
Illegal memory access bug found in 7z

Open · Felix-Kit opened this issue 4 years ago · 1 comment

We found an out-of-bounds memory read bug.

This bug can be triggered by the following command: `./7z x [poc]`

The corresponding ASAN log information is as follows:

```
7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs x64)

Scanning the drive for archives:
1 file, 11935871 bytes (12 MiB)

Extracting archive: ATTuzz.zip
ASAN:DEADLYSIGNAL
==82511==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3ce2762caa bp 0x7fffa9ba91d0 sp 0x7fffa9ba8918 T0)
==82511==The signal is caused by a READ memory access.
==82511==Hint: address points to the zero page.
    #0 0x7f3ce2762ca9 (/lib/x86_64-linux-gnu/libc.so.6+0x18aca9)
    #1 0x7f3ce343c96a (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaf96a)
    #2 0x7f3cde407116 in NArchive::NDmg::CHandler::Open2(IInStream*) (7z.so+0x67e116)
    #3 0x7f3cde408af9 in NArchive::NDmg::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) (7z.so+0x67faf9)
    #4 0x558a93281f39 (/home/versatile/p7zip-noins/bin/7z+0xb6f39)
    #5 0x558a93297cdc (/home/versatile/p7zip-noins/bin/7z+0xcccdc)
    #6 0x558a9329c3d2 (/home/versatile/p7zip-noins/bin/7z+0xd13d2)
    #7 0x558a9329ced2 (/home/versatile/p7zip-noins/bin/7z+0xd1ed2)
    #8 0x558a9329e39f (/home/versatile/p7zip-noins/bin/7z+0xd339f)
    #9 0x558a932a21ab (/home/versatile/p7zip-noins/bin/7z+0xd71ab)
    #10 0x558a932a2e2d (/home/versatile/p7zip-noins/bin/7z+0xd7e2d)
    #11 0x558a93264193 (/home/versatile/p7zip-noins/bin/7z+0x99193)
    #12 0x558a932f04a2 (/home/versatile/p7zip-noins/bin/7z+0x1254a2)
    #13 0x558a931ea570 (/home/versatile/p7zip-noins/bin/7z+0x1f570)
    #14 0x7f3ce25f9bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #15 0x558a931eb369 (/home/versatile/p7zip-noins/bin/7z+0x20369)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18aca9)
==82511==ABORTING
```

poc: ATTuzz.zip

This bug was found by the fuzzer ATTuzz.

Felix-Kit avatar Jan 18 '22 03:01 Felix-Kit
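Triage helper for reports like the one above, added here as an example and not part of the issue or of p7zip: it pulls the facts a maintainer checks first out of an ASAN report (error kind, faulting address, READ/WRITE, first frame outside libc/libasan) and classifies a SEGV on the zero page as a null-pointer dereference rather than a bounds violation. The report text is a constructed sample built from the frames quoted in the issue.

```python
import re

# Constructed sample: the key lines of the ASAN report quoted in this issue.
SAMPLE_REPORT = """\
==82511==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3ce2762caa bp 0x7fffa9ba91d0 sp 0x7fffa9ba8918 T0)
==82511==The signal is caused by a READ memory access.
==82511==Hint: address points to the zero page.
    #0 0x7f3ce2762ca9 (/lib/x86_64-linux-gnu/libc.so.6+0x18aca9)
    #1 0x7f3ce343c96a (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaf96a)
    #2 0x7f3cde407116 in NArchive::NDmg::CHandler::Open2(IInStream*) (7z.so+0x67e116)
    #3 0x7f3cde408af9 in NArchive::NDmg::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) (7z.so+0x67faf9)
"""

# "SEGV on unknown address 0x..." and "heap-buffer-overflow on address 0x..." both match.
ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# One stack frame: the symbol may itself contain parentheses; the module part never contains '+' or ')'.
FRAME_RE = re.compile(
    r"#(?P<n>\d+) 0x[0-9a-fA-F]+(?: in (?P<sym>.+?))? \((?P<module>[^+)]+)\+0x[0-9a-fA-F]+\)")
# Runtime and sanitizer modules: the first frame outside these is the one worth reading.
RUNTIME_MODULES = ("libc.so", "libasan.so", "libstdc++")

def triage_asan_report(text):
    """Return the facts a triager needs from one ASAN report, or None if no ERROR line is present."""
    err = ERROR_RE.search(text)
    if err is None:
        return None
    kind = err.group("kind")
    addr = int(err.group("addr"), 16)
    access = ACCESS_RE.search(text)
    first_app = None
    for frame in FRAME_RE.finditer(text):
        if any(r in frame.group("module") for r in RUNTIME_MODULES):
            continue
        first_app = frame.group("sym") or frame.group("module")
        break
    if kind != "SEGV":
        category = kind                          # ASAN already named the defect class
    elif addr < 0x1000:
        category = "null-pointer dereference"    # fault on the zero page, as ASAN's hint says
    else:
        category = "wild-pointer access"         # SEGV away from page zero: unmapped or garbage address
    return {"pid": int(err.group("pid")), "kind": kind, "address": addr,
            "access": access.group("access") if access else None,
            "category": category, "first_app_frame": first_app}
```

For this report the result points at `NArchive::NDmg::CHandler::Open2(IInStream*)` with a READ of address 0, which is what to look for in the DMG handler before treating it as an out-of-bounds read.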

You should compress this file, preferably with bzip2. There is no need to include a 12 MB attachment. Anyone wanting to test it will decompress it after downloading 200 bytes, like the one in the attachment.

PS. The attached file is .bz2; decompress it with: `$ bzip2 -d -c ATTuzz.zip.bz2.txt > ATTuzz.zip`

ATTuzz.zip.bz2.txt

tansy avatar Feb 10 '22 19:02 tansy