| Title | ckolivas lrzip 0.651 NULL Pointer Dereference |
|---|
| Description | I found a concurrency NPD in the ucompthread function. This vulnerability also exists in the latest version of the master branch 1242aec. Details can be found here: https://github.com/ckolivas/lrzip/issues/263 . The root cause of this vulnerability is that sinfo->ucthreads can be concurrently set to NULL while it is being accessed.
Compile Command:
./autogen.sh
CC="gcc -fsanitize=address -fno-omit-frame-pointer -g -O0" CXX="g++ -fsanitize=address -fno-omit-frame-pointer -g -O0" ./configure --enable-static-bin --disable-shared
make -j4
PoC file:
A crafted PoC is available here, please unzip first.
Run Command:
./lrzip -t -p2 ./PoC_NPD
AddressSanitizer:DEADLYSIGNAL
=================================================================
==17356==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x556a62c35ae9 bp 0x7fa73678add0 sp 0x7fa73678ac40 T3)
==17356==The signal is caused by a READ memory access.
==17356==Hint: address points to the zero page.
#0 0x556a62c35ae9 in ucompthread /home/ziiiro/work/eval/vul_repro/lrzip/stream.c:1551
#1 0x7fa739baeac2 in start_thread nptl/pthread_create.c:442
#2 0x7fa739c4084f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ziiiro/work/eval/vul_repro/lrzip/stream.c:1551 in ucompthread
Thread T3 created by T0 here:
#0 0x7fa73a140685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x556a62c3e8a6 in create_pthread /home/ziiiro/work/eval/vul_repro/lrzip/stream.c:125
#2 0x556a62c3e8a6 in fill_buffer /home/ziiiro/work/eval/vul_repro/lrzip/stream.c:1725
#3 0x556a62c3e8a6 in read_stream /home/ziiiro/work/eval/vul_repro/lrzip/stream.c:1811
#4 0x556a62c31361 in unzip_literal /home/ziiiro/work/eval/vul_repro/lrzip/runzip.c:162
#5 0x556a62c31361 in runzip_chunk /home/ziiiro/work/eval/vul_repro/lrzip/runzip.c:325
#6 0x556a62c31361 in runzip_fd /home/ziiiro/work/eval/vul_repro/lrzip/runzip.c:387
#7 0x556a62c1ffe3 in decompress_file /home/ziiiro/work/eval/vul_repro/lrzip/lrzip.c:952
#8 0x556a62c16284 in main /home/ziiiro/work/eval/vul_repro/lrzip/main.c:720
#9 0x7fa739b43d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 |
|---|
| Source | ⚠️ https://github.com/user-attachments/files/21726331/PoC_NPD.zip |
|---|
| User | ziiiro (UID 93755) |
|---|
| Submission | 05/02/2026 04:41 (3 months ago) |
|---|
| Moderation | 08/02/2026 09:19 (3 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 344931 [ckolivas lrzip up to 0.651 stream.c ucompthread Denial of Service] |
|---|
| Points | 20 |
|---|