NanaZip UFS Filesystem Parser Integer Divide-By-Zero Vulnerability
Vulnerability
A divide-by-zero vulnerability has been identified in NanaZip versions from 5.0.1252.0 up to, but not including, 6.0.1698.0, specifically within the UFS/UFS2 filesystem image parser. The issue arises when a crafted UFS image is opened whose superblock field 'fs_ipg' (inodes per cylinder group) is set to zero. In the function 'GetInodeOffset', this unvalidated, attacker-controlled value is used as a divisor without any prior check, so the division raises an immediate hardware exception that terminates the NanaZip process.
Impact
Exploitation of this vulnerability causes a deterministic crash of the NanaZip process, due to the unhandled hardware divide-by-zero exception. This vulnerability does not lead to memory corruption or code execution, as the exception occurs before any memory operations can be performed using the calculated offset.
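The following is an added example written for this page, not NanaZip's own code. It models the superblock fields that the inode offset arithmetic touches with a hypothetical struct and shows the validation a parser needs before using 'fs_ipg' (and the other divisor fields) in the classic UFS ino_to_cg / ino_to_fsba computation; the fs_cgoffset term is assumed to be zero and a 128-byte UFS1 inode is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, minimal model of the UFS1 superblock fields used by the
 * inode offset computation. Field names follow the classic fs.h layout. */
typedef struct {
    uint32_t fs_ipg;     /* inodes per cylinder group (attacker-controlled) */
    uint32_t fs_fpg;     /* fragments per cylinder group */
    uint32_t fs_iblkno;  /* fragment offset of inode blocks within a group */
    uint32_t fs_inopb;   /* inodes per filesystem block */
    uint32_t fs_frag;    /* fragments per filesystem block */
    uint32_t fs_fsize;   /* fragment size in bytes */
} ufs_sb;

/* Reject any superblock whose divisor/scale fields are zero. This is the
 * check that is missing when fs_ipg == 0 reaches the division unguarded.
 * Returns 0 when the fields are usable, -1 otherwise. */
int ufs_validate_sb(const ufs_sb *sb) {
    if (sb->fs_ipg == 0 || sb->fs_inopb == 0 || sb->fs_frag == 0) return -1;
    if (sb->fs_fpg == 0 || sb->fs_fsize == 0) return -1;
    return 0;
}

/* Byte offset of inode 'ino' in the image, with the UFS macros written out:
 * ino_to_cg, cgimin (cgoffset assumed 0), ino_to_fsba and ino_to_fsbo.
 * Refuses to divide if the superblock failed validation. */
int ufs_inode_offset(const ufs_sb *sb, uint32_t ino, uint64_t *out) {
    if (ufs_validate_sb(sb) != 0) return -1;          /* never reach the div */
    uint64_t cg     = ino / sb->fs_ipg;                /* ino_to_cg           */
    uint64_t cgimin = (uint64_t)sb->fs_fpg * cg + sb->fs_iblkno;
    uint64_t blk    = ((ino % sb->fs_ipg) / sb->fs_inopb) * (uint64_t)sb->fs_frag;
    uint64_t fsba   = cgimin + blk;                    /* ino_to_fsba         */
    uint64_t inblk  = ino % sb->fs_inopb;              /* ino_to_fsbo         */
    *out = fsba * sb->fs_fsize + inblk * 128;          /* 128-byte UFS1 inode */
    return 0;
}

int main(void) {
    /* Constructed superblocks: a sane one and one with fs_ipg cleared. */
    ufs_sb good = {2048, 4096, 16, 64, 8, 1024};
    ufs_sb bad  = {0,    4096, 16, 64, 8, 1024};
    uint64_t off;
    if (ufs_inode_offset(&good, 2050, &off) == 0) printf("ino 2050 @ %llu\n", (unsigned long long)off);
    printf("crafted image: %s\n", ufs_inode_offset(&bad, 2, &off) ? "rejected" : "accepted");
    return 0;
}
```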
Reproduction
To reproduce this vulnerability, create a UFS image file with the 'fs_ipg' field set to zero. Then, use NanaZip to open the crafted image file. The vulnerability can be verified by compiling NanaZip with AddressSanitizer enabled, which will report the integer divide-by-zero error when the image is opened.
Remediation
Users can upgrade to NanaZip version 6.0.1698.0 or later, where this vulnerability has been fixed.
