Bug 1482295

Summary:            There is a heap-buffer-overflow in basicio.cpp of exiv2.

Product:            Red Hat Enterprise Linux 7
Component:          exiv2
Version:            7.5-Alt
Hardware:           Unspecified
OS:                 Unspecified
Status:             CLOSED ERRATA
Severity:           urgent
Priority:           unspecified
Keywords:           Security
Target Milestone:   rc
Target Release:     ---
Type:               Bug

Reporter:           owl337 <v.owl337>
Assignee:           Jan Grulich <jgrulich>
QA Contact:         Desktop QE <desktop-qa-list>
CC:                 dan.cermak, meissner

Doc Type:           If docs needed, set a value
Story Points:       ---
Regression:         ---
Mount Type:         ---
Documentation:      ---
Category:           ---
oVirt Team:         ---
Cloudforms Team:    ---
Last Closed:        2019-08-06 12:46:58 UTC
You attached POC11 but your comment says POC9.

Please refer to the $POC of attachments (POC11).

The upstream issue is https://github.com/Exiv2/exiv2/issues/58, which has been fixed and backported. Fixed with exiv2-0.27.0-1.el7_6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101
Created attachment 1314498
Triggered by "./exiv2 POC11"

Description of problem:
There is a heap-buffer-overflow in basicio.cpp of exiv2; the vulnerability causes lots of out-of-bound writes in Exiv2::Image::printIFDStructure ().

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./exiv2 $POC

Steps to Reproduce:
The output information is as follows:

    $ ./exiv2 POC9
    ORF IMAGE
    *** Error in `./../../../exiv2': malloc(): memory corruption (fast): 0x00000000025be540 ***
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fd3b91c57e5]
    /lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7fd3b91d0651]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fd3b91d2184]
    /usr/lib/x86_64-linux-gnu/libstdc++.so.6(_Znwm+0x18)[0x7fd3b9ac4e78]
    /usr/lib/x86_64-linux-gnu/libstdc++.so.6(_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_+0x9f)[0x7fd3b9b563df]
    /home/icy/real/exiv2/install/lib/libexiv2.so.26(+0x18c9f1)[0x7fd3b9f459f1]
    /home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x20c2)[0x7fd3b9f41652]
    /home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7fd3b9f460fa]
    /home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7fd3b9fd72c2]
    /home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28PgfImage12readMetadataEv+0x56b)[0x7fd3b9ff284b]
    ./../../../exiv2[0x4276f8]
    ./../../../exiv2[0x42727c]
    ./../../../exiv2[0x4073a0]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fd3b916e830]
    ./../../../exiv2[0x406c89]
    ======= Memory map: ========
    00400000-00467000 r-xp 00000000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
    00666000-00667000 r--p 00066000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
    00667000-00668000 rw-p 00067000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
    00668000-00678000 rw-p 00000000 00:00 0
    025a1000-025d3000 rw-p 00000000 00:00 0                                  [heap]
    7fd3b4000000-7fd3b4021000 rw-p 00000000 00:00 0
    7fd3b4021000-7fd3b8000000 ---p 00000000 00:00 0
    7fd3b8a33000-7fd3b8d0b000 r--p 00000000 08:01 1048676                    /usr/lib/locale/locale-archive
    7fd3b8d0b000-7fd3b8d31000 r-xp 00000000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
    7fd3b8d31000-7fd3b8f31000 ---p 00026000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
    7fd3b8f31000-7fd3b8f33000 r--p 00026000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
    7fd3b8f33000-7fd3b8f34000 rw-p 00028000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
    7fd3b8f34000-7fd3b8f4d000 r-xp 00000000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
    7fd3b8f4d000-7fd3b914c000 ---p 00019000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
    7fd3b914c000-7fd3b914d000 r--p 00018000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
    7fd3b914d000-7fd3b914e000 rw-p 00019000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
    7fd3b914e000-7fd3b930e000 r-xp 00000000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
    7fd3b930e000-7fd3b950e000 ---p 001c0000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
    7fd3b950e000-7fd3b9512000 r--p 001c0000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
    7fd3b9512000-7fd3b9514000 rw-p 001c4000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
    7fd3b9514000-7fd3b9518000 rw-p 00000000 00:00 0
    7fd3b9518000-7fd3b952e000 r-xp 00000000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fd3b952e000-7fd3b972d000 ---p 00016000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fd3b972d000-7fd3b972e000 rw-p 00015000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fd3b972e000-7fd3b9836000 r-xp 00000000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
    7fd3b9836000-7fd3b9a35000 ---p 00108000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
    7fd3b9a35000-7fd3b9a36000 r--p 00107000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
    7fd3b9a36000-7fd3b9a37000 rw-p 00108000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
    7fd3b9a37000-7fd3b9ba9000 r-xp 00000000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
    7fd3b9ba9000-7fd3b9da9000 ---p 00172000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
    7fd3b9da9000-7fd3b9db3000 r--p 00172000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
    7fd3b9db3000-7fd3b9db5000 rw-p 0017c000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
    7fd3b9db5000-7fd3b9db9000 rw-p 00000000 00:00 0
    7fd3b9db9000-7fd3ba261000 r-xp 00000000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
    7fd3ba261000-7fd3ba461000 ---p 004a8000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
    7fd3ba461000-7fd3ba492000 r--p 004a8000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
    7fd3ba492000-7fd3ba494000 rw-p 004d9000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
    7fd3ba494000-7fd3ba4b0000 rw-p 00000000 00:00 0
    7fd3ba4b0000-7fd3ba4c8000 r-xp 00000000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
    7fd3ba4c8000-7fd3ba6c7000 ---p 00018000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
    7fd3ba6c7000-7fd3ba6c8000 r--p 00017000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
    7fd3ba6c8000-7fd3ba6c9000 rw-p 00018000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
    7fd3ba6c9000-7fd3ba6cd000 rw-p 00000000 00:00 0
    7fd3ba6cd000-7fd3ba6d0000 r-xp 00000000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
    7fd3ba6d0000-7fd3ba8cf000 ---p 00003000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
    7fd3ba8cf000-7fd3ba8d0000 r--p 00002000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
    7fd3ba8d0000-7fd3ba8d1000 rw-p 00003000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
    7fd3ba8d1000-7fd3ba8f7000 r-xp 00000000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
    7fd3baace000-7fd3baad6000 rw-p 00000000 00:00 0
    7fd3baaf3000-7fd3baaf6000 rw-p 00000000 00:00 0
    7fd3baaf6000-7fd3baaf7000 r--p 00025000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
    7fd3baaf7000-7fd3baaf8000 rw-p 00026000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
    7fd3baaf8000-7fd3baaf9000 rw-p 00000000 00:00 0
    7ffc17508000-7ffc17529000 rw-p 00000000 00:00 0                          [stack]
    7ffc175e1000-7ffc175e3000 r--p 00000000 00:00 0                          [vvar]
    7ffc175e3000-7ffc175e5000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    Aborted

GDB debugging information is as follows:

    (gdb) set args POC9
    (gdb) r
    ...
    Breakpoint 3, Exiv2::MemIo::read (this=<optimized out>, buf=0x7fffffffc5e0 "\003", rcount=2) at basicio.cpp:1281
    1281        std::memcpy(buf, &p_->data_[p_->idx_], allow);
    (gdb) c 24
    Will ignore next 23 crossings of breakpoint 3.  Continuing.
    ORF IMAGE

    Breakpoint 3, Exiv2::MemIo::read (this=<optimized out>, buf=0x60300000d510 "", rcount=4294967295) at basicio.cpp:1281
    1281        std::memcpy(buf, &p_->data_[p_->idx_], allow);
    (gdb) bt
    #0  Exiv2::MemIo::read (this=<optimized out>, buf=0x60300000d510 "", rcount=4294967295) at basicio.cpp:1281
    #1  0x00007ffff70b0e79 in Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., option=Exiv2::kpsRecursive, start=0, bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:408
    #2  0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x61300000de80, io=..., out=..., option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
    #3  0x00007ffff71972ac in Exiv2::OrfImage::printStructure (this=<optimized out>, out=..., option=<optimized out>, depth=<optimized out>) at orfimage.cpp:104
    #4  0x00007ffff7198631 in Exiv2::OrfImage::readMetadata (this=<optimized out>) at orfimage.cpp:123
    #5  0x00007ffff71c3df6 in Exiv2::PgfImage::readMetadata (this=<optimized out>) at pgfimage.cpp:152
    #6  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
    #7  0x0000000000518489 in Action::Print::run (this=0x60400000da50, path=...) at actions.cpp:244
    #8  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
    (gdb) n
    =================================================================
    ==125397==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d524 at pc 0x0000004ab7f6 bp 0x7fffffffbbf0 sp 0x7fffffffb3a0
    WRITE of size 73 at 0x60300000d524 thread T0
        #0 0x4ab7f5 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4ab7f5)
        #1 0x7ffff6f5b74d (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x2df74d)
        #2 0x7ffff70b0e78 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434e78)
        #3 0x7ffff70b90e0 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
        #4 0x7ffff71972ab (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51b2ab)
        #5 0x7ffff7198630 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51c630)
        #6 0x7ffff71c3df5 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x547df5)
        #7 0x518d8b (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
        #8 0x518488 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
        #9 0x4e2ebb (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
        #10 0x7ffff5e29abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
        #11 0x43b288 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

    0x60300000d524 is located 0 bytes to the right of 20-byte region [0x60300000d510,0x60300000d524)
    allocated by thread T0 here:
        #0 0x4e1842 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1842)
        #1 0x7ffff70b0c5f (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434c5f)
        #2 0x7ffff70b90e0 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)

    Shadow bytes around the buggy address:
      0x0c067fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c067fff9aa0: fa fa 00 00[04]fa fa fa 00 00 00 07 fa fa 00 00
      0x0c067fff9ab0: 00 07 fa fa 00 00 00 07 fa fa 00 00 00 07 fa fa
      0x0c067fff9ac0: 00 00 00 07 fa fa 00 00 00 07 fa fa 00 00 00 07
      0x0c067fff9ad0: fa fa 00 00 00 07 fa fa 00 00 00 07 fa fa 00 00
      0x0c067fff9ae0: 00 07 fa fa 00 00 00 07 fa fa 00 00 00 07 fa fa
      0x0c067fff9af0: 00 00 00 07 fa fa 00 00 00 07 fa fa 00 00 00 07
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==125397==ABORTING
    [Inferior 1 (process 125397) exited with code 01]

This vulnerability was triggered in Exiv2::Image::printIFDStructure () at basicio.cpp:1281.

    1277 long MemIo::read(byte* buf, long rcount)
    1278 {
    1279     long avail = EXV_MAX(p_->size_ - p_->idx_, 0);
    1280     long allow = EXV_MIN(rcount, avail);
    1281     std::memcpy(buf, &p_->data_[p_->idx_], allow);
    1282     p_->idx_ += allow;
    1283     if (rcount > avail) p_->eof_ = true;
    1284     return allow;
    1285 }

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
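Added example (editor's illustration; not code from the report, and not exiv2's code). The MemIo::read quoted above copies min(rcount, remaining) bytes and has no idea how large buf is, so it is exactly as safe as its caller's size arithmetic. The gdb session shows the caller in printIFDStructure handing it a 20-byte heap region and rcount=4294967295 (0xFFFFFFFF), and ASan then reports a 73-byte write, i.e. the whole remainder of the in-memory file. The C below replays those numbers. plan_unchecked is a hypothetical IFD-entry sizing routine in which the allocation expression is evaluated in 32-bit arithmetic and wraps to 20 while the read length is widened to 64 bits and does not; that it wrapped in exactly this way is my reconstruction consistent with the report's values, not something the page states. plan_checked is the overflow-safe counterpart (64-bit product, rejected when it exceeds the bytes actually available), and mem_read_bounded is a reader that refuses any request larger than the destination buffer. The 73-byte "file" is constructed; all names and signatures are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* In-memory reader modelled on the MemIo::read body quoted in the report:
 * copy min(rcount, remaining) bytes and trust that buf can hold rcount bytes.
 * The bound that matters, the size of buf, is never checked here. */
typedef struct {
    const uint8_t *data;
    int64_t size;
    int64_t idx;
    int eof;
} mem_io;

static int64_t mem_read(mem_io *io, uint8_t *buf, int64_t rcount)
{
    int64_t avail = io->size - io->idx;
    if (avail < 0) avail = 0;
    int64_t allow = rcount < avail ? rcount : avail;
    memcpy(buf, io->data + io->idx, (size_t)allow);
    io->idx += allow;
    if (rcount > avail) io->eof = 1;
    return allow;
}

/* Same read, but the caller states the capacity of buf; an oversized request
 * is refused (-1) instead of running off the end of the heap block. */
static int64_t mem_read_bounded(mem_io *io, uint8_t *buf, size_t cap, int64_t rcount)
{
    if (rcount < 0 || (uint64_t)rcount > cap) return -1;
    return mem_read(io, buf, rcount);
}

/* Hypothetical IFD-entry sizing (reconstruction, not exiv2 code): count and
 * per-element size are 32-bit, so the allocation expression can wrap while
 * the read length, widened to 64 bits, does not. */
struct read_plan {
    uint32_t alloc_len;   /* bytes allocated for the entry's payload */
    int64_t  read_len;    /* bytes requested from the reader */
    int      ok;          /* 0 = plan rejected */
};

static struct read_plan plan_unchecked(uint32_t count, uint32_t type_size, uint32_t pad)
{
    struct read_plan p;
    p.alloc_len = type_size * count + pad + 20;  /* uint32 arithmetic: 0xFFFFFFFF*1 + 1 + 20 wraps to 20 */
    p.read_len  = (int64_t)(count * type_size);  /* 4294967295: no wrap on the read side */
    p.ok = 1;
    return p;
}

static struct read_plan plan_checked(uint32_t count, uint32_t type_size, uint32_t pad, uint64_t avail)
{
    struct read_plan p = {0, 0, 0};
    uint64_t payload = (uint64_t)count * type_size;   /* cannot wrap in 64 bits */
    if (type_size == 0) return p;                     /* unknown type: refuse */
    if (payload > avail) return p;                    /* more than the file holds */
    if (payload + pad + 20 > UINT32_MAX) return p;    /* allocation would wrap */
    p.alloc_len = (uint32_t)(payload + pad + 20);
    p.read_len  = (int64_t)payload;
    p.ok = 1;
    return p;
}

/* Replay the report's numbers against a constructed 73-byte "file":
 * count 0xFFFFFFFF, 1-byte elements, 1-byte pad, 20-byte destination. */
static int64_t replay_report_scenario(int use_bounded_read)
{
    uint8_t file[73];
    uint8_t scratch[20];                        /* same size as the 20-byte region ASan reported */
    memset(file, 0x41, sizeof file);            /* constructed payload */
    mem_io io = { file, (int64_t)sizeof file, 0, 0 };
    struct read_plan p = plan_unchecked(0xFFFFFFFFu, 1, 1);
    if (use_bounded_read)
        return mem_read_bounded(&io, scratch, sizeof scratch, p.read_len);  /* -1: refused */
    /* The unbounded mem_read would memcpy 73 bytes into the 20-byte scratch
     * buffer, the report's "WRITE of size 73"; deliberately not executed. */
    return p.read_len;
}

int main(void)
{
    struct read_plan bad  = plan_unchecked(0xFFFFFFFFu, 1, 1);
    struct read_plan good = plan_checked(0xFFFFFFFFu, 1, 1, 73);
    printf("unchecked: alloc=%u bytes, read request=%lld bytes\n", bad.alloc_len, (long long)bad.read_len);
    printf("checked:   %s\n", good.ok ? "accepted" : "rejected");
    printf("bounded read of the same request: %lld\n", (long long)replay_report_scenario(1));
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c` and run it; the unchecked path only computes the mismatched sizes and never performs the overflowing copy, so it is safe to run without ASan. The two fixes are independent and both are worth having: the size computation must be done in a width that cannot wrap and bounded by the data that is really present, and a reader that takes a caller-supplied length should also be told the destination's capacity so a wrong caller cannot turn a 20-byte allocation into a 73-byte write.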