Details of the elevation of privilege vulnerability in libziparchive
Introduction
An integer overflow in libziparchive when opening a ZIP archive whose end-of-central-directory (EOCD) record carries large central directory (CD) offset and size values could allow an attacker to trigger an out-of-bounds memory access or cause a denial of service.
CVE: CVE-2016-6762
BugID: A-31251826
Severity: High
Updated Google devices: All
Updated AOSP versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0
Author: ele7enxxh of Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd
  // The size of the central directory (in bytes).
  uint32_t cd_size;
  // The offset of the start of the central directory, relative
  // to the start of the file.
  uint32_t cd_start_offset;
  ...
} __attribute__((packed));
The bounds check on an invalid EOCD record passes because the addition eocd->cd_start_offset + eocd->cd_size is evaluated on two uint32_t values and wraps around; the unchecked values then reach the call to archive->directory_map.create():
bool FileMap::create(const char* origFileName, int fd, off64_t offset, size_t length,
The offset (taken from eocd->cd_start_offset) and length (taken from eocd->cd_size, after page-alignment adjustment) arguments passed to mmap are invalid, which leads to a heap overflow when ParseZipArchive() walks the central directory and accesses memory beyond the mapped region.
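The wrap-around in the bounds check, as an added example that is not code from this advisory or from AOSP libziparchive: it parses a constructed EOCD record and runs two checks side by side, the pre-fix shape in which the two uint32_t fields are added in 32 bits, and a widened 64-bit version. The struct layout follows the ZIP EOCD format; the function names (eocd_parse, eocd_write, cd_bounds_ok_vuln, cd_bounds_ok_fixed, crafted_eocd_bypasses_vuln_check) and the sample values are hypothetical.

```c
/* Added example, not code from the advisory or from AOSP libziparchive.
 * Parses a constructed EOCD record and compares the wrapping 32-bit
 * bounds check with a widened 64-bit one. Function names and sample
 * values are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EOCD_SIGNATURE 0x06054b50u
#define EOCD_SIZE      22   /* fixed part of the EOCD record, without comment */

struct eocd_record {
    uint32_t eocd_signature;
    uint16_t disk_num;
    uint16_t cd_start_disk;
    uint16_t num_records_on_disk;
    uint16_t num_records;
    uint32_t cd_size;          /* size of the central directory in bytes */
    uint32_t cd_start_offset;  /* offset of the central directory from file start */
    uint16_t comment_length;
};

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Parse the little-endian EOCD header; false on short input or bad magic. */
bool eocd_parse(const uint8_t *buf, size_t len, struct eocd_record *out) {
    if (len < EOCD_SIZE) return false;
    out->eocd_signature = rd32(buf);
    if (out->eocd_signature != EOCD_SIGNATURE) return false;
    out->disk_num = rd16(buf + 4);
    out->cd_start_disk = rd16(buf + 6);
    out->num_records_on_disk = rd16(buf + 8);
    out->num_records = rd16(buf + 10);
    out->cd_size = rd32(buf + 12);
    out->cd_start_offset = rd32(buf + 16);
    out->comment_length = rd16(buf + 20);
    return true;
}

/* Serialize a constructed EOCD record (single disk, no comment) into buf. */
void eocd_write(uint8_t buf[EOCD_SIZE], uint16_t num_records,
                uint32_t cd_size, uint32_t cd_start_offset) {
    wr32(buf, EOCD_SIGNATURE);
    wr16(buf + 4, 0);
    wr16(buf + 6, 0);
    wr16(buf + 8, num_records);
    wr16(buf + 10, num_records);
    wr32(buf + 12, cd_size);
    wr32(buf + 16, cd_start_offset);
    wr16(buf + 20, 0);
}

/* Pre-fix shape of the check: uint32_t + uint32_t is evaluated in 32 bits
 * and wraps before it is compared with the 64-bit file offset of the EOCD
 * record. Returns true when the record is accepted. */
bool cd_bounds_ok_vuln(const struct eocd_record *e, int64_t eocd_offset) {
    uint32_t cd_end = e->cd_start_offset + e->cd_size;   /* may wrap */
    return !((int64_t)cd_end > eocd_offset);
}

/* Widened check: promote before adding, so the central directory must
 * genuinely end at or before the EOCD record. */
bool cd_bounds_ok_fixed(const struct eocd_record *e, int64_t eocd_offset) {
    int64_t cd_end = (int64_t)e->cd_start_offset + (int64_t)e->cd_size;
    return cd_end <= eocd_offset;
}

/* Constructed hostile record: 0xFFFFFF00 + 0x200 wraps to 0x100, which is
 * below a 4 KiB EOCD offset, so the 32-bit check accepts a central
 * directory that lies far beyond the end of the file. Returns true when
 * the vulnerable check accepts it and the widened check rejects it. */
bool crafted_eocd_bypasses_vuln_check(void) {
    uint8_t buf[EOCD_SIZE];
    struct eocd_record e;
    eocd_write(buf, 1, 0x200u, 0xFFFFFF00u);
    if (!eocd_parse(buf, sizeof buf, &e)) return false;
    return cd_bounds_ok_vuln(&e, 0x1000) && !cd_bounds_ok_fixed(&e, 0x1000);
}

int main(void) {
    printf("crafted EOCD slips past 32-bit check, caught by 64-bit check: %s\n",
           crafted_eocd_bypasses_vuln_check() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The essential point is the type of the intermediate sum: once it is stored, or even just evaluated, as uint32_t, comparing it with an off64_t afterwards cannot recover the lost carry, so the widening has to happen before the addition.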
+ if (eocd->cd_start_offset + eocd->cd_size <= eocd_offset) {
+ android_errorWriteLog(0x534e4554, "31251826");
+ }
+#endif
return kInvalidOffset;
}
if (eocd->num_records == 0) {
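Review bot: the logging condition `eocd->cd_start_offset + eocd->cd_size <= eocd_offset` in this hunk repeats the 32-bit addition the advisory identifies as wrapping; inside the rejection path that is only meaningful as a detector for the wrapped case (the narrow sum came out small even though the record is being rejected), so add a comment saying the narrow arithmetic is deliberate and confirm that the outer guard leading to this branch, which is not in the excerpt, performs the addition after widening to 64 bits, otherwise the event would fire for ordinary oversize values as well. Note also that 0x534e4554 is ASCII "SNET" and the android_errorWriteLog call sits under the conditional closed by `#endif`, so nothing is logged on builds where that is not defined; the unconditional `return kInvalidOffset;` is what actually blocks the archive.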
Timeline
2016-08-28: Android bug reported to Google
2016-09-20: Android bug confirmed and the severity is set to High
2016-12-05: Android security bulletin released with fix
2016-12-08: Public disclosure