Null pointer dereference in function Reserve in p7zip when given a crafted RAR file
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
p7zip (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Null pointer dereference in function `Reserve` when given a crafted RAR file
To Reproduce
```shell
$ sudo apt install p7zip-full
$ 7z t poc
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=
Scanning the drive for archives:
1 file, 72360 bytes (71 KiB)
Testing archive: poc
Segmentation fault (core dumped)
```
The `MyAlloc` function fails to handle the excessively large size correctly. When the size is too large, `align_alloc` will return 0:
```shell
[------
RAX: 0x0
RBX: 0x497ac0 --> 0x7ffff745ce00 --> 0x7ffff7336dd8 (:NExt:
RCX: 0x950b9086
RDX: 0x0
RSI: 0x72615207
RDI: 0x2a6157fb10
RBP: 0x2
RSP: 0x7fffffffaff0 --> 0x1
RIP: 0x403b6a (<MyAlloc+14>: call 0x403490 <malloc@plt>)
R8 : 0x100
R9 : 0x72615207
R10: 0x7261520700
R11: 0x6a500007
R12: 0x4fc64b42
R13: 0x497b60 --> 0x10
R14: 0x4a0260 --> 0x7ffff7462508 --> 0x7ffff73d6648 (:QueryInterfac
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[------
0x403b61 <MyAlloc+5>: test rdi,rdi
0x403b64 <MyAlloc+8>: je 0x403b74 <MyAlloc+24>
0x403b66 <MyAlloc+10>: sub rsp,0x8
=> 0x403b6a <MyAlloc+14>: call 0x403490 <malloc@plt>
0x403b6f <MyAlloc+19>: add rsp,0x8
0x403b73 <MyAlloc+23>: ret
0x403b74 <MyAlloc+24>: ret
0x403b75 <SzAlloc>: sub rsp,0x8
Guessed arguments:
arg[0]: 0x2a6157fb10
[------
0000| 0x7fffffffaff0 --> 0x1
0008| 0x7fffffffaff8 --> 0x452aef (<operator new[](unsigned long)+9>: add rsp,0x8)
0016| 0x7fffffffb000 --> 0x4a0260 --> 0x7ffff7462508 --> 0x7ffff73d6648 (:QueryInterfac
0024| 0x7fffffffb008 --> 0x7ffff7335ce7 (:NExt:
0032| 0x7fffffffb010 --> 0x0
0040| 0x7fffffffb018 --> 0x4fc64b42
0048| 0x7fffffffb020 --> 0x5
0056| 0x7fffffffb028 --> 0x4977b0 --> 0xb615b7ad
[------
Legend: code, data, rodata, value
align_alloc (size=0x2a6157fb10) at ../../.
82 return align_alloc(size);
gdb-peda$ ni
gdb-peda$ i r rax
rax 0x0 0x0
```
Stack trace
```shell
[------
RAX: 0x0
RBX: 0x497ac0 --> 0x7ffff745ce00 --> 0x7ffff7336dd8 (:NExt:
RCX: 0x0
RDX: 0x0
RSI: 0x3f000
RDI: 0x0
RBP: 0x2
RSP: 0x7fffffffb010 --> 0x0
RIP: 0x7ffff7335cf2 (:NExt:
R8 : 0xffffffff
R9 : 0x0
R10: 0xfffffffffffff000
R11: 0x4c1000
R12: 0x4fc64b41
R13: 0x497b60 --> 0x10
R14: 0x4a0260 --> 0x7ffff7462508 --> 0x7ffff73d6648 (:QueryInterfac
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[------
0x7ffff7335ce7 <NArchive:
0x7ffff7335cec <NArchive:
0x7ffff7335cf0 <NArchive:
=> 0x7ffff7335cf2 <NArchive:
0x7ffff7335cf8 <NArchive:
0x7ffff7335cff <NArchive:
0x7ffff7335d06 <NArchive:
0x7ffff7335d0d <NArchive:
[------
0000| 0x7fffffffb010 --> 0x0
0008| 0x7fffffffb018 --> 0x4fc64b42
0016| 0x7fffffffb020 --> 0x0
0024| 0x7fffffffb028 --> 0x4977b0 --> 0xb615b7ad
0032| 0x7fffffffb030 --> 0x72615207
0040| 0x7fffffffb038 --> 0x135a7d62
0048| 0x7fffffffb040 --> 0x2e5ee0f8
0056| 0x7fffffffb048 --> 0x9736
[------
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
CRecordVector<
66 T *p = new T[newCapacity];
gdb-peda$ bt
#0 CRecordVector<
#1 NArchive:
#2 0x00007ffff7336cc3 in NArchive:
#3 0x000000000042b7f8 in OpenArchiveSpec (archive=0x497ac0, needPhySize=
openCallbac
#4 0x000000000043040a in CArc::OpenStream2 (this=this@
#5 0x0000000000432313 in CArc::OpenStream (this=this@
#6 0x0000000000433983 in CArchiveLink::Open (this=this@
#7 0x000000000043457c in CArchiveLink::Open2 (this=this@
#8 0x000000000043477e in CArchiveLink::Open3 (this=this@
#9 0x0000000000423ca9 in Extract (codecs=
openCallbac
#10 0x000000000044a181 in Main2 (numArgs=
#11 0x000000000044d2d4 in main (numArgs=
#12 0x00007ffff7a8309b in __libc_start_main (main=0x44d2a1 <main(int, char**)>, argc=0x3, argv=0x7fffffff
stack_
#13 0x000000000040378a in _start ()
```
Environment:
- version: p7zip 16.04
- OS: Ubuntu 20.04 16.04
Credit: 1vanChen of NSFOCUS Security Team
affects: apport (Ubuntu) → p7zip (Ubuntu)
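The failure mode the report describes is an allocation size taken from an archive field that the allocator cannot satisfy (the stack shows `operator new[]` reaching `MyAlloc`, and `align_alloc`/`malloc` returning 0 for 0x2a6157fb10 bytes), after which `Reserve` uses the result as if it were valid. The toy below is an added illustration of the defensive shape of such a routine; it is not code from the report or from p7zip. `MyAllocBounded`, `BoundedRecordVector`, `ReserveFromHeader`, the 256 MiB cap and the sample counts are all constructed for this example; only the byte size 0x2a6157fb10 comes from the report.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Constructed cap for this example: the largest single allocation the toy allocator
// accepts (256 MiB). The request in the report was 0x2a6157fb10 bytes, roughly 181 GiB.
static const size_t kMaxAllocBytes = static_cast<size_t>(256) << 20;

// Hypothetical stand-in for an allocation wrapper, modelled on the behaviour the report
// shows for MyAlloc/align_alloc: an oversized or failed request yields NULL, not an abort.
static void *MyAllocBounded(size_t size) {
    if (size == 0 || size > kMaxAllocBytes) return NULL;
    return std::malloc(size);
}

// Minimal record vector for trivially copyable T (memcpy is used to move items).
template <class T>
struct BoundedRecordVector {
    T *items;
    size_t size;
    size_t capacity;

    BoundedRecordVector() : items(NULL), size(0), capacity(0) {}
    ~BoundedRecordVector() { std::free(items); }

    // Hardened Reserve. Two checks the crashing path lacked:
    //  1. bound newCapacity before multiplying, so newCapacity * sizeof(T) cannot wrap;
    //  2. test the allocator's result and report failure instead of dereferencing NULL.
    bool Reserve(size_t newCapacity) {
        if (newCapacity <= capacity) return true;
        if (newCapacity > kMaxAllocBytes / sizeof(T)) return false;
        T *p = static_cast<T *>(MyAllocBounded(newCapacity * sizeof(T)));
        if (p == NULL) return false;
        if (size != 0) std::memcpy(p, items, size * sizeof(T));
        std::free(items);
        items = p;
        capacity = newCapacity;
        return true;
    }

    // Grows geometrically; a rejected Reserve surfaces as a false return, never a crash.
    bool Add(const T &v) {
        if (size == capacity && !Reserve(capacity == 0 ? 4 : capacity * 2)) return false;
        items[size++] = v;
        return true;
    }

private:
    BoundedRecordVector(const BoundedRecordVector &);             // non-copyable
    BoundedRecordVector &operator=(const BoundedRecordVector &);
};

enum OpenResult { kOk = 0, kUnsupportedSize = 1 };

// Models the archive parser: the item count comes from an untrusted header field, and
// a rejected Reserve becomes a clean "unsupported" result for the caller.
OpenResult ReserveFromHeader(BoundedRecordVector<uint32_t> &v, uint64_t countFromHeader) {
    if (countFromHeader > static_cast<uint64_t>(SIZE_MAX)) return kUnsupportedSize;
    if (!v.Reserve(static_cast<size_t>(countFromHeader))) return kUnsupportedSize;
    return kOk;
}

int main() {
    BoundedRecordVector<uint32_t> v;
    // Constructed counts: a plausible one, and the report's byte size expressed in items.
    const uint64_t sane = 1000;
    const uint64_t hostile = 0x2a6157fb10ULL / sizeof(uint32_t);
    std::printf("sane count    -> %s\n", ReserveFromHeader(v, sane) == kOk ? "ok" : "rejected");
    std::printf("hostile count -> %s\n", ReserveFromHeader(v, hostile) == kOk ? "ok" : "rejected");
    std::printf("vector still usable: capacity=%zu\n", v.capacity);
    return 0;
}
```

The point of the two checks is ordering: the capacity bound runs before the multiplication, so a wrapped byte count can never reach the allocator, and the NULL test runs before any write, so an allocator that returns 0 for a huge request turns into a rejected archive rather than a segmentation fault. Any code that translates an untrusted count into a buffer size needs both, regardless of whether the allocator aborts, throws, or returns NULL.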
Hello 1vanChen, can you please report this issue to the upstream developers? They'll be in the best position to prepare a fix for this issue, which we can then import and release.
Thanks