Hi,

I did some testing of gzip with afl-fuzzing and memory sanitizer and it ends up finding a use of uninitialized memory on some malformed inputs.

Sample input (base64): H4sIADAwMDAwMGQAAAA=

With msan this causes:

==21601==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4affab in inflate_dynamic /f/gzip/gzip-1.9/inflate.c:803:9
    #1 0x4affab in inflate_block /f/gzip/gzip-1.9/inflate.c:925
    #2 0x4affab in inflate /f/gzip/gzip-1.9/inflate.c:957
    #3 0x4c805d in unzip /f/gzip/gzip-1.9/unzip.c:132:19
    #4 0x4a1234 in treat_file /f/gzip/gzip-1.9/gzip.c:1002:13
    #5 0x49d760 in main /f/gzip/gzip-1.9/gzip.c:670:13
    #6 0x7f85c3d724ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #7 0x41c4d9 in _start (/r/gz/gzip+0x41c4d9)

You can reproduce by building gzip with clang+msan, e.g.

./configure CC=clang LD=clang CFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE" LDFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE"

And then run the above sample with gzip -dc.

(msan is incompatible with fortify source and some distros set it by default, so it's better to unset it.)

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
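To see why the trace lands in inflate_dynamic, it helps to dissect the 14-byte sample rather than just feed it to gzip. The following is an added example (not part of the report above and not gzip's own code): it decodes the base64 sample, parses the RFC 1952 member header and the first RFC 1951 block header with a small LSB-first bit reader, and asks Python's zlib for a second opinion. The sample turns out to be a valid gzip header (MTIME/XFL/OS are the fuzzer's 0x30 filler) followed by a BTYPE=2 dynamic-Huffman block whose four transmitted code-length code lengths are all zero, so the code-length alphabet is empty (Kraft sum 0, not 1). That is the malformed state the dynamic-block decoder is handed and has to reject before it reads from any table built from those lengths. Names such as BitReader, parse_gzip_header and analyse are this example's own.

```python
"""Dissect the reported gzip sample to see which DEFLATE path it exercises."""
import base64
import zlib

# The sample from the report above, as posted (base64).
SAMPLE_B64 = "H4sIADAwMDAwMGQAAAA="

# RFC 1951 order in which the code-length code lengths are transmitted.
CL_ORDER = [16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15]


class BitReader:
    """LSB-first bit reader, the bit order DEFLATE uses for header fields."""

    def __init__(self, data, byte_offset=0):
        self.data = data
        self.bitpos = byte_offset * 8

    def bits(self, n):
        value = 0
        for i in range(n):
            byte = self.bitpos >> 3
            if byte >= len(self.data):
                raise EOFError("input exhausted after %d bits" % self.bitpos)
            value |= ((self.data[byte] >> (self.bitpos & 7)) & 1) << i
            self.bitpos += 1
        return value


def parse_gzip_header(data):
    """Parse the RFC 1952 member header; return its fields and the DEFLATE offset."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    cm, flg = data[2], data[3]
    if cm != 8:
        raise ValueError("unknown compression method %d" % cm)
    pos = 10
    if flg & 0x04:  # FEXTRA: 2-byte little-endian length, then that many bytes
        xlen = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2 + xlen
    for bit in (0x08, 0x10):  # FNAME, FCOMMENT: NUL-terminated strings
        if flg & bit:
            pos = data.index(b"\x00", pos) + 1
    if flg & 0x02:  # FHCRC: 16-bit header CRC
        pos += 2
    return {
        "cm": cm,
        "flg": flg,
        "mtime": int.from_bytes(data[4:8], "little"),
        "xfl": data[8],
        "os": data[9],
        "deflate_offset": pos,
    }


def parse_block_header(data, offset):
    """Parse the first DEFLATE block header; for BTYPE=2 also the table preamble."""
    br = BitReader(data, offset)
    info = {"bfinal": br.bits(1), "btype": br.bits(2)}
    if info["btype"] != 2:
        return info
    info["hlit"] = br.bits(5) + 257   # number of literal/length codes
    info["hdist"] = br.bits(5) + 1    # number of distance codes
    info["hclen"] = br.bits(4) + 4    # number of code-length code lengths sent
    cl_lengths = [0] * 19
    for i in range(info["hclen"]):
        cl_lengths[CL_ORDER[i]] = br.bits(3)
    info["code_length_lengths"] = cl_lengths
    # Kraft sum of the code-length code: a complete prefix code sums to exactly 1,
    # an over-subscribed one exceeds 1, and an empty alphabet sums to 0.
    info["code_length_kraft"] = sum(2.0 ** -l for l in cl_lengths if l)
    return info


def analyse(b64):
    """Return header, block-header and zlib verdict for a base64 gzip sample."""
    data = base64.b64decode(b64)
    hdr = parse_gzip_header(data)
    block = parse_block_header(data, hdr["deflate_offset"])
    try:
        zlib.decompress(data, 16 + zlib.MAX_WBITS)  # wbits 31 = gzip wrapper
        verdict = "accepted"
    except zlib.error as exc:
        verdict = "rejected: %s" % exc
    return {"bytes": data.hex(" "), "header": hdr, "block": block, "zlib": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_B64), indent=2))
```

Running it prints the raw bytes (1f 8b 08 00 30 30 30 30 30 30 64 00 00 00), HLIT=269, HDIST=1, HCLEN=4 with all four lengths zero, and zlib's rejection of the stream; with a different sample the same script tells you whether a crash belongs to the stored, fixed or dynamic block path before you open the decoder source.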