CVE-2021-39293

Origin: https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21

Backport note: test case now also deals with prior detection removed
in 483d6d99256b3c486e0c99106e232b4909938328 (v1.14)

From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 18 Aug 2021 11:49:29 -0700
Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation
 check from overflowing

If the indicated directory size in the archive header is so large that
subtracting it from the archive size overflows a uint64, the check that
the indicated number of files in the archive can be effectively
bypassed. Prevent this from happening by checking that the indicated
directory size is less than the size of the archive.

Thanks to the OSS-Fuzz project for discovering this issue and to
Emmanuel Odeke for reporting it.

Fixes #47985
Updates #47801
Fixes CVE-2021-39293

Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
Trust: Cherry Mui <cherryyz@google.com>

Gbp-Pq: Name CVE-2021-39293.patch

diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index a6b67f32ce24ec237ef10979796a31db2fb26bfc..1d0e2c0dfa7f7840c04ddea4a88c73fc0b2cb9e6 100644 (file)
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -91,7 +91,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
        // indicate it contains up to 1 << 128 - 1 files. Since each file has a
        // header which will be _at least_ 30 bytes we can safely preallocate
        // if (data size / 30) >= end.directoryRecords.
-       if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+       if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
                z.File = make([]*File, 0, end.directoryRecords)
        }
        z.Comment = end.comment

diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
index 8e13bb0b61aa2475056e8ec8536d4f63fa355104..1be7073ad58940d1b589964009a6f4f3e5a6e752 100644 (file)
--- a/src/archive/zip/reader_test.go
+++ b/src/archive/zip/reader_test.go
@@ -1105,3 +1105,21 @@ func TestCVE202133196(t *testing.T) {
                t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
        }
 }
+
+func TestCVE202139293(t *testing.T) {
+       // directory size is so large, that the check in Reader.init
+       // overflows when subtracting from the archive size, causing
+       // the pre-allocation check to be bypassed.
+       data := []byte{
+               0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
+               0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+               0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
+               0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+               0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
+               0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
+       }
+       _, err := NewReader(bytes.NewReader(data), int64(len(data)))
+       if err != ErrFormat && !strings.Contains(err.Error(), "TOC declares impossible") {
+               t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
+       }
+}