kspalaiologos / bzip3

A better and stronger spiritual successor to BZip2.

multiple crashes from fuzzing

asarubbo opened this issue · comments

Hello,

Here are my findings about v1.2.2.

You can reproduce via bzip3 -Bcd $FILE

I didn't make further analysis, so I don't know if there are issues with the same root cause. Please specify that, so we will make as little confusion as possible in the CVE request.

Full log: 11.crashes.bz3.log.txt
Testcase: 11.crashes.bz3

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f5060696cdc at pc 0x7f506420673c bp 0x7ffdcde7ea70 sp 0x7ffdcde7ea68
WRITE of size 4 at 0x7f5060696cdc thread T0
    #0 0x7f506420673b in libsais_unbwt_calculate_biPSI /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:4570:33
    #1 0x7f506420673b in libsais_unbwt_init_single /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:4616:5
    #2 0x7f506420673b in libsais_unbwt_core /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5164:7
    #3 0x7f506420673b in libsais_unbwt_main /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5188:29
    #4 0x7f506420673b in libsais_unbwt_aux /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5231:12
    #5 0x7f506420673b in libsais_unbwt /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5261:12
    #6 0x7f506420673b in bz3_decode_block /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:680:9
    #7 0x55fdaf6609d4 in process /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:241:21
    #8 0x55fdaf65f08e in main /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:596:21
    #9 0x7f5063f3e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f5063f3e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #11 0x55fdaf59e680  (/usr/bin/bzip3+0x20680)

Full log: 132.crashes.bz3.log.txt
Testcase: 132.crashes.bz3

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c000008b68 at pc 0x7fcbabf8b113 bp 0x7ffc5907bd70 sp 0x7ffc5907bd68
READ of size 2 at 0x62c000008b68 thread T0
    #0 0x7fcbabf8b112 in libsais_unbwt_decode_1 /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:4625:18
    #1 0x7fcbabf8b112 in libsais_unbwt_decode /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5089:9
    #2 0x7fcbabf8b112 in libsais_unbwt_decode_omp /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5151:9
    #3 0x7fcbabf8b112 in libsais_unbwt_core /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5166:5
    #4 0x7fcbabf8b112 in libsais_unbwt_main /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5188:29
    #5 0x7fcbabf8b112 in libsais_unbwt_aux /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5231:12
    #6 0x7fcbabf8b112 in libsais_unbwt /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/./include/libsais.h:5261:12
    #7 0x7fcbabf8b112 in bz3_decode_block /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:680:9
    #8 0x55cfa986f9d4 in process /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:241:21
    #9 0x55cfa986e08e in main /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:596:21
    #10 0x7fcbabcbe1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #11 0x7fcbabcbe2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #12 0x55cfa97ad680  (/usr/bin/bzip3+0x20680)

Full log: 1.crashes.bz3.log.txt
Testcase: 1.crashes.bz3

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fce284f5aec at pc 0x7fce2af9cc70 bp 0x7ffeadf3cf70 sp 0x7ffeadf3cf68
READ of size 1 at 0x7fce284f5aec thread T0
    #0 0x7fce2af9cc6f in mrled /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:273:13
    #1 0x7fce2af99ee1 in bz3_decode_block /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:697:9
    #2 0x5650c82909d4 in process /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:241:21
    #3 0x5650c828f08e in main /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:596:21
    #4 0x7fce2acce1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7fce2acce2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #6 0x5650c81ce680  (/usr/bin/bzip3+0x20680)

Full log: 233.crashes.bz3.log.txt
Testcase: 233.crashes.bz3

ERROR: AddressSanitizer: negative-size-param: (size=-7)
    #0 0x55ac173c77ac in __asan_memmove /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30:3
    #1 0x7fe34c236e13 in bz3_decode_block /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:623:9
    #2 0x55ac174049d4 in process /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:241:21
    #3 0x55ac1740308e in main /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:596:21
    #4 0x7fe34bf711f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7fe34bf712ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #6 0x55ac17342680  (/usr/bin/bzip3+0x20680)

Full log: 387.crashes.bz3.log.txt
Testcase: 387.crashes.bz3

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa266f4b590 at pc 0x5612ddb7da2e bp 0x7ffce97f6670 sp 0x7ffce97f5e40
READ of size 50331650 at 0x7fa266f4b590 thread T0
    #0 0x5612ddb7da2d in __interceptor_fwrite /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1229:16
    #1 0x5612ddc229f4 in xwrite /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:79:9
    #2 0x5612ddc229f4 in process /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:245:17
    #3 0x5612ddc2108e in main /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/main.c:596:21
    #4 0x7fa2738c41f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7fa2738c42ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #6 0x5612ddb60680  (/usr/bin/bzip3+0x20680)

Testcases/logs:
bzip3.zip

Hello. Crashes 1 and 2 will not be considered as they are not an issue with bzip3.
I will work on crashes 3, 4 and 5.

All of the issues are as of now fixed on the main branch.

I see two commits for 3 issues, can you clarify what commit fixes what issue? That would certainly help packagers.

The last issue was fixed way before. 8ec8ce7 fixes issue 3, bb06deb fixes issue 4.
I am planning to release v1.2.3 after some more testing in a timely fashion.

> The last issue was fixed way before. 8ec8ce7 fixes issue 3, bb06deb fixes issue 4. I am planning to release v1.2.3 after some more testing in a timely fashion.

Thanks for the info. I think I discovered another issue in v1.2.2 that is not fixed in master. Can you wait a bit until I file a new ticket here?

Yeah, of course. You can open a new ticket or just state the issue here.

> Hello. Crashes 1 and 2 will not be considered as they are not an issue with bzip3.

I understand your concern but I don't agree at all with you.

From my understanding, you are not using an upstream version of libsais.h; instead you are using a custom libsais.h. So at this point it doesn't matter if the bug is in the pure libbz3 code or in libsais.h; the matter is that with a crafted archive, an attacker can cause a DoS, or potentially code execution.

I realized that issue n°1 is a pure duplicate of #59, while issue n°2 may be a completely different issue. Do you have a plan to fix those bugs? I'm wondering whether, with some magic in libbz3, it is possible to prevent reaching these bugs in libsais.h.

> From my understanding, you are not using an upstream version of libsais.h; instead you are using a custom libsais.h. So at this point it doesn't matter if the bug is in the pure libbz3 code or in libsais.h; the matter is that with a crafted archive, an attacker can cause a DoS, or potentially code execution.

My fork of libsais.h simply fixes the issues I could be bothered to fix. There are no other differences between my fork and the upstream. If the upstream fixes the issues, I will copy the patches to my trunk. There is no magic that can prevent these bugs. If we wanted to checksum the buffer before it reaches libsais, it would still be possible to hit the UB.

I will not fix the rest of issues in libsais.h, even though they impact my code, because a fix would be very time consuming and (I think) detrimental to performance. If you want to do so, patches are welcome.

> The last issue was fixed way before

For the record, aae16d1 fixes the issue for me.

> Hello. Crashes 1 and 2 will not be considered as they are not an issue with bzip3.

Based on the statement here IlyaGrebnov/libsais#13 (comment) it looks like they are considered issues in bzip3, can you clarify if bfa5bf8 is the fix for both or not?

Yes. Both of them no longer crash.

Processing 1.crashes.bz3 with bzip3-1.3.0 still reads from uninitialized memory:

$ valgrind -- bzip3 -t  1.crashes.bz3
==8703== Memcheck, a memory error detector
==8703== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==8703== Using Valgrind-3.20.0 and LibVEX; rerun with -h for copyright info
==8703== Command: bzip3 -t 1.crashes.bz3
==8703==
==8703== Conditional jump or move depends on uninitialised value(s)
==8703==    at 0x485986F: mrled (libbz3.c:285)
==8703==    by 0x4863983: bz3_decode_block (libbz3.c:711)
==8703==    by 0x10B85C: process (main.c:274)
==8703==    by 0x10AAAC: main (main.c:717)
==8703==
==8703== Conditional jump or move depends on uninitialised value(s)
==8703==    at 0x48598E8: mrled (libbz3.c:288)
==8703==    by 0x4863983: bz3_decode_block (libbz3.c:711)
==8703==    by 0x10B85C: process (main.c:274)
==8703==    by 0x10AAAC: main (main.c:717)
==8703==
Failed to decode a block: CRC32 check failed

This is not dangerous (read of memory that is one byte past the input buffer, which is larger than the input size anyway; on the next loop iteration bounds are checked properly and iteration is aborted), however, I have patched it on the main branch anyway.
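To make the failure mode described in the comment above concrete, here is a constructed example added by the editor. It is not bzip3's code and does not reproduce the logic of `mrled`: the run-length format (a repeated byte pair followed by a count byte), the function names and the sample inputs are all assumptions chosen only to show the bug class. The unsafe variant consumes a pair and then reads the count byte without first checking that any input remains, so an input that ends exactly on a pair reads one byte past the buffer; the hardened variant checks the remaining input before every read and the remaining output space before every write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the decoders below (constructed illustration, not bzip3's API). */
#define RLE_OK        0
#define RLE_TRUNCATED (-1)   /* input ended where the format requires more bytes */
#define RLE_OUT_FULL  (-2)   /* output buffer too small for the decoded data */

/*
 * Assumed format: a byte is emitted literally; if it is immediately repeated,
 * the pair is followed by one count byte giving extra repetitions (0..255).
 *
 * Unsafe variant: the count byte is read after the pair without checking that
 * i < in_len, so a buffer ending in a pair causes a one-byte read past its end.
 * Kept here only as the "before" picture; do not call it on truncated input.
 */
static int rle_decode_unsafe(const uint8_t *in, size_t in_len,
                             uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t i = 0, o = 0;
    while (i < in_len) {
        uint8_t b = in[i++];
        if (o >= out_cap) return RLE_OUT_FULL;
        out[o++] = b;
        if (i < in_len && in[i] == b) {
            i++;
            if (o >= out_cap) return RLE_OUT_FULL;
            out[o++] = b;
            uint8_t count = in[i++];            /* BUG: no check that i < in_len */
            if (count > out_cap - o) return RLE_OUT_FULL;
            memset(out + o, b, count);
            o += count;
        }
    }
    *out_len = o;
    return RLE_OK;
}

/* Hardened variant: every read is guarded by the remaining input length and
 * every write by the remaining output capacity, with no arithmetic that can wrap. */
static int rle_decode_safe(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t i = 0, o = 0;
    while (i < in_len) {
        uint8_t b = in[i++];
        if (o >= out_cap) return RLE_OUT_FULL;
        out[o++] = b;
        if (i < in_len && in[i] == b) {
            i++;
            if (o >= out_cap) return RLE_OUT_FULL;
            out[o++] = b;
            if (i >= in_len) return RLE_TRUNCATED;   /* the count byte must exist */
            uint8_t count = in[i++];
            if (count > out_cap - o) return RLE_OUT_FULL;
            memset(out + o, b, count);
            o += count;
        }
    }
    *out_len = o;
    return RLE_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]        = { 'a', 'b', 'b', 3, 'c' };   /* decodes to "abbbbbc" */
static const uint8_t SAMPLE_TRUNCATED[] = { 'a', 'b', 'b' };           /* pair with no count byte */

int main(void) {
    uint8_t buf[32];
    size_t n = 0;
    int rc = rle_decode_safe(SAMPLE_OK, sizeof SAMPLE_OK, buf, sizeof buf, &n);
    printf("well-formed: rc=%d len=%zu data=%.*s\n", rc, n, (int)n, buf);
    rc = rle_decode_safe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, buf, sizeof buf, &n);
    printf("truncated:   rc=%d (RLE_TRUNCATED is %d)\n", rc, RLE_TRUNCATED);
    return 0;
}
```

The point of the hardened form is that the bound is checked before the read that could step past the end, not on the next loop iteration; an input-length guard that only runs at the top of the loop leaves exactly the one-byte overread the maintainer describes, which is harmless only as long as the allocation happens to be larger than the input.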

Thanks for the quick fix and the explanation. I confirm it makes valgrind happy again.

FYI, multiple CVEs were assigned for the issues raised here:

(I'm not the person who assigned these, I just noticed them while triaging new CVEs.)