Bug 1482296
| Field | Value |
|---|---|
| Summary | There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2 |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | owl337 <v.owl337> |
| Component | exiv2 |
| Assignee | Jan Grulich <jgrulich> |
| Status | CLOSED ERRATA |
| QA Contact | Desktop QE <desktop-qa-list> |
| Severity | urgent |
| Priority | unspecified |
| Version | 7.5-Alt |
| CC | dan.cermak, meissner, raphael |
| Target Milestone | rc |
| Keywords | Security |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2019-08-06 12:46:58 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
POC12 is the same binary as POC13 from bug 1482423. I will check it as soon as possible. Sorry for this mistake.

POC12 is no problem, it is because POC13 is duplicated with POC12. I have updated the POC13 in bug 1482423.

I reported this issue to upstream: https://github.com/Exiv2/exiv2/issues/59

Fixed with exiv2-0.27.0-1.el7_6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2101
Created attachment 1314499 [details]
Triggered by "./exiv2 POC12"

Description of problem:
There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2

Version-Release number of selected component (if applicable):
<=latest version

How reproducible:
./exiv2 $POC

Steps to Reproduce:

```
$ ./exiv2 POC12
*** Error in `/home/icy/real/exiv2/install/bin/exiv2': malloc(): smallbin double linked list corrupted: 0x000000000068bc80 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff66cb7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7ffff66d6651]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff66d8184]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_Znwm+0x18)[0x7ffff6fcae78]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZNK5Exiv26FileIo4pathB5cxx11Ev+0xc9)[0x7ffff7371a49]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x4632)[0x7ffff7449bc2]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7ffff744c0fa]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7ffff74dd2c2]
/home/icy/real/exiv2/install/bin/exiv2[0x4276f8]
/home/icy/real/exiv2/install/bin/exiv2[0x42727c]
/home/icy/real/exiv2/install/bin/exiv2[0x4073a0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff6674830]
/home/icy/real/exiv2/install/bin/exiv2[0x406c89]
======= Memory map: ========
...

Program received signal SIGABRT, Aborted.
0x00007ffff6689428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
```

The gdb debugging information is as follows:

```
(gdb) set args POC12
(gdb) r
...
Breakpoint 2, malloc_printerr (ar_ptr=0x7fffffffd250, ptr=0x68bc80, str=0x7ffff67e52c8 "malloc(): smallbin double linked list corrupted", action=3) at malloc.c:5006
5006    malloc.c: No such file or directory.
(gdb) bt
#0  malloc_printerr (ar_ptr=0x7fffffffd250, ptr=0x68bc80, str=0x7ffff67e52c8 "malloc(): smallbin double linked list corrupted", action=3) at malloc.c:5006
#1  _int_malloc (av=av@entry=0x7ffff6a18b20 <main_arena>, bytes=bytes@entry=51) at malloc.c:3386
#2  0x00007ffff66d8184 in __GI___libc_malloc (bytes=51) at malloc.c:2913
#3  0x00007ffff6fcae78 in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00007ffff7371a49 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*> (this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.tcc:223
#5  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*> (this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:195
#6  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*> (this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:214
#7  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (this=0x7fffffffd468, __str=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:400
#8  Exiv2::FileIo::path[abi:cxx11]() const (this=<optimized out>) at basicio.cpp:1031
#9  0x00007ffff7449bc2 in Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., option=<optimized out>, start=<optimized out>, bSwap=<optimized out>, c=<optimized out>, depth=<optimized out>) at image.cpp:498
#10 0x00007ffff744c0fa in Exiv2::Image::printTiffStructure (this=0x68bab0, io=..., out=..., option=Exiv2::kpsRecursive, depth=<optimized out>, offset=<optimized out>) at image.cpp:518
#11 0x00007ffff74dd2c2 in Exiv2::OrfImage::readMetadata (this=0x68bab0) at orfimage.cpp:123
#12 0x00000000004276f8 in Action::Print::printSummary (this=0x68cc30) at actions.cpp:289
---Type <return> to continue, or q <return> to quit---
Python Exception <class 'gdb.error'> There is no member named _M_dataplus.:
#13 0x000000000042727c in Action::Print::run (this=0x68cc30, path=) at actions.cpp:244
#14 0x00000000004073a0 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
(gdb) n
5007    in malloc.c
(gdb)
5006    in malloc.c
(gdb)
*** Error in `/home/icy/real/exiv2/install/bin/exiv2': malloc(): smallbin double linked list corrupted: 0x000000000068bc80 ***
======= Backtrace: =========
...
======= Memory map: ========
...

Program received signal SIGABRT, Aborted.
0x00007ffff6689428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
```

This vulnerability was triggered in Exiv2::FileIo::path[abi:cxx11]() const (this=0x68ccb0) at basicio.cpp:1031

```cpp
...
1026 #ifdef EXV_UNICODE_PATH
1027         if (p_->wpMode_ == Impl::wpUnicode) {
1028             return ws2s(p_->wpath_);
1029         }
1030 #endif
1031         return p_->path_;
1032     }
1033
1034 #ifdef EXV_UNICODE_PATH
1035     std::wstring FileIo::wpath() const
```

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.