Bug 1500553
Summary: it is a stack-overflow vulnerability in lsx_ms_adpcm_block_expand_i (in adpcm.c:126)

Product: Fedora
Component: sox
Version: 26
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Keywords: Security
Type: Bug
Target Milestone: ---
Target Release: ---
Fixed In Version: sox-14.4.2.0-16.fc27 sox-14.4.2.0-17.fc26
Last Closed: 2018-02-14 17:28:27 UTC
Regression: ---
Documentation: ---
Doc Type: If docs needed, set a value
Story Points: ---
Mount Type: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Reporter: Liu Zhu <fantasy7082>
Assignee: Jiri Kucera <jkucera>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: felix, fkluknav, hhorak, hobbes1069, psampaio
sox-14.4.2.0-16.fc27 has been submitted as an update to Fedora 27.
https://bodhi.fedoraproject.org/updates/FEDORA-2018-ec93095a73

sox-14.4.2.0-16.fc26 has been submitted as an update to Fedora 26.
https://bodhi.fedoraproject.org/updates/FEDORA-2018-790e7e720d

sox-14.4.2.0-16.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-790e7e720d

sox-14.4.2.0-16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ec93095a73

sox-14.4.2.0-17.fc26 has been submitted as an update to Fedora 26.
https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa1bf1711d

sox-14.4.2.0-17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa1bf1711d

sox-14.4.2.0-16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
upstream discussion:
https://sourceforge.net/p/sox/mailman/sox-devel/thread/CAG_ZyaA_WyTTEWeGYPUhG95M3wOv64vTqn8jeH4JYvgMnx83Tw@mail.gmail.com/#msg36128861

patch origin:
https://sourceforge.net/p/sox/mailman/sox-devel/thread/20171120110535.14410-1-mans@mansr.com/#msg36129559

(In reply to Jiri Kucera from comment #8)
> upstream discussion:
> https://sourceforge.net/p/sox/mailman/sox-devel/thread/
> CAG_ZyaA_WyTTEWeGYPUhG95M3wOv64vTqn8jeH4JYvgMnx83Tw.com/
> #msg36128861
>
> patch origin:
> https://sourceforge.net/p/sox/mailman/sox-devel/thread/20171120110535.14410-
> 1-mans/#msg36129559

links messed up, again:

upstream discussion:
https://sourceforge.net/p/sox/mailman/sox-devel/thread/CAG_ZyaBLxUKk_xmrvn2YfnVLNRE_Rzxe+cYBC5CJtK_xWrVvNw@mail.gmail.com/#msg36121067

patch origin:
https://bogomips.org/sox.git/patch/?id=3f7ed312614649e2695b54b398475d32be4f64f3

sox-14.4.2.0-17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Description:

Created attachment 1336957 [details]
poc_file

Version-Release number of selected component (if applicable):
SoX v14.4.2

How reproducible:

Steps to Reproduce:
./sox crash_sample/01-stack-overflow out.snd

=================================================================
==55065==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5824d054 at pc 0x00000052297c bp 0x7fff5824cf90 sp 0x7fff5824cf80
WRITE of size 2 at 0x7fff5824d054 thread T0
    #0 0x52297b in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:126
    #1 0x50cb22 in AdpcmReadBlock /root/sox_ASAN/src/wav.c:178
    #2 0x513537 in read_samples /root/sox_ASAN/src/wav.c:1133
    #3 0x4df41a in sox_read /root/sox_ASAN/src/formats.c:978
    #4 0x40d473 in sox_read_wide /root/sox_ASAN/src/sox.c:490
    #5 0x40de4a in combiner_drain /root/sox_ASAN/src/sox.c:552
    #6 0x424af0 in drain_effect /root/sox_ASAN/src/effects.c:352
    #7 0x425cdd in sox_flow_effects /root/sox_ASAN/src/effects.c:445
    #8 0x4189fb in process /root/sox_ASAN/src/sox.c:1802
    #9 0x420be9 in main /root/sox_ASAN/src/sox.c:3008
    #10 0x7fbadeb0b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x40a658 in _start (/root/sox_ASAN/src/sox+0x40a658)

Address 0x7fff5824d054 is located in stack of thread T0 at offset 68 in frame
    #0 0x5227bb in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:112

  This frame has 1 object(s):
    [32, 64) 'state' <== Memory access at offset 68 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/sox_ASAN/src/adpcm.c:126 lsx_ms_adpcm_block_expand_i
Shadow bytes around the buggy address:
  0x10006b0419b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006b041a00: 00 00 f1 f1 f1 f1 00 00 00 00[f3]f3 f3 f3 00 00
  0x10006b041a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a50: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==55065==ABORTING

Additional info:
Name:Liuzhu
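The ASan report above says the frame holds a single 32-byte object, 'state', and the faulting store is 2 bytes wide at offset 68, i.e. 4 bytes past the end of that object. That is the signature of a loop that fills a fixed-size per-channel state array using a channel count taken straight from the file header. The C program below is an added example, not SoX's own code and not the upstream patch linked in the comments: it models that pattern next to a hardened form, and adds a container-level triage check on the WAVE 'fmt ' chunk. Everything in it is an assumption made for the illustration: the 4-entry, 8-byte-per-entry state array, the function and error-code names, and the constructed sample block. The 7-byte per-channel MS-ADPCM block header layout and the 7-pair predictor table are the standard ones for that codec.

```c
/* Added example modelling the crash shape in the report; not SoX code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ADPCM_CHANS   4      /* assumed size of the fixed state array */
#define MS_ADPCM_CHAN_HDR 7      /* bpred(1) + delta(2) + sample1(2) + sample2(2) */
#define MS_ADPCM_NCOEF    7
#define WAVE_FORMAT_ADPCM 0x0002

typedef struct {
    int32_t step;      /* current delta */
    int16_t coef[2];   /* predictor coefficients */
} chan_state_t;        /* 8 bytes; four entries = a 32-byte object like 'state' above */

enum { ADPCM_OK = 0, ADPCM_E_CHANS = -1, ADPCM_E_SHORT = -2, ADPCM_E_BPRED = -3 };

/* Standard MS-ADPCM predictor table (7 coefficient pairs). */
static const int16_t ms_coef[MS_ADPCM_NCOEF * 2] = {
    256, 0,  512, -256,  0, 0,  192, 64,  240, 0,  460, -208,  392, -232
};

static int16_t rd_le16(const unsigned char *p)
{
    return (int16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* Shape of the bug: the loop bound is the channel count from the WAV header,
 * the array bound is fixed. With chans == 5 the first out-of-bounds store is
 * state[4].coef[0]: a 2-byte write 4 bytes past a 32-byte object, which is
 * exactly what ASan printed. Returns channel 0's delta so the work is not
 * optimised away; only ever called here with a safe count. */
static int block_header_unchecked(unsigned chans, const unsigned char *blk)
{
    chan_state_t state[MAX_ADPCM_CHANS];
    const unsigned char *ip = blk;
    for (unsigned ch = 0; ch < chans; ch++) {          /* no chans <= 4 check */
        unsigned bpred = *ip++;
        if (bpred >= MS_ADPCM_NCOEF) bpred = 0;
        state[ch].coef[0] = ms_coef[bpred * 2];         /* ch == 4 overflows */
        state[ch].coef[1] = ms_coef[bpred * 2 + 1];
        state[ch].step = rd_le16(ip);
        ip += MS_ADPCM_CHAN_HDR - 1;
    }
    return state[0].step;
}

/* Hardened form: reject the channel count before it indexes anything, and
 * require the block to hold one full header per channel. */
static int block_header_checked(unsigned chans, const unsigned char *blk,
                                size_t blk_len, chan_state_t *state)
{
    if (chans == 0 || chans > MAX_ADPCM_CHANS)
        return ADPCM_E_CHANS;
    if (blk_len < (size_t)chans * MS_ADPCM_CHAN_HDR)
        return ADPCM_E_SHORT;
    const unsigned char *ip = blk;
    for (unsigned ch = 0; ch < chans; ch++) {
        unsigned bpred = *ip++;
        if (bpred >= MS_ADPCM_NCOEF)
            return ADPCM_E_BPRED;
        state[ch].coef[0] = ms_coef[bpred * 2];
        state[ch].coef[1] = ms_coef[bpred * 2 + 1];
        state[ch].step = rd_le16(ip);
        ip += MS_ADPCM_CHAN_HDR - 1;                   /* delta, sample1, sample2 */
    }
    return ADPCM_OK;
}

/* Container-level triage: given a WAVE 'fmt ' chunk payload (wFormatTag at
 * offset 0, nChannels at offset 2, both LE u16), flag an MS-ADPCM file that
 * declares more channels than the decoder's state array can hold. */
static int fmt_chunk_channels_ok(const unsigned char *fmt, size_t len)
{
    if (len < 4) return 0;
    unsigned tag   = fmt[0] | ((unsigned)fmt[1] << 8);
    unsigned chans = fmt[2] | ((unsigned)fmt[3] << 8);
    if (tag != WAVE_FORMAT_ADPCM) return 1;            /* not this decoder */
    return chans >= 1 && chans <= MAX_ADPCM_CHANS;
}

/* Constructed sample block: two channel headers, predictor 1 / delta 16 and
 * predictor 6 / delta 32, sample1 and sample2 left zero. */
static const unsigned char sample_block_2ch[2 * MS_ADPCM_CHAN_HDR] = {
    0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x06, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    chan_state_t st[MAX_ADPCM_CHANS];
    printf("unchecked, 2 ch: delta0=%d\n", block_header_unchecked(2, sample_block_2ch));
    printf("checked, 2 ch: %d\n", block_header_checked(2, sample_block_2ch, sizeof sample_block_2ch, st));
    printf("checked, 6 ch: %d (rejected before any store)\n",
           block_header_checked(6, sample_block_2ch, sizeof sample_block_2ch, st));
    return 0;
}
```

The point of the two functions side by side is where the check sits: the channel count must be validated before it is used as an index, not after the loop, and the check belongs at the boundary where the value enters from the file (here the 'fmt ' chunk), with the decoder keeping its own guard in case it is reached by another path. To confirm a build carries the distribution fix, feed the attached poc_file to an ASan build and check that the decoder returns an error rather than the stack-buffer-overflow report above.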