A crafted bz3 archive hangs the process

Question

A crafted bz3 archive hangs the process

asarubbo opened this issue a year ago · comments

Hello,

the attached testcase is able to hang the process:

~ # ps aux | grep bzip3 | grep -v grep
root     36808  100  0.0 21474991596 74724 pts/0 R+ 08:49  14:07 /usr/bin/bzip3 -t 4.crashes.bz3

~ # ps -eo pid,etimes | grep 36808
36808     852

I can reproduce the issue on both v1.2.2 and v1.2.2.r21-ge17c8da (e17c8da)

I can also reproduce with a binary not compiled with Asan.

To reproduce:

bzip3 -t $TESTCASE

Testcase:
4.crashes.bz3.zip

Kamila Szewczyk · Answer 1 · Thu Mar 23 2023 19:12:17 GMT+0800 (China Standard Time)

Will take a look later.

Kamila Szewczyk · Answer 2 · Thu Mar 23 2023 19:17:47 GMT+0800 (China Standard Time)

Hangs in libsais_unbwt_decode_1.
Won't fix. When reporting future issues please make sure that you're reporting a problem with bzip3, not libsais.

Agostino Sarubbo · Answer 3 · Mon Mar 27 2023 15:16:37 GMT+0800 (China Standard Time)

Based on the statement here IlyaGrebnov/libsais#13 (comment) can you clarify if this is an issue in bzip3 and if bfa5bf8 is the fix?

Kamila Szewczyk · Answer 4 · Mon Mar 27 2023 19:47:49 GMT+0800 (China Standard Time)

Yes. There was an extra I/O issue that needed addressing in 56c24ca.

Steve Beattie · Answer 5 · Fri Apr 07 2023 15:46:35 GMT+0800 (China Standard Time)

This issue was assigned CVE-2023-29415.

(I did not assign the CVE, I just noticed it while triaging new CVEs.)

Kamila Szewczyk · Answer 6 · Fri Apr 07 2023 15:52:42 GMT+0800 (China Standard Time)

@stevebeattie The CVE description is just plain wrong:

because bzip3 does not follow the required procedure for interacting with libsais.

The libsais documentation never states that it expects a zeroed temporary array.

Steve Beattie · Answer 7 · Fri Apr 07 2023 16:08:00 GMT+0800 (China Standard Time)

I agree. Looking at the (bottom of the) NVD page it seems it was allocated by MITRE, likely from a submission through their webform. You can request to update the description through the same form (though as a piece of advice, keep a record for yourself of what you send them as their ticketing response does not send you a copy of what you submitted, and there can be a delay on when they respond to you).

Kamila Szewczyk · Answer 8 · Fri Apr 07 2023 16:12:53 GMT+0800 (China Standard Time)

https://www.cve.org/CVERecord?id=CVE-2023-29417 is also hilarious to me, as bz3_decompress takes the output buffer as parameter and its capacity meaning that obviously when you claim that the buffer you passed has greater capacity than it actually has, the library is going to crash. Of course, you could open such a bug against e.g. glibc because memcpy will keep copying past the end of buffer when the size you passed to it is bogus.

Because it appears to me that these two CVEs were filed with more attention seeking and less reasonable thinking, I think that I will not bother to ask for them to be updated, because everyone who knows C to some extent and bothers to read libsais documentation will know that they're plain invalid.