Bug 1470946
Field | Value
---|---
Summary | There is a heap-buffer-overflow in image.cpp of exiv2.
Product | Red Hat Enterprise Linux 7
Component | exiv2
Version | 7.5-Alt
Hardware | x86_64
OS | Linux
Status | CLOSED ERRATA
Severity | urgent
Priority | unspecified
Keywords | Security
Reporter | owl337 <v.owl337>
Assignee | Jan Grulich <jgrulich>
QA Contact | Desktop QE <desktop-qa-list>
CC | dan.cermak, raphael
Target Milestone | rc
Target Release | ---
Type | Bug
Doc Type | If docs needed, set a value
Story Points | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Blocks | 1474329
Last Closed | 2019-08-06 12:46:47 UTC
Created attachment 1298133 [details]
Triggered by "./exiv2 $POC"

Description of problem:
There is a heap-buffer-overflow in Exiv2::Image::printIFDStructure of image.cpp in exiv2.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./exiv2 $POC

Steps to Reproduce:
The output information is as follows:

$ ./exiv2 POC5
*** Error in `/home/icy/real/exiv2/bin/.libs/lt-exiv2': free(): invalid next size (fast): 0x00000000015597b0 ***
Aborted

GDB debugging information is as follows:

(gdb) set args POC5
(gdb) r
...
Breakpoint 5, Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., option=Exiv2::kpsRecursive, start=0, bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:404
404         std::memcpy(buf.pData_,dir.pData_+8,4);  // copy dir[8:11] into buffer (short strings)
(gdb) bt
#0  Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., option=Exiv2::kpsRecursive, start=0, bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:404
#1  0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x61300000de80, io=..., out=..., option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
#2  0x00007ffff71972ac in Exiv2::OrfImage::printStructure (this=<optimized out>, out=..., option=<optimized out>, depth=<optimized out>) at orfimage.cpp:104
#3  0x00007ffff7198631 in Exiv2::OrfImage::readMetadata (this=<optimized out>) at orfimage.cpp:123
#4  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#5  0x0000000000518489 in Action::Print::run (this=0x60400000d950, path=...) at actions.cpp:244
#6  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
(gdb) s
=================================================================
==46719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed93 at pc 0x7ffff70b7adb bp 0x7fffffffbe10 sp 0x7fffffffbe08
WRITE of size 4 at 0x60200000ed93 thread T0
    #0 0x7ffff70b7ada (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43bada)
    #1 0x7ffff70b90e0 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #2 0x7ffff71972ab (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51b2ab)
    #3 0x7ffff7198630 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51c630)
    #4 0x518d8b (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #5 0x518488 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #6 0x4e2ebb (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #7 0x7ffff5e29abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x43b288 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60200000ed93 is located 2 bytes to the right of 1-byte region [0x60200000ed90,0x60200000ed91)
allocated by thread T0 here:
    #0 0x4e1842 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1842)
    #1 0x7ffff70b0c5f (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434c5f)
    #2 0x7ffff70b90e0 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)

Shadow bytes around the buggy address:
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9db0: fa fa[01]fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff9dc0: fa fa 06 fa fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==46719==ABORTING
[Inferior 1 (process 46719) exited with code 01]

This vulnerability was triggered in Exiv2::Image::printIFDStructure () at image.cpp:404.

338 void Image::printIFDStructure(BasicIo& io, std::ostream& out, Exiv2::PrintStructureOption option,uint32_t start,bool bSwap,char c,int depth) {
...
399                      : 1
400                      ;
401
402         // if ( offset > io.size() ) offset = 0; // Denial of service?
403         DataBuf  buf(size*count + pad+20);  // allocate a buffer
404         std::memcpy(buf.pData_,dir.pData_+8,4);  // copy dir[8:11] into buffer (short strings)
405         if ( count*size > 4 ) {            // read into buffer
406             size_t   restore = io.tell();  // save
407             io.seek(offset,BasicIo::beg);  // position
408             io.read(buf.pData_,count*size);// read
...
}

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Please, report this issue to upstream. Thanks!

I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/52

Fixed with exiv2-0.27.0-1.el7_6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101
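The ASan output above reports a 1-byte heap region allocated at the quoted line 403, even though that expression always adds the constant 20. The only way `size*count + pad+20` yields 1 is for the product to wrap in 32-bit unsigned arithmetic; that is an inference from the report, the page itself does not name the root cause. The 4-byte memcpy at line 404 then writes past the 1-byte allocation, and the wrapped `count*size` at line 405 decides whether an out-of-line read follows. The block below is an added example, not exiv2 code and not from the reporter: it reproduces the wrapping arithmetic on a constructed 12-byte TIFF IFD entry and places a bounds-checked version beside it. The function names (`naive_buf_len`, `safe_buf_len`, `check_entry`), the two sample entries, the 4096-byte file size and the use of TIFF 6.0 type sizes are all assumptions made for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not exiv2 code: names, sample entries and file size are assumed. */

#define IFD_ENTRY_LEN 12   /* tag(2) type(2) count(4) value-or-offset(4) */
#define HEADER_SLACK  20   /* the "+20" from the quoted allocation at line 403 */

/* Element sizes for TIFF 6.0 type codes 1..12 (BYTE, ASCII, SHORT, LONG, RATIONAL,
 * SBYTE, UNDEFINED, SSHORT, SLONG, SRATIONAL, FLOAT, DOUBLE); unknown types -> 1. */
static uint32_t tiff_type_size(uint16_t type)
{
    static const uint32_t sizes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
    return (type < sizeof sizes / sizeof sizes[0] && sizes[type]) ? sizes[type] : 1;
}

static bool tiff_is_ascii(uint16_t type) { return type == 2; }

static uint16_t rd16(const uint8_t *p, bool be)
{
    return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}

static uint32_t rd32(const uint8_t *p, bool be)
{
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* The arithmetic of the quoted line 403 kept in uint32_t: size*count wraps silently,
 * so an attacker-chosen count can make the total smaller than the 4-byte memcpy. */
uint32_t naive_buf_len(uint32_t size, uint32_t count, uint32_t pad)
{
    return size * count + pad + HEADER_SLACK;
}

/* Hardened form: widen to 64 bits so the product cannot wrap, require an out-of-line
 * payload (more than 4 bytes) to lie inside the file, and refuse any total that would
 * not fit a 32-bit allocator argument. Returns false when the entry must be rejected;
 * *out is only written on success. */
bool safe_buf_len(uint32_t size, uint32_t count, uint32_t pad,
                  uint64_t file_size, uint32_t offset, uint32_t *out)
{
    uint64_t payload = (uint64_t)size * count;      /* 32x32 bits -> at most 2^35 */
    if (payload > 4) {                              /* value lives at offset, not inline */
        if (offset > file_size || payload > file_size - offset)
            return false;                           /* read would run past end of file */
    }
    uint64_t total = payload + pad + HEADER_SLACK;  /* always >= 20, so memcpy of 4 fits */
    if (total > UINT32_MAX)
        return false;
    *out = (uint32_t)total;
    return true;
}

/* Parse one raw IFD entry and compute both lengths. Returns whether the hardened
 * path accepts the entry; *naive always receives the wrapping result for comparison. */
bool check_entry(const uint8_t entry[IFD_ENTRY_LEN], bool big_endian,
                 uint64_t file_size, uint32_t *naive, uint32_t *safe)
{
    uint16_t type   = rd16(entry + 2, big_endian);
    uint32_t count  = rd32(entry + 4, big_endian);
    uint32_t offset = rd32(entry + 8, big_endian);
    uint32_t size   = tiff_type_size(type);
    uint32_t pad    = tiff_is_ascii(type) ? 1 : 0;  /* room for a terminating NUL */

    *naive = naive_buf_len(size, count, pad);
    return safe_buf_len(size, count, pad, file_size, offset, safe);
}

/* Constructed little-endian ("II") entry: tag 0x010e, type ASCII (2), count 0xFFFFFFEC,
 * offset 0x100. In uint32_t, 1*0xFFFFFFEC + 1 + 20 wraps to exactly 1. */
static const uint8_t hostile_entry[IFD_ENTRY_LEN] = {
    0x0e, 0x01, 0x02, 0x00, 0xec, 0xff, 0xff, 0xff, 0x00, 0x01, 0x00, 0x00};

/* Constructed benign entry: tag 0x0100, type LONG (4), count 3, offset 0x100. */
static const uint8_t benign_entry[IFD_ENTRY_LEN] = {
    0x00, 0x01, 0x04, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00};

int main(void)
{
    uint32_t naive = 0, safe = 0;
    bool ok = check_entry(hostile_entry, false, 4096, &naive, &safe);
    printf("hostile: naive length %" PRIu32 " (a 4-byte memcpy into it overflows), accepted=%d\n",
           naive, ok);
    ok = check_entry(benign_entry, false, 4096, &naive, &safe);
    printf("benign:  naive length %" PRIu32 ", safe length %" PRIu32 ", accepted=%d\n",
           naive, safe, ok);
    return 0;
}
```

The file-size bound is the check the quoted code has commented out at line 402 ("Denial of service?"); without it, a rejected entry is replaced by a multi-gigabyte read rather than an overflow, so both the wrap and the bound need to be enforced together.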