
Issue metadata

Status: Verified
Owner: ----
Closed: Sep 2017
Cc:
Type: Bug-Security




Issue 573: libarchive: Heap-buffer-overflow in read_header

Reported by ClusterFuzz-External, Feb 8 2017 Project Member

Issue description

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=6650271522357248

Project: libarchive
Fuzzer: libFuzzer_libarchive_fuzzer
Fuzz target binary: libarchive_fuzzer
Job Type: libfuzzer_asan_libarchive
Platform Id: linux

Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x6140000009f8
Crash State:
  read_header
  archive_read_format_rar_read_header
  _archive_read_next_header2
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz-external.appspot.com/revisions?job=libfuzzer_asan_libarchive&range=201605242342:201605251739

Reproducer Testcase: https://clusterfuzz-external.appspot.com/download/AMIfv97rwOiKmLzylueTT6ylG6QJLF2rjKWr3ngbOXaajcTodGLnleZckrccCdO3D4PFfEnwJNpFqjlRK4vpQ-X1TLCH2bbNjip2SKBOOL5nVWxWO6q6i-1d1J4ZYvM_fgDitnw5_ku5Jnpl_iUFysNmZMp7LjTiJXagt1vPaw_k7QWGahpfJMKThxIhd3djP__j56mOC0dM0qlPxwEdIZ0nX8PUv6wVtG5rhw41P0_hddoRlxK1LBreSpl4OEafco-1IqrC8p5JR57pEF9PaPTyteM5Irb95WEZF3HGil366-_8WpLRA5fzAlVMV_RzFohHZt3J5FjNSaHqY5bYoyDStgS5CMmFQVSf4nO1ej9KBhqipXmUhHOxnBSjrBlM56HUngmDIi23w-tAQSVrBSl3d6VqNMy26g5n3XC6qmBB89Gu4Br2LaE?testcase_id=6650271522357248


Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.
 

Comment 1 by ochang@google.com, Feb 24 2017

Project Member
Labels: Engine-libfuzzer

Comment 2 by kcc@google.com, Mar 9 2017

Project Member
Cc: palmer@google.com

Comment 3 by ClusterFuzz-External, Mar 16 2017

Project Member
Labels: OS-Linux

Comment 4 by sheriffbot@chromium.org, May 2 2017

Project Member
Labels: Deadline-Approaching
This bug is approaching its deadline for being fixed, and will be automatically derestricted within 7 days. If a fix is planned within 2 weeks after the deadline has passed, a grace extension can be granted.

- Your friendly Sheriffbot

Comment 5 by sheriffbot@chromium.org, May 9 2017

Project Member
Labels: -restrict-view-commit -deadline-approaching Deadline-Exceeded
This bug has exceeded our disclosure deadline. It has been opened to the public.

- Your friendly Sheriffbot

Comment 6 by ClusterFuzz-External, Jul 25 2017

Project Member
Status: WontFix (was: New)
ClusterFuzz testcase 6650271522357248 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 7 by ochang@google.com, Jul 25 2017

Project Member
Status: New (was: WontFix)
Re-opening these bugs as this was likely a mistake on ClusterFuzz's part. Sorry for the noise!

Comment 8 by ClusterFuzz-External, Sep 5 2017

Project Member
Labels: ReleaseBlock-Stable ClusterFuzz-Top-Crash
Testcase 6650271522357248 is a top crash on ClusterFuzz for linux platform. Marking this crash as a stable release blocker. If this is incorrect, remove the ReleaseBlock label.

Comment 9 by aarya@google.com, Sep 5 2017

Project Member
Labels: -ReleaseBlock-Stable
The ReleaseBlock label doesn't apply to OSS-Fuzz, only to the Chromium issue tracker.

However, this is a top crash for your project, so please prioritize fixing this.

Comment 10 by ClusterFuzz-External, Sep 10 2017

Project Member
ClusterFuzz has detected this issue as fixed in range 201709090451:201709100450.

Detailed report: https://oss-fuzz.com/testcase?key=6650271522357248

Project: libarchive
Fuzzer: libFuzzer_libarchive_fuzzer
Fuzz target binary: libarchive_fuzzer
Job Type: libfuzzer_asan_libarchive
Platform Id: linux

Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x6140000009f8
Crash State:
  read_header
  archive_read_format_rar_read_header
  _archive_read_next_header2
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_libarchive&range=201605242342:201605251739
Fixed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_libarchive&range=201709090451:201709100450

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=6650271522357248

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by ClusterFuzz-External, Sep 10 2017

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: New)
ClusterFuzz testcase 6650271522357248 is verified as fixed, so closing issue as verified.

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new
