputs triggering uninitialized memory use in inflate_dynamic()
Date: Sun, 25 Nov 2018 16:45:18 +0100
Hi,

I did some testing of gzip with afl-fuzzing and memory sanitizer and it
ends up finding a use of uninitialized memory on some malformed inputs.

Sample input (base64):
H4sIADAwMDAwMGQAAAA=

With msan this causes:

==21601==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4affab in inflate_dynamic /f/gzip/gzip-1.9/inflate.c:803:9
    #1 0x4affab in inflate_block /f/gzip/gzip-1.9/inflate.c:925
    #2 0x4affab in inflate /f/gzip/gzip-1.9/inflate.c:957
    #3 0x4c805d in unzip /f/gzip/gzip-1.9/unzip.c:132:19
    #4 0x4a1234 in treat_file /f/gzip/gzip-1.9/gzip.c:1002:13
    #5 0x49d760 in main /f/gzip/gzip-1.9/gzip.c:670:13
    #6 0x7f85c3d724ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #7 0x41c4d9 in _start (/r/gz/gzip+0x41c4d9)

You can reproduce by building gzip with clang+msan, e.g.
./configure CC=clang LD=clang CFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE" LDFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE"

And then run the above sample with gzip -dc.

(msan is incompatible with fortify source and some distros set it by
default, so it's better to unset it.)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno <at> hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42




Information forwarded to bug-gzip <at> gnu.org:
bug#33501; Package gzip. (Wed, 28 Nov 2018 21:10:02 GMT)

Message #8 received at 33501 <at> debbugs.gnu.org:

From: "Adler, Mark" <madler <at> alumni.caltech.edu>
To: "33501 <at> debbugs.gnu.org" <33501 <at> debbugs.gnu.org>
Cc: Hanno Böck <hanno <at> hboeck.de>
Subject: Re: bug#33501: Malformed inputs triggering uninitialized memory use in inflate_dynamic()
Date: Wed, 28 Nov 2018 21:09:45 +0000
This should fix it:

--- a/inflate.c
+++ b/inflate.c
@@ -799,6 +799,11 @@ inflate_dynamic(void)
     NEEDBITS((unsigned)bl)
     j = (td = tl + ((unsigned)b & m))->b;
     DUMPBITS(j)
+    if (td->e == 99)    /* invalid code */
+    {
+      huft_free(tl);
+      return 2;
+    }
     j = td->v.n;
     if (j < 16)                 /* length of code in bits (0..15) */
       ll[i++] = l = j;          /* save last length in l */
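Review bot: the literal 99 in `if (td->e == 99)` is a magic number; the comment says it marks an invalid code, but a named constant (or a comment naming the table builder that stores 99 into `e` for slots no code maps to) would let a reader confirm the sentinel at this site without searching the file. The placement itself looks right: the MemorySanitizer report blames inflate.c:803, which in this hunk is the `if (j < 16)` test on the value just loaded by `j = td->v.n`, and if that field is left unset for invalid entries, returning before the load removes the uninitialized read rather than masking it, while `huft_free(tl)` releases the code-length table on the way out as the other error exits presumably do. Two things worth confirming before merging: that `return 2` is the value the other bad-input exits of inflate_dynamic() use, so callers treat a stream with an unusable code-length code as corrupt rather than merely incomplete; and that the later lookups in this function that read `v.n` for the repeat codes and for the literal/length and distance tables already reject `e == 99` in the same way, since the same fuzzer input class would otherwise reach them.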

However I don’t have a memory sanitizer, so please verify. Thanks.

Mark


> On Nov 25, 2018, at 7:45 AM, Hanno Böck <hanno <at> hboeck.de> wrote:
> 
> Hi,
> 
> I did some testing of gzip with afl-fuzzing and memory sanitizer and it
> ends up finding a use of uninitialized memory on some malformed inputs.
> 
> Sample input (base64):
> H4sIADAwMDAwMGQAAAA=
> 
> With msan this causes:
> 
> ==21601==WARNING: MemorySanitizer: use-of-uninitialized-value
>    #0 0x4affab in inflate_dynamic /f/gzip/gzip-1.9/inflate.c:803:9
>    #1 0x4affab in inflate_block /f/gzip/gzip-1.9/inflate.c:925
>    #2 0x4affab in inflate /f/gzip/gzip-1.9/inflate.c:957
>    #3 0x4c805d in unzip /f/gzip/gzip-1.9/unzip.c:132:19
>    #4 0x4a1234 in treat_file /f/gzip/gzip-1.9/gzip.c:1002:13
>    #5 0x49d760 in main /f/gzip/gzip-1.9/gzip.c:670:13
>    #6 0x7f85c3d724ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
>    #7 0x41c4d9 in _start (/r/gz/gzip+0x41c4d9)
> 
> You can reproduce by building gzip with clang+msan, e.g.
> ./configure CC=clang LD=clang CFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE" LDFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE"
> 
> And then run the above sample with gzip -dc.
> 
> (msan is incompatible with fortify source and some distros set it by
> default, so it's better to unset it.)
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: hanno <at> hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> 
> 
> 
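As an added illustration, not code from gzip or from this thread, here is a minimal lookup-table builder and decoder in the style the patch above relies on: slots that no code maps to are marked with a sentinel (99, as in gzip's huft tables) and their symbol field is left unwritten, so a decoder that reads the symbol before testing the sentinel performs exactly the uninitialized read reported here. The names (`huft_entry`, `build_table`, `decode_symbol`, `INVALID_CODE`) and the constructed length sets are this example's assumptions, and the 0/1/2 return convention mirrors the incomplete/bad distinction the patch's `return 2` suggests rather than gzip's exact API.

```c
#define MAXBITS 7          /* DEFLATE code-length codes use at most 7 bits */
#define INVALID_CODE 99    /* sentinel for table slots that no code maps to */
struct huft_entry {
    unsigned char e;       /* INVALID_CODE, or 0 for a valid code */
    unsigned char b;       /* number of bits in this code */
    unsigned short n;      /* decoded symbol; never written for invalid slots */
};

/* Build a lookup table indexed by the next `maxbits` input bits (LSB first, as
 * DEFLATE packs them): 0 = complete code, 1 = incomplete (usable), 2 = bad. */
static int build_table(const unsigned char *len, int nsym, int maxbits,
                       struct huft_entry *tbl)
{
    int count[MAXBITS + 1] = {0}, next[MAXBITS + 1] = {0};
    int bits, sym, idx, left = 1, size = 1 << maxbits;
    if (maxbits < 1 || maxbits > MAXBITS) return 2;
    for (idx = 0; idx < size; idx++)
        tbl[idx].e = INVALID_CODE;          /* .n is deliberately left unset */
    for (sym = 0; sym < nsym; sym++) {
        if (len[sym] > maxbits) return 2;   /* cannot be indexed by this table */
        if (len[sym]) count[len[sym]]++;    /* length 0 means symbol unused */
    }
    for (bits = 1; bits <= maxbits; bits++) {
        left = (left << 1) - count[bits];   /* Kraft inequality bookkeeping */
        if (left < 0) return 2;             /* over-subscribed code set */
        next[bits] = (next[bits - 1] + count[bits - 1]) << 1; /* RFC 1951 3.2.2 */
    }
    for (sym = 0; sym < nsym; sym++) {
        int l = len[sym], code, rev = 0, i;
        if (l == 0) continue;
        code = next[l]++;
        for (i = 0; i < l; i++)             /* bit-reverse: index is LSB first */
            rev |= ((code >> i) & 1) << (l - 1 - i);
        for (idx = rev; idx < size; idx += 1 << l)
            tbl[idx] = (struct huft_entry){0, (unsigned char)l, (unsigned short)sym};
    }
    return left > 0 ? 1 : 0;
}

/* Decode one symbol from the low bits of `bitbuf`; -1 means invalid code. The
 * .e test must come before any read of .n: for an invalid slot .n was never
 * written, which is the uninitialized read MSan flagged in this report. */
static int decode_symbol(const struct huft_entry *tbl, int maxbits,
                         unsigned bitbuf, int *used)
{
    const struct huft_entry *td = &tbl[bitbuf & ((1u << maxbits) - 1)];
    if (td->e == INVALID_CODE) return -1;   /* the check the patch adds */
    *used = td->b;
    return td->n;
}
```

Running the builder under MemorySanitizer with the `td->e` test removed from `decode_symbol` reproduces the class of report quoted above on the incomplete length set, which is the quickest way to see why the check has to precede the read.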


Information forwarded to bug-gzip <at> gnu.org:
bug#33501; Package gzip. (Fri, 30 Nov 2018 14:29:03 GMT)

Message #11 received at 33501 <at> debbugs.gnu.org:

From: Hanno Böck <hanno <at> hboeck.de>
To: "Adler, Mark" <madler <at> alumni.caltech.edu>
Cc: "33501 <at> debbugs.gnu.org" <33501 <at> debbugs.gnu.org>
Subject: Re: bug#33501: Malformed inputs triggering uninitialized memory use in inflate_dynamic()
Date: Fri, 30 Nov 2018 15:28:01 +0100
On Wed, 28 Nov 2018 21:09:45 +0000
"Adler, Mark" <madler <at> alumni.caltech.edu> wrote:

> However I don’t have a memory sanitizer, so please verify. Thanks.

It's fixed with this patch.

(Also memory sanitizer is just a clang feature. While it's a bit
trickier to use in complex applications due to dependencies, for a
simple tool like gzip which only depends on libc it works pretty
straightforwardly.)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno <at> hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42




Information forwarded to bug-gzip <at> gnu.org:
bug#33501; Package gzip. (Fri, 30 Nov 2018 17:03:02 GMT)

Message #14 received at 33501 <at> debbugs.gnu.org:

From: "Adler, Mark" <madler <at> alumni.caltech.edu>
To: Hanno Böck <hanno <at> hboeck.de>
Cc: "33501 <at> debbugs.gnu.org" <33501 <at> debbugs.gnu.org>
Subject: Re: bug#33501: Malformed inputs triggering uninitialized memory use in inflate_dynamic()
Date: Fri, 30 Nov 2018 17:02:05 +0000
My clang on macOS doesn’t support it.

> On Nov 30, 2018, at 6:28 AM, Hanno Böck <hanno <at> hboeck.de> wrote:
> 
> On Wed, 28 Nov 2018 21:09:45 +0000
> "Adler, Mark" <madler <at> alumni.caltech.edu> wrote:
> 
>> However I don’t have a memory sanitizer, so please verify. Thanks.
> 
> It's fixed with this patch.
> 
> (Also memory sanitizer is just a clang feature. While it's a bit
> trickier to use in complex applications due to dependencies, for a
> simple tool like gzip which only depends on libc it works pretty
> straightforward.)
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: hanno <at> hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Fri, 30 Nov 2018 21:04:02 GMT)

Notification sent to Hanno Böck <hanno <at> hboeck.de>:
bug acknowledged by developer. (Fri, 30 Nov 2018 21:04:02 GMT)

Message #19 received at 33501-done <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: "Adler, Mark" <madler <at> alumni.caltech.edu>
Cc: Hanno Böck <hanno <at> hboeck.de>, 33501-done <at> debbugs.gnu.org
Subject: Re: bug#33501: Malformed inputs triggering uninitialized memory use in inflate_dynamic()
Date: Fri, 30 Nov 2018 13:03:31 -0800
Thanks for the fix. I installed the attached patch into the GNU gzip 
master and am marking this bug as done.
[0001-gzip-fix-use-of-uninitialized-memory.patch (text/x-patch, attachment)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 29 Dec 2018 12:24:04 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.