Bug 1482296 - There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2
Summary: There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-17 01:30 UTC by owl337
Modified: 2019-08-06 12:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:46:58 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Triggered by "./exiv2 POC12" (133 bytes, application/x-rar)
2017-08-17 01:30 UTC, owl337


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2101 0 None None None 2019-08-06 12:47:08 UTC

Description owl337 2017-08-17 01:30:51 UTC
Created attachment 1314499 [details]
Triggered by "./exiv2 POC12"

Description of problem:

 There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2

Version-Release number of selected component (if applicable):

<=latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:

$./exiv2 POC12
*** Error in `/home/icy/real/exiv2/install/bin/exiv2': malloc(): smallbin double linked list corrupted: 0x000000000068bc80 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff66cb7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7ffff66d6651]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff66d8184]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_Znwm+0x18)[0x7ffff6fcae78]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZNK5Exiv26FileIo4pathB5cxx11Ev+0xc9)[0x7ffff7371a49]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x4632)[0x7ffff7449bc2]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7ffff744c0fa]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7ffff74dd2c2]
/home/icy/real/exiv2/install/bin/exiv2[0x4276f8]
/home/icy/real/exiv2/install/bin/exiv2[0x42727c]
/home/icy/real/exiv2/install/bin/exiv2[0x4073a0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff6674830]
/home/icy/real/exiv2/install/bin/exiv2[0x406c89]
======= Memory map: ========
...

Program received signal SIGABRT, Aborted.
0x00007ffff6689428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

The gdb debugging information is as follows:

(gdb) set args POC12
(gdb) r
...
Breakpoint 2, malloc_printerr (ar_ptr=0x7fffffffd250, ptr=0x68bc80, 
    str=0x7ffff67e52c8 "malloc(): smallbin double linked list corrupted", action=3) at malloc.c:5006
5006	malloc.c: No such file or directory.
(gdb) bt 
#0  malloc_printerr (ar_ptr=0x7fffffffd250, ptr=0x68bc80, 
    str=0x7ffff67e52c8 "malloc(): smallbin double linked list corrupted", action=3) at malloc.c:5006
#1  _int_malloc (av=av@entry=0x7ffff6a18b20 <main_arena>, bytes=bytes@entry=51) at malloc.c:3386
#2  0x00007ffff66d8184 in __GI___libc_malloc (bytes=51) at malloc.c:2913
#3  0x00007ffff6fcae78 in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00007ffff7371a49 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*> (this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.tcc:223
#5  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*> (
    this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:195
#6  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*> (
    this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:214
#7  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (this=0x7fffffffd468, 
    __str=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:400
#8  Exiv2::FileIo::path[abi:cxx11]() const (this=<optimized out>) at basicio.cpp:1031
#9  0x00007ffff7449bc2 in Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., 
    option=<optimized out>, start=<optimized out>, bSwap=<optimized out>, c=<optimized out>, depth=<optimized out>)
    at image.cpp:498
#10 0x00007ffff744c0fa in Exiv2::Image::printTiffStructure (this=0x68bab0, io=..., out=..., option=Exiv2::kpsRecursive, 
    depth=<optimized out>, offset=<optimized out>) at image.cpp:518
#11 0x00007ffff74dd2c2 in Exiv2::OrfImage::readMetadata (this=0x68bab0) at orfimage.cpp:123
#12 0x00000000004276f8 in Action::Print::printSummary (this=0x68cc30) at actions.cpp:289
Python Exception <class 'gdb.error'> There is no member named _M_dataplus.: 
#13 0x000000000042727c in Action::Print::run (this=0x68cc30, path=) at actions.cpp:244
#14 0x00000000004073a0 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
(gdb) n
5007	in malloc.c
(gdb) 
5006	in malloc.c
(gdb) 
*** Error in `/home/icy/real/exiv2/install/bin/exiv2': malloc(): smallbin double linked list corrupted: 0x000000000068bc80 ***

Program received signal SIGABRT, Aborted.
0x00007ffff6689428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

This vulnerability was triggered in Exiv2::FileIo::path[abi:cxx11]() const (this=0x68ccb0) at basicio.cpp:1031
...
1026	#ifdef EXV_UNICODE_PATH
1027	        if (p_->wpMode_ == Impl::wpUnicode) {
1028	            return ws2s(p_->wpath_);
1029	        }
1030	#endif
1031	        return p_->path_;
1032	    }
1033	
1034	#ifdef EXV_UNICODE_PATH
1035	    std::wstring FileIo::wpath() const


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 2 Marcus Meissner 2017-08-19 11:02:14 UTC
POC12 is the same binary as POC13 from bug 1482423

Comment 3 owl337 2017-08-19 13:43:58 UTC
I will check it as soon as possible.

Comment 4 owl337 2017-08-19 15:03:22 UTC
Sorry for this mistake. POC12 is no problem; it is because POC13 was a duplicate of POC12. I have updated POC13 in bug 1482423.

Comment 5 Raphaël Hertzog 2017-08-31 15:12:03 UTC
I reported this issue to upstream: https://github.com/Exiv2/exiv2/issues/59

Comment 7 Jan Grulich 2019-01-28 16:08:15 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 11 errata-xmlrpc 2019-08-06 12:46:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101

