Bug#874060: unrar-free: CVE-2017-14122: stack overread vulnerability

2017-10-14 Thread Ying-Chun Liu (PaulLiu)
On 14 October 2017 at 21:43, Ying-Chun Liu (PaulLiu) wrote:
> Hi Salvatore,
> 
> How to reproduce your bug?
> 
> I'm currently using valgrind with the rar file you provided. And found
> that there are some unconditional jumps based on some uninit value. Please
> see the attachment [1].
> 
> After fixing that [2], valgrind is happy now without any errors.
> Not sure if this is related to this bug.
> 
> Attaching the autopkgtest scripts [3] for testing the package.
> 
> If this looks good for you I'll upload this soon.
> 
> [1] val_log1.txt
> [2] 0002-CVE-2017-14122.patch
> [3] 0003-CVE-2017-14122
> 
> Yours Sincerely,
> Paul
> 

I'm not quite familiar with how to use asan. Need some instructions.

But here are some relations:

In the bug report:
==2585==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff76184120 at pc 0x00445d25 bp 0x7fff76183ef0 sp 0x7fff761836a0
READ of size 519 at 0x7fff76184120 thread T0
    #0 0x445d24 in __interceptor_strchr.part.33 (/r/unrar-gpl/unrar+0x445d24)
    #1 0x516d0d in stricomp /f/unrar-gpl/unrar/src/unrarlib.c:851:19
    #2 0x511613 in ExtrFile /f/unrar-gpl/unrar/src/unrarlib.c:745:20
    #3 0x510b02 in urarlib_get /f/unrar-gpl/unrar/src/unrarlib.c:303:13
    #4 0x50b249 in unrar_extract_file /f/unrar-gpl/unrar/src/unrar.c:343:8
    #5 0x50be32 in unrar_extract /f/unrar-gpl/unrar/src/unrar.c:483:9
    #6 0x50c69c in main /f/unrar-gpl/unrar/src/unrar.c:556:14
    #7 0x7f632d3834f0 in __libc_start_main (/lib64/libc.so.6+0x204f0)
    #8 0x419e19 in _start (/r/unrar-gpl/unrar+0x419e19)

And in the valgrind log there is:
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4C2F405: __strncpy_sse2_unaligned (vg_replace_strmem.c:552)
==4627==    by 0x10C7DB: strncpy (string3.h:126)
==4627==    by 0x10C7DB: stricomp (unrarlib.c:852)
==4627==    by 0x10E6D9: ExtrFile (unrarlib.c:745)
==4627==    by 0x10EA7B: urarlib_get (unrarlib.c:303)
==4627==    by 0x10A70F: unrar_extract_file (unrar.c:343)
==4627==    by 0x10AA03: unrar_extract (unrar.c:487)
==4627==    by 0x109CB4: main (unrar.c:561)

Seems to be just the same place.

Yours Sincerely,
Paul

-- 
PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu)

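
Editor's note, added to this archived thread and not part of either message: the two reports above are consistent with one defect, shown here in an added C example that is not unrar-free's code. The page gives only the call sites (strchr at unrarlib.c:851 and strncpy at unrarlib.c:852 in stricomp), so FIELD_LEN, the function names and the sample inputs below are constructed. A fixed-size stack buffer receives a copy of a length-delimited name with no guarantee of a NUL terminator, and strchr then scans it. strchr stops only at a NUL, so it runs past the end of the buffer; ASan's strchr interceptor checks the whole scanned range against the stack object and reports it as a stack-buffer-overflow READ. Memcheck does not track the bounds of stack variables, only whether bytes are defined, so the same missing terminator surfaces as uninitialised stack bytes feeding a comparison, which is why valgrind lands in the same frame with a different message. The hardened form rejects a name that cannot fit with its terminator, always terminates, and searches only the bytes actually copied.

```c
/* Added example of the bug class behind the ASan and Memcheck reports above.
 * Not unrar-free code; FIELD_LEN and the function names are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 32  /* constructed stack buffer size; the real size is not on the page */

/* Unsafe pattern: copy a length-delimited name into a stack buffer without
 * writing a terminator, then scan with strchr, which reads until it finds a
 * NUL. If the name fills the buffer, or the unused tail is uninitialised,
 * strchr walks off the end: ASan flags the overread, Memcheck flags the
 * uninitialised bytes. Returns the separator offset or -1. */
int unsafe_find_separator(const unsigned char *raw, size_t rawlen, char sep)
{
    char field[FIELD_LEN];                            /* tail left uninitialised */
    size_t n = rawlen < FIELD_LEN ? rawlen : FIELD_LEN;
    memcpy(field, raw, n);                            /* no NUL written */
    const char *p = strchr(field, sep);               /* unbounded scan */
    return p ? (int)(p - field) : -1;
}

/* Hardened form: reject a name that cannot fit with its terminator, always
 * terminate, and search only the bytes actually copied.
 * Returns the separator offset, -1 if absent, -2 if the name is too long. */
int safe_find_separator(const unsigned char *raw, size_t rawlen, char sep)
{
    char field[FIELD_LEN];
    if (rawlen >= FIELD_LEN)
        return -2;                                    /* would not fit with its NUL */
    memcpy(field, raw, rawlen);
    field[rawlen] = '\0';
    const char *p = memchr(field, sep, rawlen);       /* bounded by the copied length */
    return p ? (int)(p - field) : -1;
}

int main(void)
{
    /* Constructed inputs: an archive-style name with a path separator, and a
     * name longer than the buffer, as a crafted archive could supply. */
    static const unsigned char name[] = "dir\\file.txt";
    unsigned char long_name[FIELD_LEN + 8];
    memset(long_name, 'A', sizeof long_name);

    printf("safe, short name:  %d\n", safe_find_separator(name, sizeof name - 1, '\\'));   /* 3 */
    printf("safe, long name:   %d\n", safe_find_separator(long_name, sizeof long_name, '\\')); /* -2 */
    /* The unsafe variant is only run on a short input that carries its own NUL;
     * feeding it long_name would be the out-of-bounds read the tools flagged. */
    printf("unsafe, short name: %d\n", unsafe_find_separator(name, sizeof name, '\\'));  /* 3 */
    return 0;
}
```

Build it once with -fsanitize=address and once under valgrind and the two tools agree on the benign input; the difference in how they report the long input is the difference seen in the thread.
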
Bug#874060: unrar-free: CVE-2017-14122: stack overread vulnerability

2017-10-14 Thread Ying-Chun Liu (PaulLiu)
Hi Salvatore,

How to reproduce your bug?

I'm currently using valgrind with the rar file you provided. And found
that there are some unconditional jumps based on some uninit value. Please
see the attachment [1].

After fixing that [2], valgrind is happy now without any errors.
Not sure if this is related to this bug.

Attaching the autopkgtest scripts [3] for testing the package.

If this looks good for you I'll upload this soon.

[1] val_log1.txt
[2] 0002-CVE-2017-14122.patch
[3] 0003-CVE-2017-14122

Yours Sincerely,
Paul

-- 
PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu)

==4627== Memcheck, a memory error detector
==4627== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4627== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==4627== Command: /usr/bin/unrar-free x unrar-gpl-stack-overread.rar
==4627== Parent PID: 11514
==4627== 
==4627== Use of uninitialised value of size 8
==4627==    at 0x10BCE7: CalcCRC32 (unrarlib.c:2180)
==4627==    by 0x10BCE7: ReadHeader (unrarlib.c:627)
==4627==    by 0x10C090: ReadBlock (unrarlib.c:506)
==4627==    by 0x10C5A5: urarlib_list (unrarlib.c:389)
==4627==    by 0x10A911: unrar_extract (unrar.c:425)
==4627==    by 0x109CB4: main (unrar.c:561)
==4627==  Uninitialised value was created by a stack allocation
==4627==    at 0x10BAE0: ReadHeader (unrarlib.c:596)
==4627== 
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x10BFEB: ReadBlock (unrarlib.c:509)
==4627==    by 0x10C5A5: urarlib_list (unrarlib.c:389)
==4627==    by 0x10A911: unrar_extract (unrar.c:425)
==4627==    by 0x109CB4: main (unrar.c:561)
==4627==  Uninitialised value was created by a stack allocation
==4627==    at 0x10BAE0: ReadHeader (unrarlib.c:596)
==4627== 
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x10C022: ReadBlock (unrarlib.c:514)
==4627==    by 0x10C5A5: urarlib_list (unrarlib.c:389)
==4627==    by 0x10A911: unrar_extract (unrar.c:425)
==4627==    by 0x109CB4: main (unrar.c:561)
==4627==  Uninitialised value was created by a stack allocation
==4627==    at 0x10BAE0: ReadHeader (unrarlib.c:596)
==4627== 
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4C2BACC: malloc (vg_replace_malloc.c:298)
==4627==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
==4627==    by 0x10C282: ReadBlock (unrarlib.c:538)
==4627==    by 0x10C5A5: urarlib_list (unrarlib.c:389)
==4627==    by 0x10A911: unrar_extract (unrar.c:425)
==4627==    by 0x109CB4: main (unrar.c:561)
==4627==  Uninitialised value was created by a stack allocation
==4627==    at 0x10BAE0: ReadHeader (unrarlib.c:596)
==4627== 
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4E9FA54: fread (iofread.c:35)
==4627==    by 0x10C2A4: fread (stdio2.h:295)
==4627==    by 0x10C2A4: ReadBlock (unrarlib.c:539)
==4627==    by 0x10C5A5: urarlib_list (unrarlib.c:389)
==4627==    by 0x10A911: unrar_extract (unrar.c:425)
==4627==    by 0x109CB4: main (unrar.c:561)
==4627==  Uninitialised value was created by a stack allocation
==4627==    at 0x10BAE0: ReadHeader (unrarlib.c:596)
==4627== 
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4EAA9C8: _IO_file_xsgetn (fileops.c:1386)
==4627==    by 0x4E9FAD8: fread (iofread.c:38)
==4627==    by 0x10C2A4: fread (stdio2.h:295)
==4627==    by 0x10C2A4: ReadBlock (unrarlib.c:539)
==4627==    by 0x10C5A5: urarlib_list (unrarlib.c:389)
==4627==    by 0x10A911: unrar_extract (unrar.c:425)
==4627==    by 0x109CB4: main (unrar.c:561)
==4627==  Uninitialised value was created by a stack allocation
==4627==    at 0x10BAE0: ReadHeader (unrarlib.c:596)
==4627== 
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4EAA9E0: _IO_file_xsgetn (fileops.c:1389)
==4627==    by 0x4E9FAD8: fread (iofread.c:38)
==4627==    by 0x10C2A4: fread (stdio2.h:295)
==4627==    by 0x10C2A4: ReadBlock (unrarlib.c:539)
==4627==    by 0x10C5A5: urarlib_list (unrarlib.c:389)
==4627==    by 0x10A911: unrar_extract (unrar.c:425)
==4627==    by 0x109CB4: main (unrar.c:561)
==4627==  Uninitialised value was created by a stack allocation
==4627==    at 0x10BAE0: ReadHeader (unrarlib.c:596)
==4627== 
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4EAAA2C: _IO_file_xsgetn (fileops.c:1420)
==4627==    by 0x4E9FAD8: fread (iofread.c:38)
==4627==    by 0x10C2A4: fread (stdio2.h:295)
==4627==    by 0x10C2A4: ReadBlock (unrarlib.c:539)
==4627==    by 0x10C5A5: urarlib_list (unrarlib.c:389)
==4627==    by 0x10A911: unrar_extract (unrar.c:425)
==4627==    by 0x109CB4: main (unrar.c:561)
==4627==  Uninitialised value was created by a stack allocation
==4627==    at 0x10BAE0: ReadHeader (unrarlib.c:596)
==4627== 
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4E9FB27: fread (iofread.c:40)
==4627==