CVE-2023-29417: heap-buffer-overflow in bz3_decompress() · Issue #97 · kspalaiologos/bzip3

** DISPUTED ** An issue was discovered in libbzip3.a in bzip3 1.2.2. There is a bz3_decompress out-of-bounds read in certain situations where buffers passed to bzip3 do not contain enough space to be filled with decompressed data. NOTE: the vendor’s perspective is that the observed behavior can only occur for a contract violation, and thus the report is invalid.


bz3_compress crashes because out is a null pointer. It was improperly called. Once again I have to show you the stack trace:

Program received signal SIGSEGV, Segmentation fault.
__memcpy_avx_unaligned_erms ()
    at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:710
710 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memcpy_avx_unaligned_erms ()
    at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:710
#1  0x000055555556245f in bz3_decompress (in=<optimized out>,
    in@entry=0x555555568498 "BZ3v1", out=out@entry=0x0,
    in_size=<optimized out>, in_size@entry=31,
    out_size=out_size@entry=0x7fffffffe448) at ../src/libbz3.c:908
#2  0x000055555555525a in main (argc=<optimized out>,
    argv=0x7fffffffe588) at decompress-file.c:28

Notice: out=out@entry=0x0, out_size=out_size@entry=0x7fffffffe448. The size of the output is large, hence malloc failed. When malloc inside of decompress-file fails, it returns null. The memory under null is not big enough for us to be able to write 0x7fffffffe448 into, hence it is not the library's fault. It is a problem with decompress-file.c not being robust enough.

It is impossible to determine whether the buffer passed to bz3_decompress will even contain enough bytes for the output, which is why we pass out_size to it. But the decompress-file.c program clearly lied to the API, and there is no way in portable C to check it. You would have to use malloc_get_usable_size:

 0 [14:55] Desktop/workspace/bzip3@master % cd examples                            22s
 0 [14:55] workspace/bzip3@master/examples % gcc decompress-file.c -o decompress-file -O3 -lbzip3
 0 [14:55] workspace/bzip3@master/examples % ./decompress-file ~/Desktop/6.crashes.bz3 6.crashes
zsh: segmentation fault  ./decompress-file ~/Desktop/6.crashes.bz3 6.crashes
 139 [14:55] workspace/bzip3@master/examples % ./decompress-file ~/Desktop/6.crashes.bz3 6.crashes
zsh: segmentation fault  ./decompress-file ~/Desktop/6.crashes.bz3 6.crashes
 139 [14:55] workspace/bzip3@master/examples % gdb -q decompress-file
Reading symbols from decompress-file...
(No debugging symbols found in decompress-file)
(gdb) set args ~/Desktop/6.crashes.bz3 6.crashes
(gdb) run
Starting program: /home/palaiologos/Desktop/workspace/bzip3/examples/decompress-file ~/Desktop/6.crashes.bz3 6.crashes
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:710
710 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memcpy_avx_unaligned_erms ()
    at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:710
#1  0x00007ffff7fb8cbc in bz3_decompress (in=0x55555555a4a5 "\n", out=0x0,
    in_size=<optimized out>, out_size=0x7fffffffe4c8) at src/libbz3.c:908
#2  0x000055555555518a in main ()
(gdb)

Notice: out_size=0x7fffffffe4c8, out=0x0
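The contract the maintainer describes is that the caller, not the library, guarantees that `out` really holds `*out_size` bytes. The following is an added example of a caller that honours it (it is not bzip3's own code or its examples/decompress-file.c): it refuses an implausible size declared by an untrusted header, checks the malloc result instead of passing NULL on, and only then calls a decompressor with the `bz3_decompress(in, out, in_size, &out_size)` signature. The names `checked_decompress`, `fake_decompress` and `MAX_DECLARED_OUT` are assumptions, and the decompressor is taken as a function pointer so the example runs offline without libbzip3.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as libbzip3's bz3_decompress: the library writes up to
 * *out_size bytes into out and trusts that out is really that large. */
typedef int (*decompress_fn)(const uint8_t *in, uint8_t *out,
                             size_t in_size, size_t *out_size);

/* Upper bound for the output size a file header may claim (assumed policy). */
#define MAX_DECLARED_OUT (64u * 1024u * 1024u)

/* Returns 0 and hands back a heap buffer (caller frees) on success,
 * -1 with errno set otherwise. Never calls the decompressor with a NULL
 * buffer or with an out_size larger than the buffer actually is. */
int checked_decompress(decompress_fn fn, const uint8_t *in, size_t in_size,
                       size_t declared_out, uint8_t **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (declared_out == 0 || declared_out > MAX_DECLARED_OUT) {
        errno = EFBIG;            /* untrusted header size refused */
        return -1;
    }
    uint8_t *buf = malloc(declared_out);
    if (buf == NULL)              /* glibc malloc sets errno = ENOMEM */
        return -1;                /* this is the check decompress-file.c lacked */
    size_t out_size = declared_out;  /* exactly the bytes buf holds */
    if (fn(in, buf, in_size, &out_size) != 0 || out_size > declared_out) {
        free(buf);
        errno = EINVAL;
        return -1;
    }
    *out = buf;
    *out_len = out_size;
    return 0;
}

/* Constructed stand-in decompressor for offline use: copies the input
 * through unchanged and refuses when it would not fit the buffer. */
static int fake_decompress(const uint8_t *in, uint8_t *out,
                           size_t in_size, size_t *out_size) {
    if (in_size > *out_size)
        return -1;
    memcpy(out, in, in_size);
    *out_size = in_size;
    return 0;
}
```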
