Headline
CVE-2021-30045: LibArchive: Buffer overflow in EndOfCentralDirectory::read · Issue #5975 · SerenityOS/serenity
SerenityOS 2021-03-27 contains a buffer overflow vulnerability in the EndOfCentralDirectory::read() function.
Found with FuzzZip.
=================================================================
==57861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300002c6c4 at pc 0x00000052a6aa bp 0x7ffd4de7fb50 sp 0x7ffd4de7f318
READ of size 18 at 0x60300002c6c4 thread T0
#0 0x52a6a9 in __asan_memcpy (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x52a6a9)
#1 0x5645e5 in Archive::EndOfCentralDirectory::read(AK::Span<unsigned char const>) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibArchive/Zip.h:59:9
#2 0x5627a2 in Archive::Zip::try_create(AK::Span<unsigned char const> const&) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibArchive/Zip.cpp:54:35
#3 0x55d410 in LLVMFuzzerTestOneInput /home/lukew/Desktop/serenity-project/serenity/build/../Meta/Lagom/Fuzzers/FuzzZip.cpp:34:21
#4 0x4656f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x4656f1)
#5 0x464e35 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x464e35)
#6 0x4670d7 in fuzzer::Fuzzer::MutateAndTestOne() (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x4670d7)
#7 0x467dd5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x467dd5)
#8 0x45678e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x45678e)
#9 0x47f5d2 in main (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x47f5d2)
#10 0x7f1e543110b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x42b52d in _start (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x42b52d)
0x60300002c6c4 is located 0 bytes to the right of 20-byte region [0x60300002c6b0,0x60300002c6c4)
allocated by thread T0 here:
#0 0x52b25d in malloc (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x52b25d)
#1 0x55f274 in AK::ByteBufferImpl::ByteBufferImpl(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:284:35
#2 0x55ee3c in AK::ByteBufferImpl::copy(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:328:25
#3 0x55da54 in AK::ByteBuffer::copy(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:128:79
#4 0x55d3d8 in LLVMFuzzerTestOneInput /home/lukew/Desktop/serenity-project/serenity/build/../Meta/Lagom/Fuzzers/FuzzZip.cpp:33:27
#5 0x4656f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x4656f1)
#6 0x464e35 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x464e35)
#7 0x4670d7 in fuzzer::Fuzzer::MutateAndTestOne() (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x4670d7)
#8 0x467dd5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x467dd5)
#9 0x45678e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x45678e)
#10 0x47f5d2 in main (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x47f5d2)
#11 0x7f1e543110b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzZip+0x52a6a9) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c067fffd880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c067fffd890: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
0x0c067fffd8a0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c067fffd8b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c067fffd8c0: fd fa fa fa fd fd fd fa fa fa 00 00 04 fa fa fa
=>0x0c067fffd8d0: 00 00 00 fa fa fa 00 00[04]fa fa fa fa fa fa fa
0x0c067fffd8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==57861==ABORTING