
Use of uninitialized memory bug

Open anon767 opened this issue 2 years ago • 1 comment

Hi, during a static analyzer verification I found the following bug using MSAN and a fuzzer:

Uninitialized bytes in __interceptor_write at offset 0 inside [0x70e000000000, 219)
==2293981==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55ab1f01dee9 in put_fdout /src/stream.c:608:10
    #1 0x55ab1f01ef9b in write_1g /src/stream.c:650:9
    #2 0x55ab1f017698 in unzip_literal /src/runzip.c:168:6
    #3 0x55ab1f017698 in runzip_chunk /src/runzip.c:325:9
    #4 0x55ab1f017698 in runzip_fd /src/runzip.c:387:7
    #5 0x55ab1effc895 in decompress_file /src/lrzip.c:951:6
    #6 0x55ab1eff0efc in main /src/main.c:720:4
    #7 0x7f9a8b276d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #8 0x7f9a8b276e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #9 0x55ab1ef63634 in _start (/src/lrzip+0x22634) (BuildId: 6810fc07e3b025b95f3b30dc8f7bd92fdf2d5317)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /src/stream.c:608:10 in put_fdout
Exiting

anon767 avatar Jan 16 '23 09:01 anon767

I do not see the error. ret is set right above the call to put_fdout. I am NOT sure that the (size_t) is correct since ret is already declared as ssize_t and put_fdout expects the same in its argument list. But ret is not uninitialized.

605 ssize_t put_fdout(rzip_control *control, void *offset_buf, ssize_t ret)

638 ssize_t write_1g(rzip_control *control, void *buf, i64 len)
639 {
640         uchar *offset_buf = buf;
641         ssize_t ret;
642         i64 total;
643
644         total = 0;
645         while (len > 0) {
646                 if (BITS32)
647                         ret = MIN(len, one_g);
648                 else
649                         ret = len;
650                 ret = put_fdout(control, offset_buf, (size_t)ret);

pete4abw avatar Feb 27 '23 17:02 pete4abw
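As an added illustration (not lrzip code and not from either participant): MSAN's "Uninitialized bytes in __interceptor_write at offset 0 inside [0x70e000000000, 219)" describes the contents of the buffer handed to write(), not the ssize_t length argument, so the question is what filled, or failed to fill, those 219 bytes before put_fdout flushed them. The constructed fake_unzip_literal below stands in for the real decoder and all function names are hypothetical; built with -fsanitize=memory, write_literal_unchecked reproduces the same class of report, and write_literal_checked shows one defensive shape where a short fill is rejected instead of written.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for a literal decoder: `len` bytes were requested but
 * only `produced` are filled; the tail keeps whatever malloc left there. */
static size_t fake_unzip_literal(unsigned char *buf, size_t len, size_t produced)
{
    if (produced > len) produced = len;
    memset(buf, 'A', produced);
    return produced;            /* bytes actually initialized */
}

/* Unchecked pattern: trusts `len`, so write() is handed bytes past `produced`.
 * Built with -fsanitize=memory this is what MSAN reports as
 * "Uninitialized bytes in __interceptor_write at offset N inside [buf, len)". */
ssize_t write_literal_unchecked(int fd, size_t len, size_t produced)
{
    unsigned char *buf = malloc(len);
    if (!buf) return -1;
    fake_unzip_literal(buf, len, produced);
    ssize_t ret = write(fd, buf, len);
    free(buf);
    return ret;
}

/* Checked pattern: a short fill is treated as a corrupt stream and nothing is
 * written, so stale heap contents never reach the output file. */
ssize_t write_literal_checked(int fd, size_t len, size_t produced)
{
    unsigned char *buf = malloc(len);
    if (!buf) return -1;
    size_t got = fake_unzip_literal(buf, len, produced);
    if (got != len) { free(buf); return -1; }
    ssize_t ret = write(fd, buf, got);
    free(buf);
    return ret;
}

/* Runs one case against /dev/null so the two variants can be compared. */
ssize_t run_case(size_t len, size_t produced, int checked)
{
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t ret = checked ? write_literal_checked(fd, len, produced)
                          : write_literal_unchecked(fd, len, produced);
    close(fd);
    return ret;
}
```

Without the sanitizer the unchecked variant silently returns the full length, which is why a report like the one above only surfaces under MSAN or a fuzzer.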