Memory corruption in RAR decoder
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libarchive (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Hi,
There are some crashes and memory corruption issues in
libarchive's RAR decoder. Most notably, I have observed some
double-frees and heap use-after-frees, both reading and writing. These
have not been detected by previous fuzzing runs because of the CRC
checks in the RAR parser.
The memory corruption seems to arise in ppmd7 decoding. The code can
be made to read and write addresses that are at least partially
attacker controlled, but the decoder is complex and I don't have the
time to investigate fully whether the level of control is sufficient
to lead to code execution. My gut feeling is that someone more skilled
than I could cause arbitrary code execution, but I cannot say for
certain.
This bug can be used to crash bsdtar and other programs that use
libarchive, such as file-roller.
I have attached some test cases that demonstrate this.
They run as follows:
xxd -r testcase.rar.txt testcase.rar
bsdtar -Oxf testcase.rar
The test cases are:
- oob-read.txt - Ppmd7_DecodeSymbol does an out-of-bounds read and
crashes. (No UAF.)
- uaf-read.txt - this heap UAF causes an out-of-bounds read in
Ppmd7_
- double-free.txt - this test case causes a double-free
- uaf-rw.txt - this shows reads and writes into a previously freed
heap region.
I've tested all of these on the version of bsdtar that ships with
Ubuntu 18.04 Bionic and also with a build of libarchive from git. My
analysis of their behaviour comes from running them under valgrind and
ASAN. If you have any trouble reproducing them let me know.
The crashes were found with afl-fuzz and the FairFuzz extension.
I've also reported this to the OSS-Fuzz contacts for the upstream project.
Hi Daniel, very nice findings. Have you had any feedback from upstream authors yet?
How did you manage the CRC? Did you defeat that in the sources or did you compute 'correct' CRCs for the inputs? Is this work that can be fed to Hanno or the upstream authors to encourage far wider use of fuzzing?
Have you had sufficient core time to get a feeling for how hardened this project is?
Thanks
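One way to deal with the CRC problem that both the report and the follow-up question touch on: recompute the 16-bit header CRC of every RAR 4.x block, so that a mutated test case reaches the decoder instead of being rejected at the header check. This is an added example written for this page, not the reporter's tooling and not libarchive code. It assumes the RAR 4.x block layout (HEAD_CRC is the low 16 bits of CRC-32 over the rest of the header, followed by HEAD_TYPE, HEAD_FLAGS and HEAD_SIZE; a FILE_HEAD carries PACK_SIZE at offset 7 and its packed data follows the header), that the 7-byte marker is a fixed signature rather than a CRC-checked header, and that the data CRC of a file is only checked after extraction, so fixing header CRCs is enough to get mutated input into the decompressor. The sample archive is constructed inline with zeroed CRC fields.

```python
import struct
import sys
import zlib

# RAR 4.x constants (assumed layout, see lead-in). The marker block is
# treated as a fixed signature, as libarchive does, and is not re-CRC'd.
RAR_MARKER = b"Rar!\x1a\x07\x00"
FILE_HEAD = 0x74
FLAG_LONG_BLOCK = 0x8000   # header is followed by ADD_SIZE bytes of data
FLAG_LARGE = 0x0100        # FILE_HEAD carries HIGH_PACK_SIZE / HIGH_UNP_SIZE


def header_crc(block: bytes) -> int:
    """Low 16 bits of CRC-32 over the header, excluding the 2-byte HEAD_CRC field."""
    return zlib.crc32(block[2:]) & 0xFFFF


def walk_blocks(data: bytes):
    """Yield (offset, head_type, head_flags, head_size, data_size) per block.

    Stops cleanly on truncated or inconsistent input, which fuzzer output
    frequently is, instead of raising."""
    if not data.startswith(RAR_MARKER):
        return
    pos = len(RAR_MARKER)
    while pos + 7 <= len(data):
        head_type, head_flags, head_size = struct.unpack_from("<BHH", data, pos + 2)
        if head_size < 7 or pos + head_size > len(data):
            return
        data_size = 0
        if head_type == FILE_HEAD and head_size >= 32:
            data_size = struct.unpack_from("<I", data, pos + 7)[0]
            if head_flags & FLAG_LARGE and head_size >= 40:
                data_size |= struct.unpack_from("<I", data, pos + 32)[0] << 32
        elif head_flags & FLAG_LONG_BLOCK and head_size >= 11:
            data_size = struct.unpack_from("<I", data, pos + 7)[0]
        yield pos, head_type, head_flags, head_size, data_size
        pos += head_size + data_size


def fix_header_crcs(data: bytes) -> bytes:
    """Return a copy of data with every block's HEAD_CRC recomputed."""
    out = bytearray(data)
    for pos, _type, _flags, head_size, _dsize in walk_blocks(data):
        struct.pack_into("<H", out, pos, header_crc(data[pos:pos + head_size]))
    return bytes(out)


def verify_header_crcs(data: bytes) -> bool:
    """True if every reachable block header carries a correct HEAD_CRC."""
    return all(
        struct.unpack_from("<H", data, pos)[0] == header_crc(data[pos:pos + head_size])
        for pos, _type, _flags, head_size, _dsize in walk_blocks(data)
    )


def block_types(data: bytes) -> list:
    """HEAD_TYPE values of the blocks the walker can reach."""
    return [head_type for _pos, head_type, _f, _s, _d in walk_blocks(data)]


def _block(head_type: int, head_flags: int, body: bytes) -> bytes:
    """Assemble a block header with HEAD_CRC zeroed, as a blind mutation might leave it."""
    return struct.pack("<HBHH", 0, head_type, head_flags, 7 + len(body)) + body


def build_sample() -> bytes:
    """Constructed sample archive: marker, MAIN_HEAD, one stored FILE_HEAD, END_HEAD."""
    main_head = _block(0x73, 0x0000, struct.pack("<HI", 0, 0))   # HighPosAv, PosAV
    name = b"hello.txt"
    payload = b"hello\n"
    file_body = struct.pack(
        "<IIBIIBBHI",
        len(payload),                      # PACK_SIZE
        len(payload),                      # UNP_SIZE
        0x02,                              # HOST_OS (Win32)
        zlib.crc32(payload) & 0xFFFFFFFF,  # FILE_CRC of the unpacked data
        0,                                 # FTIME
        29,                                # UNP_VER
        0x30,                              # METHOD: storing
        len(name),                         # NAME_SIZE
        0x20,                              # ATTR
    ) + name
    file_head = _block(FILE_HEAD, FLAG_LONG_BLOCK, file_body) + payload
    end_head = _block(0x7B, 0x4000, b"")
    return RAR_MARKER + main_head + file_head + end_head


if __name__ == "__main__":
    # Usage: fix_rar_crc.py <mutated.rar> <out.rar>  (hypothetical file names)
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(fix_header_crcs(blob))
```

Run as a post-processing step between the mutator and the target (for example from a fuzzer's post-process hook), this keeps the header CRC check from discarding every mutated case before the ppmd7 code runs; data CRCs are left alone on the assumption stated above. It does not compute or adjust the RAR 5.x format, whose block layout is different.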