
archive/zip: slice out of bounds in NewReader at tip #59810

Closed
catenacyber opened this issue Apr 24, 2023 · 3 comments

Comments

@catenacyber
Contributor

catenacyber commented Apr 24, 2023

What version of Go are you using (go version)?

$ go version
go version go1.19 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/root/.go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/root/.go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/src/ngolo-fuzzing/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2481516251=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Run https://go.dev/play/p/hLbhCDy4umq?v=gotip

What did you expect to see?

The program finishing and printing Hello

What did you see instead?

panic: runtime error: slice bounds out of range [:-9223372036854773665]

goroutine 1 [running]:
io.(*SectionReader).Read(0xc0000cc000?, {0xc0000cc000?, 0xc0000a6aa8?, 0x40b8a5?})
	/usr/local/go-faketime/src/io/io.go:511 +0x7f
io.ReadAtLeast({0x4dff98, 0xc0000ac150}, {0xc0000cc000, 0x2e, 0x2e}, 0x2e)
	/usr/local/go-faketime/src/io/io.go:332 +0x90
io.ReadFull(...)
	/usr/local/go-faketime/src/io/io.go:351
archive/zip.readDirectoryHeader(0xc0000a6cd0, {0x4dff98, 0xc0000ac150})
	/usr/local/go-faketime/src/archive/zip/reader.go:358 +0x70
archive/zip.readDirectoryEnd({0x4dfed8, 0xc0000ac120}, 0x107f)
	/usr/local/go-faketime/src/archive/zip/reader.go:633 +0x676
archive/zip.(*Reader).init(0xc0000be000, {0x4dfed8?, 0xc0000ac120}, 0x107f)
	/usr/local/go-faketime/src/archive/zip/reader.go:119 +0x50
archive/zip.NewReader({0x4dfed8, 0xc0000ac120}, 0x107f)
	/usr/local/go-faketime/src/archive/zip/reader.go:112 +0x5e
main.main()
	/tmp/sandbox2951848341/prog.go:12 +0x17e

Found by https://github.com/catenacyber/ngolo-fuzzing with oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58289

Regression range is 9894ded:8354f6b5bb5baf03cb64dbf736c276f297ebea96

@catenacyber
Contributor Author

cc @rolandshoemaker

@catenacyber
Contributor Author

By the way, this POC does not respect the documentation about the zip.NewReader size argument, but

  • Maybe another POC can panic the same way while respecting the documentation
  • A better error can be returned anyways
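The report above shows archive/zip panicking instead of returning an error when the size passed to zip.NewReader does not match the reader's contents, and the follow-up comment notes that the POC breaks the documented size contract. The following is an added defensive example, not code from the issue or from the Go project: it checks that the io.ReaderAt really serves the declared number of bytes before parsing, and converts any parser panic on malformed input into an error so that an untrusted archive cannot crash the process. The names checkSize, OpenZip, FileNames, ErrSizeMismatch and buildSampleZip are assumptions introduced here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrSizeMismatch is returned when the declared archive size does not match
// what the io.ReaderAt actually serves (assumed name, not part of archive/zip).
var ErrSizeMismatch = errors.New("zip: declared size does not match reader contents")

// checkSize enforces the documented contract of zip.NewReader's size argument:
// the last byte (offset size-1) must be readable, and a read at offset size
// must report io.EOF with no data. Both too-large and too-small declarations
// are rejected before the parser ever sees the archive.
func checkSize(r io.ReaderAt, size int64) error {
	if size < 0 {
		return ErrSizeMismatch
	}
	var b [1]byte
	if size > 0 {
		n, err := r.ReadAt(b[:], size-1)
		if n != 1 || (err != nil && err != io.EOF) {
			return ErrSizeMismatch
		}
	}
	n, err := r.ReadAt(b[:], size)
	if n != 0 || err != io.EOF {
		return ErrSizeMismatch
	}
	return nil
}

// OpenZip parses an archive from untrusted input. It validates the size
// contract first and turns any panic raised while parsing into a returned
// error, so a crafted or truncated archive yields an error, not a crash.
func OpenZip(r io.ReaderAt, size int64) (zr *zip.Reader, err error) {
	if err := checkSize(r, size); err != nil {
		return nil, err
	}
	defer func() {
		if p := recover(); p != nil {
			zr = nil
			err = fmt.Errorf("zip: parser panic on malformed input: %v", p)
		}
	}()
	return zip.NewReader(r, size)
}

// buildSampleZip constructs a small in-memory archive (constructed sample data).
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create("hello.txt")
	f.Write([]byte("Hello"))
	w.Close()
	return buf.Bytes()
}

// FileNames opens data with the given declared size and lists the entry names.
func FileNames(data []byte, declaredSize int64) ([]string, error) {
	zr, err := OpenZip(bytes.NewReader(data), declaredSize)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		names = append(names, f.Name)
	}
	return names, nil
}

func main() {
	data := buildSampleZip()
	fmt.Println(FileNames(data, int64(len(data))))      // correct size: [hello.txt] <nil>
	fmt.Println(FileNames(data, int64(len(data))+4096)) // oversized declaration: rejected
	fmt.Println(FileNames(data[:len(data)/2], int64(len(data)/2))) // truncated: zip error
}
```

The size probe works for any io.ReaderAt that follows the io contract (bytes.Reader and *os.File both return io.EOF for reads at or past the end), so it can sit in front of zip.NewReader wherever the size comes from a separate, possibly attacker-influenced, source such as a Content-Length header or a length field in another container format.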

@rolandshoemaker
Member

Fixed by http://go.dev/cl/488195, thanks!

@golang golang locked and limited conversation to collaborators Apr 23, 2024