Title | blosc c-blosc2 commit 1dd1e55cb329d01c210da77ceb53027853c35b72 heap-buffer-overflow |
---|
Description | ## Description
[c-blosc2](https://github.com/Blosc/c-blosc2) has a heap-buffer-overflow in ndlz4_decompress at /src/c-blosc2/plugins/codecs/ndlz/ndlz4x4.c:551:3
## version
```shell
commit 1dd1e55cb329d01c210da77ceb53027853c35b72
```
## harness
From https://github.com/Blosc/c-blosc2/blob/main/tests/fuzz/fuzz_decompress_chunk.c
```c
#include <stdint.h>
#include <stdlib.h>
#include <blosc2.h>

#ifdef __cplusplus
extern "C" {
#endif

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  size_t nbytes = 0, cbytes = 0, blocksize = 0;
  void *output = NULL;

  /* Too short to hold a Blosc header: nothing to decompress. */
  if (size < BLOSC_MIN_HEADER_LENGTH) {
    return 0;
  }

  blosc2_init();
  blosc2_set_nthreads(1);

  /* Read the sizes recorded in the header and require them to match the input. */
  blosc1_cbuffer_sizes(data, &nbytes, &cbytes, &blocksize);
  if (cbytes != size || nbytes == 0) {
    blosc2_destroy();
    return 0;
  }

  if (blosc1_cbuffer_validate(data, size, &nbytes) != 0) {
    /* Unexpected `nbytes` specified in blosc header */
    blosc2_destroy();
    return 0;
  }

  output = malloc(cbytes);
  if (output != NULL) {
    blosc2_decompress(data, (int32_t)size, output, (int32_t)cbytes);
    free(output);
  }

  blosc2_destroy();
  return 0;
}

#ifdef __cplusplus
}
#endif
```
## Proof of Concept
The PoC file can be obtained from Google Drive: https://drive.google.com/drive/folders/1T1k3UeS09m65LjVXExUuZfedNQPWQWCo?usp=sharing
```shell
$ ./decompress_chunk_fuzzer e3c00ccb-ca56-4034-b938-b6517aa30489
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2328468384
INFO: Loaded 1 modules (47965 inline 8-bit counters): 47965 [0xc89df0, 0xc9594d),
INFO: Loaded 1 PC tables (47965 PCs): 47965 [0xc95950,0xd50f20),
./decompress_chunk_fuzzer: Running 1 inputs 1 time(s) each.
Running: e3c00ccb-ca56-4034-b938-b6517aa30489
=================================================================
==4116429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000039b4 at pc 0x00000053f3ee bp 0x7fffffffd390 sp 0x7fffffffcb60
WRITE of size 57344 at 0x6210000039b4 thread T0
#0 0x53f3ed in __asan_memset /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
#1 0xa177bb in ndlz4_decompress /src/c-blosc2/plugins/codecs/ndlz/ndlz4x4.c:551:3
#2 0x596f49 in blosc_d /src/c-blosc2/blosc/blosc2.c:1870:24
#3 0x5a1189 in serial_blosc /src/c-blosc2/blosc/blosc2.c:1971:16
#4 0x5a1189 in do_job /src/c-blosc2/blosc/blosc2.c:2138:15
#5 0x58f209 in blosc_run_decompression_with_context /src/c-blosc2/blosc/blosc2.c:2920:13
#6 0x58f775 in blosc2_decompress /src/c-blosc2/blosc/blosc2.c:2998:12
#7 0x57d410 in LLVMFuzzerTestOneInput /src/c-blosc2/tests/fuzz/fuzz_decompress_chunk.c:34:5
#8 0x44eb03 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#9 0x429c92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#10 0x434d71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#11 0x468ea2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#12 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#13 0x41fe5d in _start (/home/zhangwei28/80result/c-blosc2/decompress_chunk_fuzzer+0x41fe5d)
0x6210000039b4 is located 0 bytes to the right of 4276-byte region [0x621000002900,0x6210000039b4)
allocated by thread T0 here:
#0 0x5408c7 in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x5993e3 in my_malloc /src/c-blosc2/blosc/blosc2.c:188:9
#2 0x5993e3 in init_thread_context /src/c-blosc2/blosc/blosc2.c:2028:25
#3 0x59911d in create_thread_context /src/c-blosc2/blosc/blosc2.c:2065:12
#4 0x5a0a9b in do_job /src/c-blosc2/blosc/blosc2.c:2131:33
#5 0x58f209 in blosc_run_decompression_with_context /src/c-blosc2/blosc/blosc2.c:2920:13
#6 0x58f775 in blosc2_decompress /src/c-blosc2/blosc/blosc2.c:2998:12
#7 0x57d410 in LLVMFuzzerTestOneInput /src/c-blosc2/tests/fuzz/fuzz_decompress_chunk.c:34:5
#8 0x44eb03 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#9 0x429c92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#10 0x434d71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#11 0x468ea2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#12 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 in __asan_memset
Shadow bytes around the buggy address:
0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8730: 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa
0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4116429==ABORTING
```
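The sanitizer report above can be triaged mechanically. The following is an added example, not part of this report or of c-blosc2: it parses a constructed excerpt of the ASan output shown above (same values, most frames omitted) and extracts the access kind and size, the victim region, how many bytes land past its end, and the first in-project frame of both the faulting access and the allocation. `triage_asan`, `first_project_frame` and the `/src/c-blosc2/` project root are assumed names.

```python
import re

# Constructed excerpt of the AddressSanitizer report shown above; the values
# (sizes, addresses, frames) are copied from that report, the rest is omitted.
ASAN_REPORT = """\
==4116429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000039b4 at pc 0x00000053f3ee bp 0x7fffffffd390 sp 0x7fffffffcb60
WRITE of size 57344 at 0x6210000039b4 thread T0
    #0 0x53f3ed in __asan_memset /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
    #1 0xa177bb in ndlz4_decompress /src/c-blosc2/plugins/codecs/ndlz/ndlz4x4.c:551:3
    #2 0x596f49 in blosc_d /src/c-blosc2/blosc/blosc2.c:1870:24
0x6210000039b4 is located 0 bytes to the right of 4276-byte region [0x621000002900,0x6210000039b4)
allocated by thread T0 here:
    #0 0x5408c7 in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x5993e3 in my_malloc /src/c-blosc2/blosc/blosc2.c:188:9
    #2 0x5993e3 in init_thread_context /src/c-blosc2/blosc/blosc2.c:2028:25
"""

# One symbolized frame: "#N 0xADDR in func path:line[:col]" (C++ signatures
# containing spaces are not handled; none are needed for this report).
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)

def first_project_frame(stack, project_root):
    """First frame whose source file lives under project_root, as (func, file, line)."""
    for func, path, line in FRAME_RE.findall(stack):
        if path.startswith(project_root):
            return (func, path, int(line))
    return None

def triage_asan(report, project_root="/src/c-blosc2/"):
    """Bug class, access kind/size, victim region, bytes written past its end,
    and the first in-project frame of the faulting access and of the allocation."""
    bug = re.search(r"AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)", report)
    access = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    region = re.search(r"located (\d+) bytes to the (left|right) of (\d+)-byte region", report)
    if not (bug and access and region):
        raise ValueError("not a recognised ASan heap-buffer report")
    access_stack, _, alloc_stack = report.partition("allocated by")
    offset, side, region_size = int(region.group(1)), region.group(2), int(region.group(3))
    size = int(access.group(2))
    # On the right side the access starts `offset` bytes after the region end,
    # so the gap plus every one of its `size` bytes is out of bounds.
    past_end = offset + size if side == "right" else None
    return {
        "bug": bug.group(1), "address": bug.group(2),
        "access": access.group(1), "size": size,
        "region_size": region_size, "side": side, "bytes_past_end": past_end,
        "fault_in": first_project_frame(access_stack, project_root),
        "allocated_in": first_project_frame(alloc_stack, project_root),
    }
```

For this report the result shows a 57344-byte memset landing entirely outside a 4276-byte thread-context buffer, which is the fact to check first when reviewing the fix at ndlz4x4.c:551.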
|
---|
Source | ⚠️ https://drive.google.com/drive/folders/1T1k3UeS09m65LjVXExUuZfedNQPWQWCo?usp=sharing |
---|
User | Anonymous User |
---|
Submission | 03/26/2024 08:52 AM (1 Year ago) |
---|
Moderation | 04/02/2024 06:35 PM (7 days later) |
---|
Status | Accepted |
---|
VulDB Entry | 259051 [c-blosc2 up to 2.13.2 ndlz4x4.c ndlz4_decompress heap-based overflow] |
---|
Points | 20 |
---|