Null Pointer Dereference in function Reserve in p7zip when given a crafted rar file

Bug #1923527 reported by ivanchen
Affects: p7zip (Ubuntu); Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

Null Pointer Dereference in function `Reserve` when given a crafted rar file

To Reproduce

```shell
$ sudo apt install p7zip-full
$ 7z t poc

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Xeon(R) CPU E5-2697 v3 @ 2.60GHz (306F2),ASM,AES-NI)

Scanning the drive for archives:
1 file, 72360 bytes (71 KiB)

Testing archive: poc
Segmentation fault (core dumped)
```

The `MyAlloc` function fails to handle an excessively large size correctly. When the size is too large, `align_alloc` will return 0:

```shell
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x497ac0 --> 0x7ffff745ce00 --> 0x7ffff7336dd8 (:NExt::CHandler::QueryInterface(GUID const&, void**)>: 0x440000000002c748)
RCX: 0x950b9086
RDX: 0x0
RSI: 0x72615207
RDI: 0x2a6157fb10
RBP: 0x2
RSP: 0x7fffffffaff0 --> 0x1
RIP: 0x403b6a (<MyAlloc+14>: call 0x403490 <malloc@plt>)
R8 : 0x100
R9 : 0x72615207
R10: 0x7261520700
R11: 0x6a500007
R12: 0x4fc64b42
R13: 0x497b60 --> 0x10
R14: 0x4a0260 --> 0x7ffff7462508 --> 0x7ffff73d6648 (:QueryInterface(GUID const&, void**)>: 0x440000000002c748)
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x403b61 <MyAlloc+5>: test rdi,rdi
   0x403b64 <MyAlloc+8>: je 0x403b74 <MyAlloc+24>
   0x403b66 <MyAlloc+10>: sub rsp,0x8
=> 0x403b6a <MyAlloc+14>: call 0x403490 <malloc@plt>
   0x403b6f <MyAlloc+19>: add rsp,0x8
   0x403b73 <MyAlloc+23>: ret
   0x403b74 <MyAlloc+24>: ret
   0x403b75 <SzAlloc>: sub rsp,0x8
Guessed arguments:
arg[0]: 0x2a6157fb10
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffaff0 --> 0x1
0008| 0x7fffffffaff8 --> 0x452aef (<operator new[](unsigned long)+9>: add rsp,0x8)
0016| 0x7fffffffb000 --> 0x4a0260 --> 0x7ffff7462508 --> 0x7ffff73d6648 (:QueryInterface(GUID const&, void**)>: 0x440000000002c748)
0024| 0x7fffffffb008 --> 0x7ffff7335ce7 (:NExt::CHandler::Open2(IInStream*)+1447>: 0xec83491024448948)
0032| 0x7fffffffb010 --> 0x0
0040| 0x7fffffffb018 --> 0x4fc64b42
0048| 0x7fffffffb020 --> 0x5
0056| 0x7fffffffb028 --> 0x4977b0 --> 0xb615b7ad
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
align_alloc (size=0x2a6157fb10) at ../../../../C/Alloc.c:82
82 return align_alloc(size);
gdb-peda$ ni
gdb-peda$ i r rax
rax 0x0 0x0
```

Stack trace

```shell
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x497ac0 --> 0x7ffff745ce00 --> 0x7ffff7336dd8 (:NExt::CHandler::QueryInterface(GUID const&, void**)>: 0x440000000002c748)
RCX: 0x0
RDX: 0x0
RSI: 0x3f000
RDI: 0x0
RBP: 0x2
RSP: 0x7fffffffb010 --> 0x0
RIP: 0x7ffff7335cf2 (:NExt::CHandler::Open2(IInStream*)+1458>: 0x40c7ffffffff00c7)
R8 : 0xffffffff
R9 : 0x0
R10: 0xfffffffffffff000
R11: 0x4c1000
R12: 0x4fc64b41
R13: 0x497b60 --> 0x10
R14: 0x4a0260 --> 0x7ffff7462508 --> 0x7ffff73d6648 (:QueryInterface(GUID const&, void**)>: 0x440000000002c748)
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7335ce7 <NArchive::NExt::CHandler::Open2(IInStream*)+1447>: mov QWORD PTR [rsp+0x10],rax
   0x7ffff7335cec <NArchive::NExt::CHandler::Open2(IInStream*)+1452>: sub r12,0x1
   0x7ffff7335cf0 <NArchive::NExt::CHandler::Open2(IInStream*)+1456>: js 0x7ffff7335d20 <NArchive::NExt::CHandler::Open2(IInStream*)+1504>
=> 0x7ffff7335cf2 <NArchive::NExt::CHandler::Open2(IInStream*)+1458>: mov DWORD PTR [rax],0xffffffff
   0x7ffff7335cf8 <NArchive::NExt::CHandler::Open2(IInStream*)+1464>: mov DWORD PTR [rax+0x4],0xffffffff
   0x7ffff7335cff <NArchive::NExt::CHandler::Open2(IInStream*)+1471>: mov DWORD PTR [rax+0x8],0xffffffff
   0x7ffff7335d06 <NArchive::NExt::CHandler::Open2(IInStream*)+1478>: mov DWORD PTR [rax+0xc],0x0
   0x7ffff7335d0d <NArchive::NExt::CHandler::Open2(IInStream*)+1485>: mov DWORD PTR [rax+0x48],0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb010 --> 0x0
0008| 0x7fffffffb018 --> 0x4fc64b42
0016| 0x7fffffffb020 --> 0x0
0024| 0x7fffffffb028 --> 0x4977b0 --> 0xb615b7ad
0032| 0x7fffffffb030 --> 0x72615207
0040| 0x7fffffffb038 --> 0x135a7d62
0048| 0x7fffffffb040 --> 0x2e5ee0f8
0056| 0x7fffffffb048 --> 0x9736
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
CRecordVector<NArchive::NExt::CNode>::Reserve (newCapacity=0x4fc64b42, this=0x497b00) at ../../../../CPP/Common/MyVector.h:66
66 T *p = new T[newCapacity];
gdb-peda$ bt
#0 CRecordVector<NArchive::NExt::CNode>::Reserve (newCapacity=0x4fc64b42, this=0x497b00) at ../../../../CPP/Common/MyVector.h:66
#1 NArchive::NExt::CHandler::Open2 (this=this@entry=0x497ac0, inStream=inStream@entry=0x4a0260) at ../../../../CPP/7zip/Archive/ExtHandler.cpp:1239
#2 0x00007ffff7336cc3 in NArchive::NExt::CHandler::Open (this=0x497ac0, stream=0x4a0260, callback=0x496c70) at ../../../../CPP/7zip/Archive/ExtHandler.cpp:1572
#3 0x000000000042b7f8 in OpenArchiveSpec (archive=0x497ac0, needPhySize=<optimized out>, stream=<optimized out>, maxCheckStartPosition=maxCheckStartPosition@entry=0x7fffffffbbb0,
    openCallback=<optimized out>, extractCallback=extractCallback@entry=0x4a2260) at ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1537
#4 0x000000000043040a in CArc::OpenStream2 (this=this@entry=0x7fffffffbea0, op=...) at ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2143
#5 0x0000000000432313 in CArc::OpenStream (this=this@entry=0x7fffffffbea0, op=...) at ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
#6 0x0000000000433983 in CArchiveLink::Open (this=this@entry=0x7fffffffc250, op=...) at ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3254
#7 0x000000000043457c in CArchiveLink::Open2 (this=this@entry=0x7fffffffc250, op=..., callbackUI=callbackUI@entry=0x4a0938) at ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
#8 0x000000000043477e in CArchiveLink::Open3 (this=this@entry=0x7fffffffc250, op=..., callbackUI=callbackUI@entry=0x4a0938) at ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
#9 0x0000000000423ca9 in Extract (codecs=codecs@entry=0x496670, types=..., excludedFormats=..., arcPaths=..., arcPathsFull=..., wildcardCensor=..., options=...,
    openCallback=<optimized out>, extractCallback=<optimized out>, hash=<optimized out>, errorMessage=..., st=...) at ../../../../CPP/7zip/UI/Common/Extract.cpp:362
#10 0x000000000044a181 in Main2 (numArgs=numArgs@entry=0x3, args=args@entry=0x7fffffffcc18) at ../../../../CPP/Common/MyVector.h:455
#11 0x000000000044d2d4 in main (numArgs=numArgs@entry=0x3, args=args@entry=0x7fffffffcc18) at ../../../../CPP/7zip/UI/Console/MainAr.cpp:66
#12 0x00007ffff7a8309b in __libc_start_main (main=0x44d2a1 <main(int, char**)>, argc=0x3, argv=0x7fffffffcc18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffcc08) at ../csu/libc-start.c:308
#13 0x000000000040378a in _start ()
```

Environment:

- version: p7zip 16.04
- OS: Ubuntu 20.04 16.04

Credit: 1vanChen of NSFOCUS Security Team
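The mechanism described above, as an added example that is not code from p7zip or from the reporter. The values in the gdb output give the arithmetic: 0x4fc64b42 elements (newCapacity in frame #0) times 0x88 bytes per element is 0x2a6157fb10, the argument visible in RDI at the malloc call, roughly 169 GiB, which malloc refuses. operator new[] returns that null result to Reserve, and the stores through RAX=0x0 at Open2+1458 are the segfault. The C++ below reproduces that shape with a stand-in Node type (sized 0x88 only so the numbers match, an assumption about layout), a hypothetical NULL-returning allocator with a constructed 1 GiB cap so the failure is deterministic offline, and then the checks a hardened Reserve would make before its first write: a plausibility bound against the input size (the poc is 72360 bytes; the 32-byte minimum record size is assumed), an overflow check on count times element size, and a null check on the allocation result.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <limits>

// Stand-in for the element type. Its size is 0x88 bytes only so that the
// arithmetic reproduces the request seen in the trace (0x4fc64b42 * 0x88 =
// 0x2a6157fb10); this is an assumption about layout, not CNode's definition.
struct Node {
    unsigned char body[0x88];
};

// Hypothetical allocator with the contract seen in the backtrace: NULL on
// failure, no std::bad_alloc. The 1 GiB cap is constructed so the failure is
// deterministic offline instead of depending on what the host's malloc grants.
static void *NullReturningAlloc(size_t size) {
    const size_t kCap = static_cast<size_t>(1) << 30;  // assumption
    if (size == 0 || size > kCap) return nullptr;
    return std::malloc(size);
}

// Vulnerable shape: an element count read from the archive header is
// multiplied by the element size and the allocator's result is handed back
// unchecked. The first write through it, p[0] = ..., is the NULL dereference
// reported as SIGSEGV in Reserve.
static Node *ReserveUnchecked(uint64_t count) {
    size_t bytes = static_cast<size_t>(count) * sizeof(Node);
    return static_cast<Node *>(NullReturningAlloc(bytes));
}

enum ReserveStatus { kOk = 0, kBadCount = 1, kOutOfMemory = 2 };

// Hardened shape: three checks before the first write.
//  1. plausibility: the input cannot describe more records than it has bytes for
//  2. arithmetic: count * sizeof(Node) must not wrap size_t (matters on 32-bit)
//  3. result: NULL from the allocator is an error, never a pointer to write through
static ReserveStatus ReserveChecked(uint64_t count, uint64_t input_size,
                                    size_t min_record_bytes, Node **out) {
    *out = nullptr;
    if (count == 0) return kOk;  // nothing to reserve
    if (min_record_bytes == 0) return kBadCount;
    if (count > input_size / min_record_bytes) return kBadCount;
    if (count > std::numeric_limits<size_t>::max() / sizeof(Node)) return kBadCount;
    size_t bytes = static_cast<size_t>(count) * sizeof(Node);
    Node *p = static_cast<Node *>(NullReturningAlloc(bytes));
    if (p == nullptr) return kOutOfMemory;
    std::memset(p, 0xff, bytes);  // safe now: the -1 fills the trace's stores were doing
    *out = p;
    return kOk;
}

int main() {
    const uint64_t kCraftedCount = 0x4fc64b42ULL;  // newCapacity from frame #0
    const uint64_t kPocSize = 72360;               // "1 file, 72360 bytes" above
    const size_t kMinRecord = 32;                  // assumed minimum on-disk record size

    Node *p = ReserveUnchecked(kCraftedCount);     // NULL: the ~169 GiB request fails
    // p[0].body[0] = 0;                           // this is the faulting store in the trace
    (void)p;

    Node *q = nullptr;
    ReserveStatus s = ReserveChecked(kCraftedCount, kPocSize, kMinRecord, &q);  // kBadCount
    std::free(q);
    return s == kBadCount ? 0 : 1;
}
```

The plausibility bound is the check that rejects this poc outright: a 72360-byte file cannot carry 0x4fc64b42 records, so the allocation is never attempted. The overflow check sits before the allocation rather than relying on the allocator, because on a 32-bit build count times sizeof(Node) wraps to a small value, the allocation succeeds, and the later writes run off the end of the buffer instead of faulting at NULL.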

ivanchen (ivanchen-cc):
affects: apport (Ubuntu) → p7zip (Ubuntu)
Seth Arnold (seth-arnold) wrote:

Hello 1vanChen, can you please report this issue to the upstream developers? They'll be in the best position to prepare a fix for this issue, which we can then import and release.

Thanks

ivanchen (ivanchen-cc) wrote:

It seems that the developers of p7zip have stopped maintaining it since 2017.
I have reported the problem to Red Hat, and their team has fixed the problem (https://src.fedoraproject.org/rpms/p7zip/c/527ebaad940476d4b3864afb90ad99485f685cfb?branch=rawhide).

Steve Beattie (sbeattie) wrote:

Thanks, given the public commits, I'm making this issue public.

information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security