[Bug 10871] New: Heap overflow in decompress_unlzma
bugzilla at busybox.net
Mon Mar 19 11:48:16 UTC 2018
https://bugs.busybox.net/show_bug.cgi?id=10871
Bug ID: 10871
Summary: Heap overflow in decompress_unlzma
Product: Busybox
Version: 1.27.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: radovan.scasny at siemens.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 7531
--> https://bugs.busybox.net/attachment.cgi?id=7531&action=edit
defconfig
Heap overflow in decompress_unlzma
It is possible to trigger a buffer overflow in archival/libarchive/decompress_unlzma.c (line 459) using files from [bug #10436] and a specific configuration (see the attached defconfig).
There is a general problem handling files. With the attached defconfig, unzip fails to check the zip file header magic (archival/unzip.c line 695) and uses archival/libarchive/decompress_unlzma.c for decompression, which leads to a segmentation fault.
Please find attached the strace and gdb logs leading to the segmentation fault, alongside the defconfig.
$ gdb --args ../busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
(gdb) run
Starting program: /home/busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
unzip: removing leading '/' from member names

Program received signal SIGSEGV, Segmentation fault.
0x000a6b9c in unpack_lzma_stream (xstate=0xbefff9d8) at /usr/src/debug/busybox/1.27.2-r0/busybox-1.27.2/archival/libarchive/decompress_unlzma.c:459
459 previous_byte = buffer[pos];
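As an added example (not BusyBox's code), this is the kind of header validation the report describes as being skipped: the fixed part of a ZIP local file header is parsed and checked (signature, compression-method allow-list, declared sizes against the available input) before any payload would be dispatched to a decompressor. The status codes, the allow-list function and the sample byte arrays are constructed for this example and are not taken from the bug or from BusyBox.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not BusyBox code: validate the fixed part of a ZIP local
 * file header before any payload is handed to a decompressor. */
#define ZIP_LOCAL_SIG 0x04034b50u  /* "PK\003\004" read little-endian */
#define ZIP_LOCAL_LEN 30u          /* fixed header size in bytes */
#define ZIP_FLAG_DATA_DESCRIPTOR 0x0008u

typedef enum {
    ZIP_OK = 0,
    ZIP_ERR_SHORT,      /* input shorter than a fixed local header */
    ZIP_ERR_BAD_MAGIC,  /* signature is not PK\003\004 */
    ZIP_ERR_BAD_METHOD, /* compression method not in the allow-list */
    ZIP_ERR_TRUNCATED   /* name, extra field or payload run past the input */
} zip_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Hypothetical allow-list: only methods a decompressor is actually built for.
 * APPNOTE method ids: 0 = stored, 8 = deflate, 14 = LZMA. */
static int zip_method_allowed(uint16_t m) { return m == 0 || m == 8 || m == 14; }

/* Checks buf[0..len). On ZIP_OK the optional out-params receive the method,
 * the offset of the compressed data and the declared compressed size. */
zip_status zip_check_local_header(const uint8_t *buf, size_t len,
                                  uint16_t *method, size_t *payload_off, uint32_t *csize)
{
    if (len < ZIP_LOCAL_LEN)        return ZIP_ERR_SHORT;
    if (rd32(buf) != ZIP_LOCAL_SIG) return ZIP_ERR_BAD_MAGIC;  /* the check the report says is skipped */
    uint16_t flags = rd16(buf + 6), m = rd16(buf + 8);
    if (!zip_method_allowed(m))     return ZIP_ERR_BAD_METHOD;
    uint32_t cs = rd32(buf + 18);
    size_t off = ZIP_LOCAL_LEN + rd16(buf + 26) + rd16(buf + 28);  /* skip name + extra */
    if (off > len)                  return ZIP_ERR_TRUNCATED;
    /* With a data descriptor (flag bit 3) the local csize may be 0 and the
     * real size follows the payload, so only enforce a declared size. */
    if (!(flags & ZIP_FLAG_DATA_DESCRIPTOR) && cs > len - off) return ZIP_ERR_TRUNCATED;
    if (method) *method = m;
    if (payload_off) *payload_off = off;
    if (csize) *csize = cs;
    return ZIP_OK;
}

size_t zip_payload_offset(const uint8_t *buf, size_t len) {  /* 0 when the entry is rejected */
    size_t off = 0;
    return zip_check_local_header(buf, len, NULL, &off, NULL) == ZIP_OK ? off : 0;
}

/* Constructed inputs: a deflate entry named "a" with 3 payload bytes (34 bytes
 * total), and 34 bytes that are not a ZIP header and must never be dispatched. */
const uint8_t zip_sample_good[] = { 'P','K',3,4, 20,0, 0,0, 8,0, 0,0, 0,0,
    0,0,0,0, 3,0,0,0, 5,0,0,0, 1,0, 0,0, 'a', 0x4b, 0x04, 0x00 };
const uint8_t zip_sample_junk[34] = { 0xde, 0xad, 0xbe, 0xef };  /* rest zero */
```

Passing a shorter `len` for the same good sample exercises the short-header and truncated-payload paths, which is how the tests below drive them.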