public inbox for bzip2-devel@sourceware.org
From: Mark Wielaard <mark@klomp.org>
To: bzip2-devel@sourceware.org
Cc: Julian Seward <jseward@acm.org>
Subject: Re: bzip2 1.0.7 released
Date: Tue, 01 Jan 2019 00:00:00 -0000
Message-ID: <20190627205837.GD9273@wildebeest.org>
In-Reply-To: <b8aab785a67113e4f50c54a6cb59129c11f805b6.camel@klomp.org>

Hi,

On Thu, Jun 27, 2019 at 08:54:08PM +0200, Mark Wielaard wrote:
> * Make sure nSelectors is not out of range (CVE-2019-12900)

Well, that was quick... There is already a regression report about
this fix. See https://bugs.launchpad.net/ubuntu/+source/bzip2/+bug/1834494

The fix itself is certainly correct:

diff --git a/decompress.c b/decompress.c
index ab6a624..f3db91d 100644
--- a/decompress.c
+++ b/decompress.c
@@ -280,21 +280,21 @@ Int32 BZ2_decompress ( DState* s )
                if (uc == 1) s->inUse[i * 16 + j] = True;
             }
       makeMaps_d ( s );
       if (s->nInUse == 0) RETURN(BZ_DATA_ERROR);
       alphaSize = s->nInUse+2;
 
       /*--- Now the selectors ---*/
       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
       for (i = 0; i < nSelectors; i++) {
          j = 0;
          while (True) {
             GET_BIT(BZ_X_SELECTOR_3, uc);
             if (uc == 0) break;
             j++;
             if (j >= nGroups) RETURN(BZ_DATA_ERROR);
          }
          s->selectorMtf[i] = j;
       }
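Review bot: the new upper bound in `if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);` sits in the right place, since the loop directly below writes `s->selectorMtf[i]` for every `i < nSelectors`, but a short comment tying the bound to the size of `selectorMtf` would tell a later reader why BZ_MAX_SELECTORS, and not some other constant, is the limit. Note also that the check rejects rather than clamps: a stream whose 15-bit nSelectors field exceeds the constant now fails with BZ_DATA_ERROR where it was previously accepted with an out-of-bounds write, which is exactly the behaviour change behind the regression report cited above.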

Because if nSelectors were > BZ_MAX_SELECTORS it would write over
memory after the selectorMtf array.

The problem with the file in the report is that it does contain some
nSelectors that are slightly larger than BZ_MAX_SELECTORS.

The test file can be found here:
https://developer.nvidia.com/embedded/dlc/l4t-jetson-xavier-driver-package-31-1-0

The fix is simple:

diff --git a/bzlib_private.h b/bzlib_private.h
index 7975552..ef870d9 100644
--- a/bzlib_private.h
+++ b/bzlib_private.h
@@ -122,7 +122,7 @@ extern void bz_internal_error ( int errcode );
 #define BZ_G_SIZE   50
 #define BZ_N_ITERS  4
 
-#define BZ_MAX_SELECTORS (2 + (900000 / BZ_G_SIZE))
+#define BZ_MAX_SELECTORS (7 + (900000 / BZ_G_SIZE))
 
 
 
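Review bot: the change from `(2 + (900000 / BZ_G_SIZE))` to `(7 + (900000 / BZ_G_SIZE))` carries no comment saying where the extra 5 comes from, and the mail itself states that the reason is not yet understood; before this goes in, the #define should record the derivation (or at least point at the observed stream), and if the true maximum cannot be derived the fix should not be a bare constant bump. Also keep in mind that raising BZ_MAX_SELECTORS changes the size of the selectorMtf array the first hunk guards, and of anything else sized by the macro, so it is not only a limit change.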
But of course I cannot tell why increasing the max by 5 is correct.
It might well be that the file is invalid. Before the fix bunzip2
would overwrite some memory after the selectorMtf array. So it might
be that the file decompressed by accident in the past.

I'll look a bit deeper, but if people have a clue what exactly is
going on that would be appreciated.

Cheers,

Mark
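As an added illustration of the bounds check discussed in this thread (this is example code, not code from bzip2 or from the mail's author): a minimal, self-contained C parser for the selector section, with BZ_G_SIZE and the pre-patch BZ_MAX_SELECTORS copied from the hunk above, a constructed MSB-first bit reader and writer, and hypothetical status codes SEL_OK / SEL_DATA_ERROR / SEL_TRUNCATED standing in for bzip2's own return values. It rejects a stream whose 15-bit nSelectors field exceeds the array bound before any selectorMtf[i] write happens, and the second constructed case shows that the bound is inclusive: exactly BZ_MAX_SELECTORS is accepted and the parser then simply runs out of input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copied from the bzlib_private.h context in the hunk above (pre-patch value). */
#define BZ_G_SIZE        50
#define BZ_MAX_SELECTORS (2 + (900000 / BZ_G_SIZE))   /* 18002 */

/* Hypothetical status codes standing in for bzip2's own return values. */
enum { SEL_OK = 0, SEL_DATA_ERROR = -4, SEL_TRUNCATED = -5 };

/* Minimal MSB-first bit reader (constructed for this example). */
typedef struct { const uint8_t *buf; size_t len; size_t bitpos; } BitReader;

static int get_bits(BitReader *r, int n, uint32_t *out) {
    uint32_t v = 0;
    for (int k = 0; k < n; k++) {
        if (r->bitpos >= r->len * 8) return -1;       /* input exhausted */
        int bit = (r->buf[r->bitpos / 8] >> (7 - (r->bitpos % 8))) & 1;
        v = (v << 1) | (uint32_t)bit;
        r->bitpos++;
    }
    *out = v;
    return 0;
}

/* Parse the selector section the way BZ2_decompress does, with the
   CVE-2019-12900 upper bound in place. selectorMtf must hold
   BZ_MAX_SELECTORS entries; the bound is what keeps every write to
   selectorMtf[i] inside that array. */
int read_selectors(const uint8_t *data, size_t len,
                   uint8_t selectorMtf[BZ_MAX_SELECTORS], uint32_t *nSelectorsOut) {
    BitReader r = { data, len, 0 };
    uint32_t nGroups, nSelectors;

    if (get_bits(&r, 3, &nGroups)) return SEL_TRUNCATED;
    if (nGroups < 2 || nGroups > 6) return SEL_DATA_ERROR;
    if (get_bits(&r, 15, &nSelectors)) return SEL_TRUNCATED;
    /* The fix: reject before the loop below indexes selectorMtf. */
    if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) return SEL_DATA_ERROR;

    for (uint32_t i = 0; i < nSelectors; i++) {
        uint32_t j = 0, uc;
        for (;;) {                       /* unary code: j ones, then a zero */
            if (get_bits(&r, 1, &uc)) return SEL_TRUNCATED;
            if (uc == 0) break;
            j++;
            if (j >= nGroups) return SEL_DATA_ERROR;
        }
        selectorMtf[i] = (uint8_t)j;
    }
    *nSelectorsOut = nSelectors;
    return SEL_OK;
}

/* MSB-first bit writer, used only to construct test streams. */
static void put_bits(uint8_t *buf, size_t *bitpos, int n, uint32_t v) {
    for (int k = n - 1; k >= 0; k--) {
        size_t p = (*bitpos)++;
        if ((v >> k) & 1) buf[p / 8] |= (uint8_t)(0x80 >> (p % 8));
    }
}

/* Build a selector section into a zeroed buffer: 3-bit nGroups, 15-bit
   nSelectors (written as given, so it may disagree with the bodies that
   follow), then nSel unary-coded selectors. Returns the byte length. */
size_t encode_selectors(uint8_t *buf, uint32_t nGroups, uint32_t nSelectors,
                        const uint8_t *sel, size_t nSel) {
    size_t bitpos = 0;
    put_bits(buf, &bitpos, 3, nGroups);
    put_bits(buf, &bitpos, 15, nSelectors);
    for (size_t i = 0; i < nSel; i++) {
        for (uint8_t j = 0; j < sel[i]; j++) put_bits(buf, &bitpos, 1, 1);
        put_bits(buf, &bitpos, 1, 0);
    }
    return (bitpos + 7) / 8;
}

int main(void) {
    static uint8_t selectorMtf[BZ_MAX_SELECTORS];
    uint8_t buf[8];
    uint32_t n = 0;
    int status;

    /* Constructed well-formed stream: 3 groups, 2 selectors with MTF values 1 and 0. */
    const uint8_t sel[2] = { 1, 0 };
    memset(buf, 0, sizeof buf);
    size_t len = encode_selectors(buf, 3, 2, sel, 2);
    status = read_selectors(buf, len, selectorMtf, &n);
    printf("valid stream: status %d, nSelectors %u\n", status, n);

    /* Constructed header claiming BZ_MAX_SELECTORS + 1 selectors: rejected up front. */
    memset(buf, 0, sizeof buf);
    len = encode_selectors(buf, 3, BZ_MAX_SELECTORS + 1, NULL, 0);
    status = read_selectors(buf, len, selectorMtf, &n);
    printf("oversized header: status %d\n", status);
    return 0;
}
```

The encoder deliberately takes nSelectors independently of the number of selector bodies it writes, so a header can claim more entries than the stream carries; that is what lets the test show the check firing on the header alone, before a single byte of selector data is consumed.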
