NanaZip UFS Parser Null-Pointer Dereference Vulnerability
Vulnerability
A null-pointer dereference has been identified in NanaZip versions from 5.0.1252.0 up to, but not including, 6.0.1698.0. The defect is in the UFS/UFS2 filesystem image parser: when a crafted UFS image is opened whose root inode (inode 2) is a symlink rather than a directory, the parser does not verify the inode type and processes the inode as a directory. Because the symlink's short target is stored inline in the inode, the parser ends up with a zero-length buffer, and reading it is a null-pointer dereference that crashes the application. The crash is immediate, but it does not lead to code execution, because the dereferenced address is null and unmapped on modern operating systems.
Impact
Exploitation of this vulnerability causes a deterministic crash of NanaZip, i.e. a denial of service for the user who opens the image. It does not allow code execution, since the faulting access is to a null pointer, which is unmapped on modern operating systems.
Reproduction
To reproduce this vulnerability, create a UFS image in which the root inode (inode 2) is a symlink (IFLNK) with a small inline target rather than a directory (IFDIR). When this image is opened in NanaZip, the UFS parser processes inode 2 as a directory, and the resulting null-pointer dereference crashes the application. Building NanaZip with AddressSanitizer makes the fault explicit: the null dereference is reported as an access violation.
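As an added illustration (example code, not NanaZip's or 7-Zip's own parser), a hardened form of the root-inode handling this advisory describes, in C++: the file-type bits of di_mode are checked before inode 2 is walked as a directory, and the directory walk is bounded so that an empty or crafted block returns an error instead of dereferencing a null pointer. The UfsInode struct, the status codes and the little-endian, FreeBSD-style `struct direct` record layout are assumptions made for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// File-type bits of di_mode, as in <sys/stat.h> and the UFS on-disk format.
enum : uint16_t { kIfMt = 0170000, kIfDir = 0040000, kIfLnk = 0120000 };

// Hypothetical reduced inode: di_mode, di_size and the bytes the inode refers to
// (a directory block, or the inline target of a short symlink).
struct UfsInode { uint16_t mode = 0; uint64_t size = 0; std::vector<uint8_t> data; };

enum class UfsStatus { Ok, RootNotDirectory, EmptyDirectory, DirentCorrupt };

// The check the vulnerable parser lacked: inode 2 must be a directory with a
// non-empty block before its data pointer is ever dereferenced.
UfsStatus ValidateRootInode(const UfsInode &root) {
  if ((root.mode & kIfMt) != kIfDir) return UfsStatus::RootNotDirectory;
  if (root.size == 0 || root.data.empty()) return UfsStatus::EmptyDirectory;
  return UfsStatus::Ok;
}

// Walk UFS `struct direct` records (little-endian image assumed):
// d_ino u32, d_reclen u16, d_type u8, d_namlen u8, d_name[]. Every access is
// bounded by the buffer, so a crafted reclen/namlen yields an error, not a crash.
UfsStatus ReadRootDirectory(const UfsInode &root, std::vector<std::string> &names) {
  UfsStatus st = ValidateRootInode(root);
  if (st != UfsStatus::Ok) return st;
  const uint8_t *p = root.data.data();
  size_t off = 0, n = root.data.size();
  while (n - off >= 8) {
    uint32_t ino = p[off] | (p[off + 1] << 8) | (p[off + 2] << 16) | (uint32_t(p[off + 3]) << 24);
    uint16_t reclen = uint16_t(p[off + 4] | (p[off + 5] << 8));
    uint8_t namlen = p[off + 7];
    if (reclen < 8 || reclen > n - off || namlen + 8u > reclen) return UfsStatus::DirentCorrupt;
    if (ino != 0) names.emplace_back(reinterpret_cast<const char *>(p + off + 8), namlen);
    off += reclen;
  }
  return UfsStatus::Ok;
}

// Build one constructed directory record, padded to the 4-byte alignment UFS uses.
std::vector<uint8_t> MakeDirent(uint32_t ino, uint8_t type, const std::string &name) {
  uint16_t reclen = uint16_t((8 + name.size() + 3) & ~size_t(3));
  std::vector<uint8_t> r = {uint8_t(ino), uint8_t(ino >> 8), uint8_t(ino >> 16), uint8_t(ino >> 24),
                            uint8_t(reclen), uint8_t(reclen >> 8), type, uint8_t(name.size())};
  r.insert(r.end(), name.begin(), name.end());
  r.resize(reclen, 0);
  return r;
}
```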
Remediation
Users can upgrade to NanaZip version 6.0.1698.0 or later, where this vulnerability has been fixed.
