GNU bug report logs - #33501
Malformed inputs triggering uninitialized memory use in inflate_dynamic()


Package: gzip;

Reported by: Hanno Böck <hanno <at> hboeck.de>

Date: Sun, 25 Nov 2018 15:46:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: "Adler, Mark" <madler <at> alumni.caltech.edu>
To: "33501 <at> debbugs.gnu.org" <33501 <at> debbugs.gnu.org>
Cc: Hanno Böck <hanno <at> hboeck.de>
Subject: bug#33501: Malformed inputs triggering uninitialized memory use in inflate_dynamic()
Date: Wed, 28 Nov 2018 21:09:45 +0000
This should fix it:

--- a/inflate.c
+++ b/inflate.c
@@ -799,6 +799,11 @@ inflate_dynamic(void)
     NEEDBITS((unsigned)bl)
     j = (td = tl + ((unsigned)b & m))->b;
     DUMPBITS(j)
+    if (td->e == 99)    /* invalid code */
+    {
+      huft_free(tl);
+      return 2;
+    }
     j = td->v.n;
     if (j < 16)                 /* length of code in bits (0..15) */
       ll[i++] = l = j;          /* save last length in l */
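Review bot: the hunk carries no regression test and, as the author says right after it, has not been run under MemorySanitizer, so the only evidence that the check covers the report is where the insert sits. The 14-byte sample from the report (base64 H4sIADAwMDAwMGQAAAA=) is small enough to go straight into gzip's test suite and should be added alongside this change, and the MSan run should be repeated on the patched tree before it lands; note that the configure line quoted in the report passes -fsanitize=undefined, which builds UBSan, whereas an MSan build needs -fsanitize=memory. Two smaller points in the hunk itself: "if (td->e == 99)    /* invalid code */" relies on a bare magic number for the invalid-code marker, so a named constant, or at least a comment pointing at where huft_build() assigns it, would help the next reader; and "return 2;" should say in a comment which of inflate_dynamic()'s return codes it is. Placing the check after DUMPBITS(j) is fine, since the function returns immediately and never reaches "j = td->v.n;", the read the report's trace shows as uninitialized.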

However, I don’t have a memory sanitizer, so please verify. Thanks.

Mark


> On Nov 25, 2018, at 7:45 AM, Hanno Böck <hanno <at> hboeck.de> wrote:
> 
> Hi,
> 
> I did some testing of gzip with afl-fuzzing and memory sanitizer and it
> ends up finding a use of uninitialized memory on some malformed inputs.
> 
> Sample input (base64):
> H4sIADAwMDAwMGQAAAA=
> 
> With msan this causes:
> 
> ==21601==WARNING: MemorySanitizer: use-of-uninitialized-value
>    #0 0x4affab in inflate_dynamic /f/gzip/gzip-1.9/inflate.c:803:9
>    #1 0x4affab in inflate_block /f/gzip/gzip-1.9/inflate.c:925
>    #2 0x4affab in inflate /f/gzip/gzip-1.9/inflate.c:957
>    #3 0x4c805d in unzip /f/gzip/gzip-1.9/unzip.c:132:19
>    #4 0x4a1234 in treat_file /f/gzip/gzip-1.9/gzip.c:1002:13
>    #5 0x49d760 in main /f/gzip/gzip-1.9/gzip.c:670:13
>    #6 0x7f85c3d724ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
>    #7 0x41c4d9 in _start (/r/gz/gzip+0x41c4d9)
> 
> You can reproduce by building gzip with clang+msan, e.g.
> ./configure CC=clang LD=clang CFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE" LDFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE"
> 
> And then run the above sample with gzip -dc.
> 
> (msan is incompatible with fortify source and some distros set it by
> default, so it's better to unset it.)
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: hanno <at> hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> 
> 
> 
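To see what the reproducer actually hands to inflate_dynamic(), the following is an added example for this bug log, not code from the report or from gzip. It base64-decodes the sample, skips the fixed 10-byte gzip header (RFC 1952) and reads the dynamic-block header fields of RFC 1951: BFINAL, BTYPE, HLIT, HDIST, HCLEN and the HCLEN code-length-code lengths. It also classifies any set of code lengths by its Kraft sum, which goes beyond this one input. For this sample every code-length-code length is zero, so the code-length table has no valid code at all: the first lookup lands on an entry marked as an invalid code, the e == 99 marker the patch tests, and the unpatched code goes on to read that entry's v.n field, which nothing ever initialised. The function names and the empty/incomplete/complete/oversubscribed labels are this example's own, not gzip's.

```python
"""Inspect the bug#33501 reproducer's DEFLATE block header.

Added example, not code from the bug report or from gzip. It parses just
enough of RFC 1952 (gzip framing) and RFC 1951 (DEFLATE) to show the
code-length-code lengths that inflate_dynamic() feeds to huft_build().
"""
import base64
from fractions import Fraction

# Sample input quoted in the bug report.
SAMPLE_B64 = "H4sIADAwMDAwMGQAAAA="

# RFC 1951 3.2.7: order in which the code-length-code lengths are sent.
CLEN_ORDER = [16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15]


class BitReader:
    """LSB-first bit reader, the way DEFLATE packs its header fields."""

    def __init__(self, data, byte_offset=0):
        self.data = data
        self.pos = byte_offset * 8  # position in bits

    def bits(self, n):
        value = 0
        for i in range(n):
            idx = self.pos >> 3
            if idx >= len(self.data):
                raise EOFError("input ends at bit %d" % self.pos)
            value |= ((self.data[idx] >> (self.pos & 7)) & 1) << i
            self.pos += 1
        return value


def gzip_payload_offset(data):
    """Byte offset of the DEFLATE stream inside a gzip member.

    Only the fixed 10-byte header is handled; optional fields (FEXTRA,
    FNAME, FCOMMENT, FHCRC) are rejected, which is fine as the sample has
    FLG == 0.
    """
    if len(data) < 10 or data[0:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip member with CM=8 (deflate)")
    if data[3] & 0xFE:
        raise ValueError("optional gzip header fields not handled here")
    return 10


def classify_code_lengths(lengths):
    """Classify a set of prefix-code lengths by its Kraft sum.

    sum(2**-len) over non-zero lengths is 1 for a complete code, below 1
    for an incomplete one (some bit patterns decode to nothing) and above
    1 when no prefix code exists. An all-zero set is called 'empty': no
    symbol can be decoded at all. Labels are this example's own.
    """
    used = [l for l in lengths if l > 0]
    if not used:
        return "empty"
    kraft = sum(Fraction(1, 2 ** l) for l in used)
    if kraft == 1:
        return "complete"
    return "incomplete" if kraft < 1 else "oversubscribed"


def parse_dynamic_block_header(data, offset):
    """Read the header of the first DEFLATE block, which must be BTYPE 2."""
    r = BitReader(data, offset)
    bfinal = r.bits(1)
    btype = r.bits(2)
    if btype != 2:
        raise ValueError("first block is not dynamic-Huffman (BTYPE=%d)" % btype)
    hlit = r.bits(5) + 257  # literal/length codes
    hdist = r.bits(5) + 1   # distance codes
    hclen = r.bits(4) + 4   # code-length-code lengths transmitted
    clen_lengths = [0] * 19
    for i in range(hclen):
        clen_lengths[CLEN_ORDER[i]] = r.bits(3)
    return {
        "bfinal": bfinal,
        "btype": btype,
        "hlit": hlit,
        "hdist": hdist,
        "hclen": hclen,
        "clen_lengths": clen_lengths,
        "clen_code": classify_code_lengths(clen_lengths),
        "bits_consumed": r.pos - offset * 8,
    }


def analyze(b64):
    data = base64.b64decode(b64)
    return parse_dynamic_block_header(data, gzip_payload_offset(data))


if __name__ == "__main__":
    # inflate_dynamic() must still read hlit + hdist code lengths through
    # the code-length table; with an empty code every lookup is invalid.
    for key, value in analyze(SAMPLE_B64).items():
        print("%-14s %s" % (key, value))
```

Running it prints HLIT 269, HDIST 1, HCLEN 4 and a code-length set of nineteen zeros classified as "empty", after consuming 29 of the 32 payload bits; the remaining input is far too short for the 270 code lengths the block header promises, so only the invalid-code check, not an end-of-input check, can stop the decoder before it reads the table entry's uninitialised value field.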




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.