View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000605 | file | General | public | 2025-01-04 09:26 | 2025-02-10 07:30 |
| Reporter | YancyLii | Assigned To | christos | ||
| Priority | high | Severity | major | Reproducibility | always |
| Status | assigned | Resolution | open | ||
| Product Version | 5.45 | ||||
| Summary | 0000605: Uncontrolled Memory Allocation in | ||||
| Description | A potential out-of-memory crash occurs in the libmagic project when processing malformed input through the function uncompressxzlib. The issue is triggered by the absence of proper input validation or resource limits, causing the liblzma library to attempt a massive memory allocation (malloc(2147483648) = 2GB) and crash. | ||||
| Steps To Reproduce | 1. Download the tar.gz file and decompress it, then (sudo) execute shell script 2. ./Test_libmagic_1 oom-fed84141c516fcdbb9961ba3a30fa85e41e569a1 3. Observe the error message | ||||
| Tags | libmagic | ||||
|
|
|
|
|
Can't reproduce: [1:57pm] 345>limit memoryuse 500m [1:57pm] 346>./Test_libmagic_1 oom-fed84141c516fcdbb9961ba3a30fa85e41e569a1 INFO: Seed: 12437783 INFO: Loaded 1 modules (8 inline 8-bit counters): 8 [0x5c3215, 0x5c321d), INFO: Loaded 1 PC tables (8 PCs): 8 [0x597a80,0x597b00), ./Test_libmagic_1: Running 1 inputs 1 time(s) each. Running: oom-fed84141c516fcdbb9961ba3a30fa85e41e569a1 Executed oom-fed84141c516fcdbb9961ba3a30fa85e41e569a1 in 12 ms *** *** NOTE: fuzzing was not performed, you have only *** executed the target code on a fixed set of inputs. *** |
|
|
I execute the code above in the following environment: + platform: wsl ubuntu 24.04 + code: git rev-parse HEAD --> 2305f6bd88ff3f6f40df1c30707420101e2d7639 The error message is: INFO: Running with entropic power schedule (0xFF, 100). INFO: Seed: 3612354078 INFO: Loaded 1 modules (10 inline 8-bit counters): 10 [0x555dc7f82175, 0x555dc7f8217f), INFO: Loaded 1 PC tables (10 PCs): 10 [0x555dc7f82180,0x555dc7f82220), ./Test_libmagic_1: Running 1 inputs 1 time(s) each. Running: oom-fed84141c516fcdbb9961ba3a30fa85e41e569a1 ==49564== ERROR: libFuzzer: out-of-memory (malloc(2147483648)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x555dc7ee0495 in __sanitizer_print_stack_trace (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x111495) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000001 0x555dc7e3696c in fuzzer::PrintStackTrace() (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x6796c) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000002 0x555dc7e1b839 in fuzzer::Fuzzer::HandleMalloc(unsigned long) (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x4c839) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000003 0x555dc7e1b73f in fuzzer::MallocHook(void const volatile*, unsigned long) (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x4c73f) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000004 0x555dc7ee7c76 in __sanitizer::RunMallocHooks(void*, unsigned long) (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x118c76) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000005 0x555dc7e39f37 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x6af37) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000006 0x555dc7e39887 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x6a887) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000007 0x555dc7ed57f2 in malloc (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x1067f2) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000008 0x7fb31dfb6a1f in lzma_alloc /build/xz-utils-T2haHW/xz-utils-5.6.1+really5.4.5/debian/normal-build/src/liblzma/../../../../src/liblzma/common/common.c:51:9 #9 0x7fb31dfb6a1f in lzma_lz_decoder_init /build/xz-utils-T2haHW/xz-utils-5.6.1+really5.4.5/debian/normal-build/src/liblzma/../../../../src/liblzma/lz/lz_decoder.c:266:7 0000010 0x7fb31dfa57f9 in alone_decode /build/xz-utils-T2haHW/xz-utils-5.6.1+really5.4.5/debian/normal-build/src/liblzma/../../../../src/liblzma/common/alone_decoder.c:155:3 0000011 0x7fb31dfab37c in auto_decode /build/xz-utils-T2haHW/xz-utils-5.6.1+really5.4.5/debian/normal-build/src/liblzma/../../../../src/liblzma/common/auto_decoder.c:86:24 0000012 0x7fb31dfa67f6 in lzma_code /build/xz-utils-T2haHW/xz-utils-5.6.1+really5.4.5/debian/normal-build/src/liblzma/../../../../src/liblzma/common/common.c:288:17 0000013 0x555dc7f1cbe8 in uncompressxzlib /home/liyan/Test_libmagic_4/file/build/src/../../src/compress.c:719:7 0000014 0x555dc7f1d3dc in uncompressbuf /home/liyan/Test_libmagic_4/file/build/src/../../src/compress.c:1149:11 0000015 0x555dc7f1d3dc in file_zmagic /home/liyan/Test_libmagic_4/file/build/src/../../src/compress.c:325:9 0000016 0x555dc7f201bd in file_buffer /home/liyan/Test_libmagic_4/file/build/src/../../src/funcs.c:369:7 0000017 0x555dc7f1657b in magic_buffer /home/liyan/Test_libmagic_4/file/build/src/../../src/magic.c:559:6 0000018 0x555dc7f15acb in LLVMFuzzerTestOneInput (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x146acb) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000019 0x555dc7e1de84 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x4ee84) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000020 0x555dc7e070f6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x380f6) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000021 0x555dc7e0cc96 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x3dc96) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000022 0x555dc7e37356 in main (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x68356) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) 0000023 0x7fb31dc6a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 0000024 0x7fb31dc6a28a in __libc_start_main csu/../csu/libc-start.c:360:3 0000025 0x555dc7e01c94 in _start (/home/liyan/Test_libmagic_4/Test_libmagic_1+0x32c94) (BuildId: db96384109054e9e49dbf891a4c305a8e831e8dd) SUMMARY: libFuzzer: out-of-memory |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-01-04 09:26 | YancyLii | New Issue | |
| 2025-01-04 09:26 | YancyLii | Tag Attached: libmagic | |
| 2025-01-04 09:26 | YancyLii | File Added: Test_libmagic_oom.tar.gz | |
| 2025-01-30 18:57 | christos | Assigned To | => christos |
| 2025-01-30 18:57 | christos | Status | new => assigned |
| 2025-01-30 18:58 | christos | Status | assigned => feedback |
| 2025-01-30 18:58 | christos | Note Added: 0004173 | |
| 2025-02-10 07:30 | YancyLii | Note Added: 0004180 | |
| 2025-02-10 07:30 | YancyLii | Status | feedback => assigned |
