Bug 1483988
Field | Value | Field | Value
---|---|---|---
Summary | There is a floating point exception in dcraw_common.cpp of libRAW. It will lead to remote denial of service attack. | |
Product | Red Hat Enterprise Linux 7 | Reporter | owl337 <v.owl337>
Component | LibRaw | Assignee | Debarshi Ray <debarshir>
Status | CLOSED WONTFIX | QA Contact | BaseOS QE - Apps <qe-baseos-apps>
Severity | urgent | Docs Contact |
Priority | unspecified | |
Version | 7.5-Alt | CC | henri, v.owl337
Target Milestone | rc | Keywords | Security
Target Release | --- | |
Hardware | Unspecified | |
OS | Unspecified | |
Whiteboard | | |
Fixed In Version | | Doc Type | If docs needed, set a value
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2017-09-06 11:42:54 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | | |
Bug Blocks | 1488476 | |
Attachments | | |
Is upstream affected? Did you communicate with the upstream security contact? This has been assigned CVE-2017-13735 (not requested by me). You should report these vulnerabilities to upstream first. Usually upstream wants security reports in private so that they can fix the issues before making them public (coordinated disclosure).

Thanks for your reminder. We have upstreamed it in https://github.com/LibRaw/LibRaw/issues/96. The author replied to me that this bug has been fixed.

This has been fixed in the upstream 0.18.3 release. Please see: https://www.libraw.org/news/libraw-0-18-3

Why is this closed as wontfix?
Created attachment 1316614 [details]
Triggered by "./multirender_test POC1"

Description of problem:
There is a floating point exception in dcraw_common.cpp of libRAW.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./multirender_test POC1

Steps to Reproduce:

```
$ ./multirender_test POC1
Processing file POC1
Floating point exception
```

The GDB debugging information is as follows:

```
$ ./multirender_test POC1
gdb-peda$ r
...
Breakpoint 1, LibRaw::kodak_radc_load_raw (this=0x7ffffff9d6e8) at internal/dcraw_common.cpp:2751
2751	    val = (buf[c][y+1][x] << 4) / mul[c];
gdb-peda$ c 11
Will ignore next 10 crossings of breakpoint 1.  Continuing.

Breakpoint 1, LibRaw::kodak_radc_load_raw (this=0x7ffffff9d6e8) at internal/dcraw_common.cpp:2751
2751	    val = (buf[c][y+1][x] << 4) / mul[c];
gdb-peda$ n

Program received signal SIGFPE, Arithmetic exception.
[----------------------------------registers-----------------------------------]
RAX: 0x1f70
RBX: 0x0
RCX: 0x2afa
RDX: 0x0
RSI: 0x7ffff7fda0d0 --> 0x1
RDI: 0x7ffff7d952c0 --> 0x1
RBP: 0x602878 --> 0x6028a0 --> 0x0
RSP: 0x7ffffff993a0 --> 0x0
RIP: 0x7ffff7a65e2b (<LibRaw::kodak_radc_load_raw()+7259>:	idiv   DWORD PTR [rsp+0x9c])
R8 : 0x7ffffff99dec --> 0x11380f00121d10bd
R9 : 0x0
R10: 0x7ffffff99dec --> 0x11380f00121d10bd
R11: 0x14
R12: 0x0
R13: 0x7ffffff9d6e8 --> 0x7ffff7d94a30 --> 0x7ffff7b48e10 (<LibRaw::open_datastream(LibRaw_abstract_datastream*)>:	push   rbp)
R14: 0x0
R15: 0x300
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a65e1f <LibRaw::kodak_radc_load_raw()+7247>:	movsx  eax,WORD PTR [rax+rbx*2+0x304]
   0x7ffff7a65e27 <LibRaw::kodak_radc_load_raw()+7255>:	shl    eax,0x4
   0x7ffff7a65e2a <LibRaw::kodak_radc_load_raw()+7258>:	cdq
=> 0x7ffff7a65e2b <LibRaw::kodak_radc_load_raw()+7259>:	idiv   DWORD PTR [rsp+0x9c]
   0x7ffff7a65e32 <LibRaw::kodak_radc_load_raw()+7266>:	test   eax,eax
   0x7ffff7a65e34 <LibRaw::kodak_radc_load_raw()+7268>:	mov    r15d,0x0
   0x7ffff7a65e3a <LibRaw::kodak_radc_load_raw()+7274>:	cmovns r15w,ax
   0x7ffff7a65e3f <LibRaw::kodak_radc_load_raw()+7279>:	mov    r13,rbp
[------------------------------------stack-------------------------------------]
0000| 0x7ffffff993a0 --> 0x0
0008| 0x7ffffff993a8 --> 0x700000000
0016| 0x7ffffff993b0 --> 0x90000000c ('\x0c')
0024| 0x7ffffff993b8 --> 0x8
0032| 0x7ffffff993c0 --> 0x7ffffff9a6fa --> 0x0
0040| 0x7ffffff993c8 --> 0x304
0048| 0x7ffffff993d0 --> 0x7ffffff9a6f8 --> 0x0
0056| 0x7ffffff993d8 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x00007ffff7a65e2b in LibRaw::kodak_radc_load_raw (this=0x7ffffff9d6e8) at internal/dcraw_common.cpp:2751
2751	    val = (buf[c][y+1][x] << 4) / mul[c];
gdb-peda$ x/xw ($rsp+0x9c)
0x7ffffff9943c:	0x00000000
gdb-peda$
```

The vulnerability was triggered in function LibRaw::kodak_radc_load_raw (this=0x7ffffff9d6e8) at internal/dcraw_common.cpp:2751:

```
2749	  for (y=0; y < 2; y++)
2750	    for (x=0; x < width/2; x++) {
2751	      val = (buf[c][y+1][x] << 4) / mul[c];
2752	      if (val < 0) val = 0;
2753	      if (c) RAW(row+y*2+c-1,x*2+2-c) = val;
2754	      else   RAW(row+r*2+y,x*2+y) = val;
2755	    }
```

Actual results:
crash

Expected results:
crash

Additional info:

Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
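The crash in the report is an integer division whose divisor, `mul[c]`, comes straight from the input file and is zero (the `x/xw ($rsp+0x9c)` line in the GDB session shows the operand of the `idiv` is 0x00000000). The C program below is an added example, not LibRaw's code and not the upstream fix: it puts the two shapes side by side, a division that trusts the file-supplied multiplier and a version that validates each multiplier as it is read and reports corrupt input instead of dividing. The bit reader, the `read_multipliers` and `scale_checked` names, the assumption that each multiplier is a 6-bit field, and the two byte streams are constructed for this illustration; the scale-by-16 and clamp-to-zero steps mirror the lines quoted from dcraw_common.cpp.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not LibRaw's code. A minimal MSB-first bit reader standing
   in for the decoder's own field reader; the 6-bit width of the multipliers
   below is an assumption made for this illustration. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t bitpos;
} bitreader;

static int read_bits(bitreader *br, int nbits, unsigned *out)
{
    unsigned v = 0;
    for (int i = 0; i < nbits; i++) {
        size_t byte = br->bitpos >> 3;
        if (byte >= br->len)
            return -1;                       /* truncated input */
        v = (v << 1) | ((br->data[byte] >> (7 - (br->bitpos & 7))) & 1);
        br->bitpos++;
    }
    *out = v;
    return 0;
}

/* Vulnerable shape, mirroring the quoted line: the divisor comes straight
   from the file, so mul == 0 raises SIGFPE exactly as in the bug report.
   (Multiplying by 16 instead of shifting avoids the undefined left shift
   of a negative sample; the arithmetic is otherwise the same.) */
static int scale_unchecked(int sample, int mul)
{
    int val = (sample * 16) / mul;
    return val < 0 ? 0 : val;
}

/* Hardened shape, part 1: validate each multiplier where it is read.
   Returns 0 on success, -1 on truncated input, -2 on a zero multiplier. */
static int read_multipliers(const uint8_t *data, size_t len, int mul[3])
{
    bitreader br = { data, len, 0 };
    for (int c = 0; c < 3; c++) {
        unsigned m;
        if (read_bits(&br, 6, &m) != 0)
            return -1;
        if (m == 0)
            return -2;                       /* corrupt file: refuse to decode */
        mul[c] = (int)m;
    }
    return 0;
}

/* Hardened shape, part 2: the division itself also refuses a zero divisor,
   so the invariant does not depend on every caller remembering the check. */
static int scale_checked(int sample, int mul, int *out)
{
    if (mul == 0)
        return -1;
    int val = (sample * 16) / mul;
    *out = val < 0 ? 0 : val;
    return 0;
}

/* Constructed streams (not taken from the POC file): three 6-bit fields each.
   GOOD_STREAM packs the multipliers 5, 12, 7; BAD_STREAM packs 5, 0, 7. */
static const uint8_t GOOD_STREAM[] = { 0x14, 0xC1, 0xC0 };
static const uint8_t BAD_STREAM[]  = { 0x14, 0x01, 0xC0 };

int main(void)
{
    int mul[3], val;
    printf("good stream: rc=%d\n", read_multipliers(GOOD_STREAM, sizeof GOOD_STREAM, mul));
    printf("bad stream:  rc=%d\n", read_multipliers(BAD_STREAM, sizeof BAD_STREAM, mul));
    if (scale_checked(100, 4, &val) == 0)
        printf("scaled: %d\n", val);
    printf("zero divisor rejected: rc=%d\n", scale_checked(100, 0, &val));
    return 0;
}
```

Rejecting the zero multiplier at the point where it is parsed is the cheaper fix, because it runs once per row rather than once per pixel and gives the caller a clean error for a corrupt file; keeping the guard inside the division as well costs little and protects any other path that reaches the same arithmetic.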