Bug 1471772

Summary: There is an illegal address access in basicio.cpp of exiv2.
Product: Red Hat Enterprise Linux 7 Reporter: owl337 <v.owl337>
Component: exiv2Assignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: henri, raphael, v.owl337
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 12:46:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
Triggered by "./exiv2 POC7" none

Description owl337 2017-07-17 12:23:28 UTC
Created attachment 1299839 [details]
Triggered by "./exiv2 POC7"

Description of problem:

There is an illegal address access in basicio.cpp of exiv2.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC7

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
4150	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
#1  0x00007ffff60fba34 in _int_malloc (av=av@entry=0x7ffff643ec00 <main_arena>, bytes=bytes@entry=1600) at malloc.c:3417
#2  0x00007ffff60fe50e in __GI___libc_malloc (bytes=1600) at malloc.c:2895
#3  0x00007ffff60fffb8 in __libc_realloc (bytes=1600, oldmem=0x0) at malloc.c:2976
#4  realloc_hook_ini (ptr=0x0, sz=1600, caller=<optimized out>) at hooks.c:41
#5  0x00007ffff60fec17 in __GI___libc_realloc (oldmem=0x0, bytes=1600) at malloc.c:2965
#6  0x00007ffff60ac1cb in extend_alias_table () at localealias.c:397
#7  read_alias_file (fname=<optimized out>, fname_len=<optimized out>) at localealias.c:319
#8  0x00007ffff60ac3c7 in _nl_expand_alias (name=name@entry=0x7fffffffae30 "en_US.UTF-8") at localealias.c:203
#9  0x00007ffff60aa608 in _nl_find_domain (dirname=dirname@entry=0x7ffff620ea00 <_nl_default_dirname> "/usr/share/locale", locale=locale@entry=0x7fffffffae30 "en_US.UTF-8", 
    domainname=domainname@entry=0x7fffffffae50 "LC_MESSAGES/libc.mo", domainbinding=domainbinding@entry=0x0) at finddomain.c:124
#10 0x00007ffff60a9e72 in __dcigettext (domainname=0x7ffff6206229 <_libc_intl_domainname> "libc", msgid1=0x7ffff6206711 "Cannot allocate memory", msgid2=msgid2@entry=0x0, plural=plural@entry=0, 
    n=n@entry=0, category=category@entry=5) at dcigettext.c:722
#11 0x00007ffff60a8a8f in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:47
#12 0x00007ffff610558e in __GI___strerror_r (errnum=12, buf=0x7fffffffb0b0 "", buflen=1024) at _strerror.c:71
#13 0x00000000005706ef in Exiv2::strError() ()
#14 0x00000000004c11b8 in Exiv2::FileIo::mmap(bool) ()
#15 0x00000000006b8f3f in Exiv2::TiffImage::readMetadata() ()
#16 0x0000000000464434 in Action::Print::printSummary() ()
#17 0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#18 0x0000000000439762 in main ()

icy@ubuntu:~/real/exiv2-asan/install/bin$ ./exiv2 ../../../exiv2_coll4/coll-out1/crashes/id\:000015\,sig\:11\,src\:001021\,op\:flip32\,pos\:47 
==47987==ERROR: AddressSanitizer: SEGV on unknown address 0x00a09ffca08b (pc 0x7efe16b0fec5 bp 0x7ffca809dd00 sp 0x7ffca809d600 T0)
    #0 0x7efe16b0fec4  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434ec4)
    #1 0x7efe16b180e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #2 0x7efe16d28900  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x64d900)
    #3 0x7efe16d205eb  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x6455eb)
    #4 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #5 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #6 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #7 0x7efe15888abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

AddressSanitizer can not provide additional info.

Actual results:


Expected results:


Additional info:


This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 Henri Salo 2017-07-30 12:52:39 UTC
I can confirm that this also segfaults 0.26 upstream release. Did you report this to upstream issue tracker?

Comment 5 Henri Salo 2017-07-30 12:54:16 UTC
Please use CVE-2017-11553 for this issue.

Comment 6 owl337 2017-08-15 02:39:35 UTC
ok(In reply to Henri Salo from comment #4)
> I can confirm that this also segfaults 0.26 upstream release. Did you report
> this to upstream issue tracker?

Could you support a issue tracker link ? Thank you.

Comment 7 Raphaƫl Hertzog 2017-08-31 14:38:33 UTC
I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/54

Comment 8 Henri Salo 2018-10-26 09:04:30 UTC
This has been fixed in upstream.

Comment 10 Jan Grulich 2019-01-28 16:08:23 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 14 errata-xmlrpc 2019-08-06 12:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.