| Title | LRZIP version 0.6.5+ (commit 1242aec) compiled on Feb 7 2025 and the newest master version: Null Pointer Dereference |
|---|
| Description | # LRZIP Null Pointer Dereference in Command Line Parsing
## Summary
During fuzzing of the lrzip compression tool, a null pointer dereference was found in the command line argument parsing code. When an option value is missing or malformed, `main()` hands a null pointer to `strtol` for string-to-integer conversion and the process crashes with SIGSEGV. The bug sits in the main argument parsing routine and is triggered by the argument list alone. Because exploitation requires control of lrzip's command line, the practical impact is a local crash (denial of service); no privilege boundary is crossed.
## Technical Details
- **Vulnerability Type**: Null Pointer Dereference
- **Affected Component**: LRZIP - Command Line Parser (`main()` in main.c)
- **Crashing Function**: `__GI_____strtol_l_internal` (glibc, reached through `strtol`)
- **Source File**: `stdlib/strtol_l.c` (glibc)
- **Line Number**: 291
- **Signal**: SIGSEGV (11)
- **Memory Access**: READ from the null address (0x000000000000)
- **Crash Location in lrzip**: main.c:440 (`strtol` call in `main()`)
## Mechanism and Root Cause
The null pointer dereference is caused by a missing check on an option value in lrzip's `main()` before that value is converted with `strtol`: the string argument handed to `strtol` is NULL, and glibc's `strtol` does not guard against that.
The crash proceeds through the following sequence:
1. **Argument Processing**: lrzip parses its command line options in main.c
2. **Parameter Parsing**: At main.c:440 the code converts an option value to an integer with `strtol`
3. **Null Pointer Pass**: The pointer passed to `strtol` as the string argument is NULL
4. **Library Function Call**: `strtol` calls `__GI_____strtol_l_internal` at strtol_l.c:291
5. **Null Dereference**: That function reads from address 0x000000000000 and the process receives SIGSEGV
The call chain shows the path:
```
main() → strtol() → __GI_____strtol_l_internal() → null dereference
```
This points to inadequate validation of option values before they reach string conversion functions: the value must be checked for NULL (and, ideally, the conversion validated through `strtol`'s end pointer and `errno`) before `strtol` is called.
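The following is an added example, not lrzip's code. It shows one way a NULL pointer reaches `strtol` in a `getopt_long`-based parser and the hardened form of the same step. The "level" option being declared `optional_argument` is an assumption (the report does not say which lrzip option is involved); the valid range 1..9 and the function names `parse_level`/`parse_args` are likewise invented for the illustration.

```c
/* Added example (not lrzip's code): how a NULL optarg reaches strtol,
 * and the hardened version of the same parsing step. */
#include <errno.h>
#include <getopt.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The vulnerable pattern: a bare strtol on an option value that may be NULL.
 * Calling this with arg == NULL reproduces the crash shape in the report
 * (SEGV on the zero page inside glibc's strtol), so it is never called
 * with NULL here. */
long level_unchecked(const char *arg)
{
    return strtol(arg, NULL, 10);
}

/* Hardened conversion: reject NULL, require the whole string to be a number,
 * reject out-of-range values, and enforce the (assumed) valid range 1..9. */
int parse_level(const char *arg, long *out)
{
    char *end = NULL;
    long v;

    if (arg == NULL)        /* optional_argument with no value attached */
        return -1;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0')
        return -1;
    if (v < 1 || v > 9)
        return -1;
    *out = v;
    return 0;
}

/* Minimal option loop modelled on a getopt_long parser. "level" is declared
 * optional_argument (an assumption), which is one way getopt_long hands back
 * optarg == NULL: "--level" alone, or "--level -2" where "-2" is not attached
 * with '=' and is therefore treated as the next option rather than a value.
 * Returns 0 on success, -1 on a parse error. */
int parse_args(int argc, char **argv, long *level)
{
    static const struct option longopts[] = {
        {"level", optional_argument, NULL, 'L'},
        {NULL, 0, NULL, 0}
    };
    int c;

    /* Reset getopt state so the function can be called more than once. */
#ifdef __GLIBC__
    optind = 0;                 /* glibc: 0 forces a full reinitialisation */
#else
    optind = 1;
    optreset = 1;               /* BSD libc / musl */
#endif
    opterr = 0;                 /* no diagnostics on stderr for unknown options */

    while ((c = getopt_long(argc, argv, "L::", longopts, NULL)) != -1) {
        switch (c) {
        case 'L':
            /* optarg may be NULL here; parse_level() refuses it instead of
             * passing it to strtol. */
            if (parse_level(optarg, level) != 0)
                return -1;
            break;
        default:                /* '?' for "-2" and any other unknown option */
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    long lv = 0;
    char *ok[]  = {"lrzip", "--level=5", NULL};   /* constructed argv */
    char *bad[] = {"lrzip", "--level", "-2", NULL};

    printf("--level=5  -> rc=%d level=%ld\n", parse_args(2, ok, &lv), lv);
    printf("--level -2 -> rc=%d (rejected before strtol)\n", parse_args(3, bad, &lv));
    return 0;
}
```

The `level_unchecked` function is the shape of the crashing call: with `optarg` NULL it faults inside glibc exactly as the AddressSanitizer report shows. `parse_level` is the check a reviewer would ask for at main.c:440.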
## AddressSanitizer Report
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3761838==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd71491c580 bp 0x7ffd2cc70be0 sp 0x7ffd2cc70a00 T0)
==3761838==The signal is caused by a READ memory access.
==3761838==Hint: address points to the zero page.
#0 0x7fd71491c580 in __GI_____strtol_l_internal stdlib/../stdlib/strtol_l.c:291:10
#1 0x55c2d81e0f13 in __interceptor_strtol (/workspace/fuzzdir/fz-lrzip/fz-lrzip/lrzip+0xb4f13) (BuildId: da07035d772ddd7bf34652e6d65e88ec1c55b711)
#2 0x55c2d82341e3 in main /workspace/program/Supplementary-Compilation/lrzip-1242aec-Feb7/main.c:440:33
#3 0x7fd7148fed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#4 0x7fd7148fee3f in __libc_start_main csu/../csu/libc-start.c:392:3
#5 0x55c2d815c6d4 in _start (/workspace/fuzzdir/fz-lrzip/fz-lrzip/lrzip+0x306d4) (BuildId: da07035d772ddd7bf34652e6d65e88ec1c55b711)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV stdlib/../stdlib/strtol_l.c:291:10 in __GI_____strtol_l_internal
==3761838==ABORTING
```
## Proof of Concept
The crash can be reproduced with the input file provided as [`POC_lrzip_null_dereference`](https://drive.google.com/file/d/1EFbiiM1d7Ozb0ucZt6zRO3ngU8ugUnCn/view?usp=sharing) together with the command line below. Note that the fault occurs while the options are still being parsed (main.c:440 in the stack trace above), so the trigger is the argument list rather than the contents of the input file.
## Reproduction Steps
1. Compile lrzip with AddressSanitizer enabled
2. Execute: `lrzip --level -2 -i POC_lrzip_null_dereference`
3. The program crashes with SIGSEGV in `strtol` during command line parsing, matching the AddressSanitizer report above
## Affected Versions
LRZIP version 0.6.5+ (commit 1242aec) compiled on Feb 7 2025 and the newest master version.
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://github.com/ckolivas/lrzip/issues/264 |
|---|
| User | xdcao (UID 88377) |
|---|
| Submission | 12.08.2025 09:30 (9 months ago) |
|---|
| Moderation | 24.08.2025 16:30 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 321232 [ckolivas lrzip up to 0.651 strtol_l.c __GI_____strtol_l_internal Denial of Service] |
|---|
| Points | 20 |
|---|