Submit #304556: blosc c-blosc2 1dd1e55cb329d01c210da77ceb53027853c35b72 heap-buffer-overflowinfo

Title
blosc c-blosc2 1dd1e55cb329d01c210da77ceb53027853c35b72: heap-buffer-overflow (out-of-bounds write) in ndlz8_decompress
Description
## Description
[c-blosc2](https://github.com/Blosc/c-blosc2) has a heap-buffer-overflow (out-of-bounds write) in `ndlz8_decompress`, at /src/c-blosc2/plugins/codecs/ndlz/ndlz8x8.c:468:3, reached through `blosc2_decompress()` when decompressing a crafted chunk whose header selects the NDLZ codec. The ASan report below shows a `memset` of 134217728 bytes (128 MiB) starting inside a 356-byte region allocated by `init_thread_context`, i.e. the write overruns an internal per-thread scratch buffer, not the caller-supplied output buffer. This suggests the decoder trusts a length derived from the compressed input without bounding it by the size of the buffer it writes into (to be confirmed against the source at the reported line).

## Version
```shell
commit 1dd1e55cb329d01c210da77ceb53027853c35b72
```

## Harness
Taken unchanged from https://github.com/Blosc/c-blosc2/blob/main/tests/fuzz/fuzz_decompress_chunk.c. Note that the harness already rejects inputs whose header fails `blosc1_cbuffer_validate()`, so the header-level checks do not prevent this crash:
```c++
#include <stdint.h>
#include <stdlib.h>
#include <blosc2.h>

#ifdef __cplusplus
extern "C" {
#endif

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  size_t nbytes = 0, cbytes = 0, blocksize = 0;
  void *output = NULL;

  if (size < BLOSC_MIN_HEADER_LENGTH) {
    return 0;
  }

  blosc2_init();
  blosc2_set_nthreads(1);

  blosc1_cbuffer_sizes(data, &nbytes, &cbytes, &blocksize);
  if (cbytes != size || nbytes == 0) {
    blosc2_destroy();
    return 0;
  }
  if (blosc1_cbuffer_validate(data, size, &nbytes) != 0) {
    /* Unexpected `nbytes` specified in blosc header */
    blosc2_destroy();
    return 0;
  }

  output = malloc(cbytes);
  if (output != NULL) {
    blosc2_decompress(data, (int32_t)size, output, (int32_t)cbytes);
    free(output);
  }
  blosc2_destroy();

  return 0;
}

#ifdef __cplusplus
}
#endif
```

## Proof of Concept
The PoC input (file `dbb107d7-a7e3-4c4c-a758-8abf63983136`) can be downloaded from Google Drive; this is a third-party link and may not remain available: https://drive.google.com/drive/folders/1T1k3UeS09m65LjVXExUuZfedNQPWQWCo?usp=sharing
```shell
$ ./decompress_chunk_fuzzer dbb107d7-a7e3-4c4c-a758-8abf63983136
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2069136812
INFO: Loaded 1 modules (47965 inline 8-bit counters): 47965 [0xc89df0, 0xc9594d),
INFO: Loaded 1 PC tables (47965 PCs): 47965 [0xc95950,0xd50f20),
./decompress_chunk_fuzzer: Running 1 inputs 1 time(s) each.
Running: dbb107d7-a7e3-4c4c-a758-8abf63983136 ================================================================= ==4100452==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001a4 at pc 0x00000053f3ee bp 0x7fffffffd440 sp 0x7fffffffcc10 WRITE of size 134217728 at 0x6140000001a4 thread T0 #0 0x53f3ed in __asan_memset /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 #1 0xa224b9 in ndlz8_decompress /src/c-blosc2/plugins/codecs/ndlz/ndlz8x8.c:468:3 #2 0x596f49 in blosc_d /src/c-blosc2/blosc/blosc2.c:1870:24 #3 0x5a1189 in serial_blosc /src/c-blosc2/blosc/blosc2.c:1971:16 #4 0x5a1189 in do_job /src/c-blosc2/blosc/blosc2.c:2138:15 #5 0x58f209 in blosc_run_decompression_with_context /src/c-blosc2/blosc/blosc2.c:2920:13 #6 0x58f775 in blosc2_decompress /src/c-blosc2/blosc/blosc2.c:2998:12 #7 0x57d410 in LLVMFuzzerTestOneInput /src/c-blosc2/tests/fuzz/fuzz_decompress_chunk.c:34:5 #8 0x44eb03 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #9 0x429c92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6 #10 0x434d71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9 #11 0x468ea2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #12 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16 #13 0x41fe5d in _start (/home/zhangwei28/80result/c-blosc2/decompress_chunk_fuzzer+0x41fe5d) 0x6140000001a4 is located 0 bytes to the right of 356-byte region [0x614000000040,0x6140000001a4) allocated by thread T0 here: #0 0x5408c7 in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x5993e3 in my_malloc /src/c-blosc2/blosc/blosc2.c:188:9 #2 0x5993e3 in init_thread_context 
/src/c-blosc2/blosc/blosc2.c:2028:25 #3 0x59911d in create_thread_context /src/c-blosc2/blosc/blosc2.c:2065:12 #4 0x5a0a9b in do_job /src/c-blosc2/blosc/blosc2.c:2131:33 #5 0x58f209 in blosc_run_decompression_with_context /src/c-blosc2/blosc/blosc2.c:2920:13 #6 0x58f775 in blosc2_decompress /src/c-blosc2/blosc/blosc2.c:2998:12 #7 0x57d410 in LLVMFuzzerTestOneInput /src/c-blosc2/tests/fuzz/fuzz_decompress_chunk.c:34:5 #8 0x44eb03 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #9 0x429c92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6 #10 0x434d71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9 #11 0x468ea2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #12 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16 SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 in __asan_memset Shadow bytes around the buggy address: 0x0c287fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c287fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c287fff8030: 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 
application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==4100452==ABORTING ```
Source⚠️ https://drive.google.com/drive/folders/1T1k3UeS09m65LjVXExUuZfedNQPWQWCo?usp=sharing
Submission03/26/2024 08:50 AM (2 months ago)
Moderation04/02/2024 06:34 PM (7 days later)
StatusAccepted
VulDB Entry259050
