[Bug 10871] New: Heap overflow in decompress_unlzma

bugzilla at busybox.net bugzilla at busybox.net
Mon Mar 19 11:48:16 UTC 2018


https://bugs.busybox.net/show_bug.cgi?id=10871

            Bug ID: 10871
           Summary: Heap overflow in decompress_unlzma
           Product: Busybox
           Version: 1.27.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: radovan.scasny at siemens.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 7531
  --> https://bugs.busybox.net/attachment.cgi?id=7531&action=edit
defconfig

Heap overflow in decompress_unlzma

It is possible to trigger a buffer overflow in
(archival/libarchive/decompress_unlzma.c line 459) using files from [bug
#10436] and a specific configuration (see attached defconfig).

There is a general problem handling files. With the specific defconfig attached,
unzip fails to check the zip file header magic (archival/unzip.c line 695) and uses
(archival/libarchive/decompress_unlzma.c) for decompression, which leads to a
segmentation fault.

Please find attached the strace and gdb logs leading to the segmentation fault,
alongside the defconfig.

$ gdb --args ../busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
(gdb) run
Starting program: /home/busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
unzip: removing leading '/' from member names

Program received signal SIGSEGV, Segmentation fault.
0x000a6b9c in unpack_lzma_stream (xstate=0xbefff9d8)
    at /usr/src/debug/busybox/1.27.2-r0/busybox-1.27.2/archival/libarchive/decompress_unlzma.c:459
459  previous_byte = buffer[pos];

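The report's root cause is that, under the attached defconfig, unzip hands a fuzzed file to the LZMA decompressor without first validating the local file header. As an added example (not BusyBox code and not the reporter's), here is the kind of header check that would reject such input before any decompressor is chosen. The function names, the reason codes and the sample entry are hypothetical and constructed for this illustration; the offsets and the signature/method values are the ones from the ZIP APPNOTE.

```c
/* Added example, not BusyBox code: validate a ZIP local file header (LFH)
   before dispatching on its compression method. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZIP_LFH_MAGIC 0x04034b50u   /* "PK\3\4" read as little-endian u32 */
#define ZIP_LFH_SIZE  30            /* fixed part of the local file header */

/* APPNOTE compression methods for which a decompressor would exist here */
enum { ZIP_M_STORED = 0, ZIP_M_DEFLATE = 8, ZIP_M_LZMA = 14 };

struct zip_lfh {
    uint16_t flags, method;
    uint32_t crc32, csize, ucsize;
    uint16_t name_len, extra_len;
    size_t   payload_off;           /* offset of compressed data in buf */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse and validate one LFH. Returns 0 on success or a negative reason
   code. Never reads past buf[len-1], and only reports a method to dispatch
   on once the magic, the lengths and the method have all been checked. */
int zip_parse_lfh(const uint8_t *buf, size_t len, struct zip_lfh *h)
{
    if (len < ZIP_LFH_SIZE)         return -1;  /* truncated header */
    if (rd32(buf) != ZIP_LFH_MAGIC) return -2;  /* not a local file header */

    h->flags     = rd16(buf + 6);
    h->method    = rd16(buf + 8);
    h->crc32     = rd32(buf + 14);
    h->csize     = rd32(buf + 18);
    h->ucsize    = rd32(buf + 22);
    h->name_len  = rd16(buf + 26);
    h->extra_len = rd16(buf + 28);

    /* header + file name + extra field must fit in what we were given */
    h->payload_off = (size_t)ZIP_LFH_SIZE + h->name_len + h->extra_len;
    if (h->payload_off > len)       return -3;

    /* flag bit 3: sizes live in a trailing data descriptor; this example
       only accepts entries whose sizes are stated in the header */
    if (h->flags & (1u << 3))       return -4;
    if ((size_t)h->csize > len - h->payload_off) return -5;  /* size lies */

    switch (h->method) {
    case ZIP_M_STORED: case ZIP_M_DEFLATE: case ZIP_M_LZMA: break;
    default:                        return -6;  /* unknown: do not guess */
    }
    return 0;
}

/* Constructed sample: one LZMA-method entry, name "a.txt", 4-byte payload.
   CRC and payload bytes are placeholders, not a real LZMA stream. */
const uint8_t sample_entry[] = {
    0x50, 0x4b, 0x03, 0x04,   /* signature */
    0x3f, 0x00,               /* version needed */
    0x00, 0x00,               /* flags */
    0x0e, 0x00,               /* method 14 = LZMA */
    0x00, 0x00, 0x00, 0x00,   /* mod time, mod date */
    0x00, 0x00, 0x00, 0x00,   /* crc32 (placeholder) */
    0x04, 0x00, 0x00, 0x00,   /* compressed size */
    0x04, 0x00, 0x00, 0x00,   /* uncompressed size */
    0x05, 0x00,               /* name length */
    0x00, 0x00,               /* extra length */
    'a', '.', 't', 'x', 't',  /* file name */
    'A', 'B', 'C', 'D',       /* payload (placeholder) */
};
const size_t sample_entry_len = sizeof sample_entry;

/* Parse a copy of the sample with one byte patched: each patch stands in
   for a class of fuzzer-mutated input and must be rejected up front. */
int parse_patched(size_t off, uint8_t value)
{
    uint8_t t[sizeof sample_entry];
    struct zip_lfh h;
    memcpy(t, sample_entry, sizeof t);
    t[off] = value;
    return zip_parse_lfh(t, sizeof t, &h);
}

int main(void)
{
    struct zip_lfh h;
    int rc = zip_parse_lfh(sample_entry, sample_entry_len, &h);
    printf("intact: rc=%d method=%u csize=%u payload_off=%zu\n",
           rc, h.method, h.csize, h.payload_off);
    printf("bad magic: rc=%d\n",     parse_patched(0, 0x00));
    printf("huge name_len: rc=%d\n", parse_patched(27, 0xff));
    printf("csize lie: rc=%d\n",     parse_patched(21, 0xff));
    printf("odd method: rc=%d\n",    parse_patched(8, 0x63));
    return 0;
}
```

The point of the example is the order of operations: magic, then lengths against the bytes actually available, then the method, and only after all three pass is a decompressor selected. An input that fails any step never reaches the LZMA code, which is where the report shows the crash occurring.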