Bug 1500553

Summary: it is a stack-overflow vulnerability in lsx_ms_adpcm_block_expand_i (in adpcm.c:126)
Product: Fedora
Component: sox
Reporter: Liu Zhu <fantasy7082>
Assignee: Jiri Kucera <jkucera>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Version: 26
CC: felix, fkluknav, hhorak, hobbes1069, psampaio
Keywords: Security
Hardware: x86_64
OS: Linux
Fixed In Version: sox-14.4.2.0-16.fc27 sox-14.4.2.0-17.fc26
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2018-02-14 17:28:27 UTC
Attachments: poc_file (flags: none)

Description Liu Zhu 2017-10-11 02:09:51 UTC
Created attachment 1336957: poc_file

Version-Release number of selected component (if applicable):
SoX v14.4.2

How reproducible:


Steps to Reproduce:
./sox crash_sample/01-stack-overflow out.snd
=================================================================
==55065==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5824d054 at pc 0x00000052297c bp 0x7fff5824cf90 sp 0x7fff5824cf80
WRITE of size 2 at 0x7fff5824d054 thread T0
    #0 0x52297b in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:126
    #1 0x50cb22 in AdpcmReadBlock /root/sox_ASAN/src/wav.c:178
    #2 0x513537 in read_samples /root/sox_ASAN/src/wav.c:1133
    #3 0x4df41a in sox_read /root/sox_ASAN/src/formats.c:978
    #4 0x40d473 in sox_read_wide /root/sox_ASAN/src/sox.c:490
    #5 0x40de4a in combiner_drain /root/sox_ASAN/src/sox.c:552
    #6 0x424af0 in drain_effect /root/sox_ASAN/src/effects.c:352
    #7 0x425cdd in sox_flow_effects /root/sox_ASAN/src/effects.c:445
    #8 0x4189fb in process /root/sox_ASAN/src/sox.c:1802
    #9 0x420be9 in main /root/sox_ASAN/src/sox.c:3008
    #10 0x7fbadeb0b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x40a658 in _start (/root/sox_ASAN/src/sox+0x40a658)

Address 0x7fff5824d054 is located in stack of thread T0 at offset 68 in frame
    #0 0x5227bb in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:112

  This frame has 1 object(s):
    [32, 64) 'state' <== Memory access at offset 68 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/sox_ASAN/src/adpcm.c:126 lsx_ms_adpcm_block_expand_i
Shadow bytes around the buggy address:
  0x10006b0419b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006b041a00: 00 00 f1 f1 f1 f1 00 00 00 00[f3]f3 f3 f3 00 00
  0x10006b041a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a50: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==55065==ABORTING
Additional info:

Name: Liuzhu
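
The ASan report above carries everything a triager needs to size the defect: the access kind and width, the faulting frame, and the stack object the write landed beyond. The following is an added example (not part of this bug report and not SoX code) that parses those fields out of the report text and computes how far past the named object the access fell. The sample input is the first part of the report from this bug, reproduced as a constant; the regular expressions and the AsanFinding structure are this example's own.

```python
"""Triage helper for AddressSanitizer stack-buffer-overflow reports.

Added example (not part of the bug report or of SoX): pulls the fields a
triager needs out of ASan's text output and works out how far past the
named stack object the faulting access landed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the leading lines of the ASan report in this bug.
SAMPLE_REPORT = """\
==55065==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5824d054 at pc 0x00000052297c bp 0x7fff5824cf90 sp 0x7fff5824cf80
WRITE of size 2 at 0x7fff5824d054 thread T0
    #0 0x52297b in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:126
    #1 0x50cb22 in AdpcmReadBlock /root/sox_ASAN/src/wav.c:178
    #2 0x513537 in read_samples /root/sox_ASAN/src/wav.c:1133

Address 0x7fff5824d054 is located in stack of thread T0 at offset 68 in frame
    #0 0x5227bb in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:112

  This frame has 1 object(s):
    [32, 64) 'state' <== Memory access at offset 68 overflows this variable
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/sox_ASAN/src/adpcm.c:126 lsx_ms_adpcm_block_expand_i
"""

# Patterns for the ASan lines this helper understands.
_ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
# Symbolized frames look like "#0 0x52297b in func /path/file.c:126".
_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)$", re.M)
_OFFSET_RE = re.compile(r"at offset (\d+) in frame")
# Frame object lines look like "[32, 64) 'state' <== Memory access ...".
_OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'(.*)$", re.M)


@dataclass
class AsanFinding:
    error_kind: str
    access: str            # "READ" or "WRITE"
    access_size: int       # bytes touched by the faulting access
    function: str          # innermost frame of the crash stack
    file: str
    line: int
    object_name: Optional[str]
    object_start: Optional[int]   # frame offsets, as ASan reports them
    object_end: Optional[int]     # exclusive
    access_offset: Optional[int]

    @property
    def bytes_past_end(self) -> Optional[int]:
        """Distance from the end of the named object to the faulting access."""
        if self.object_end is None or self.access_offset is None:
            return None
        return self.access_offset - self.object_end


def parse_asan_report(text: str) -> AsanFinding:
    """Extract the triage fields from an ASan report; raise if it is not one."""
    err = _ERROR_RE.search(text)
    acc = _ACCESS_RE.search(text)
    frames = _FRAME_RE.findall(text)
    if not (err and acc and frames):
        raise ValueError("not a recognisable AddressSanitizer report")
    # findall keeps document order, so frames[0] is the crash site, not the
    # later "#0 ... in frame" line that describes the enclosing stack frame.
    _, function, path, line = frames[0]
    off = _OFFSET_RE.search(text)
    obj = next((m for m in _OBJECT_RE.finditer(text)
                if "overflows this variable" in m.group(4)), None)
    return AsanFinding(
        error_kind=err.group(1),
        access=acc.group(1),
        access_size=int(acc.group(2)),
        function=function,
        file=path,
        line=int(line),
        object_name=obj.group(3) if obj else None,
        object_start=int(obj.group(1)) if obj else None,
        object_end=int(obj.group(2)) if obj else None,
        access_offset=int(off.group(1)) if off else None,
    )


def summarize(finding: AsanFinding) -> str:
    """One-line triage summary, e.g. for a tracker comment."""
    where = f"{finding.function} ({finding.file}:{finding.line})"
    past = finding.bytes_past_end
    tail = (f", {past} byte(s) past the end of '{finding.object_name}'"
            if past is not None else "")
    return (f"{finding.error_kind}: {finding.access} of {finding.access_size}"
            f" byte(s) in {where}{tail}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Reading the result against the report: 'state' occupies frame offsets [32, 64), so a 2-byte write at offset 68 lands 4 bytes past its end, which is the pattern of an index running past the end of a small fixed-size array. A write (rather than a read) past a stack object is the case to prioritise, because it reaches whatever the compiler placed after the array.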

Comment 1 Fedora Update System 2018-02-01 14:18:44 UTC
sox-14.4.2.0-16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ec93095a73

Comment 2 Fedora Update System 2018-02-01 14:29:50 UTC
sox-14.4.2.0-16.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-790e7e720d

Comment 3 Fedora Update System 2018-02-01 19:10:47 UTC
sox-14.4.2.0-16.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-790e7e720d

Comment 4 Fedora Update System 2018-02-01 19:33:16 UTC
sox-14.4.2.0-16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ec93095a73

Comment 5 Fedora Update System 2018-02-06 23:00:57 UTC
sox-14.4.2.0-17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa1bf1711d

Comment 6 Fedora Update System 2018-02-07 13:51:12 UTC
sox-14.4.2.0-17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa1bf1711d

Comment 7 Fedora Update System 2018-02-14 17:28:27 UTC
sox-14.4.2.0-16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Jiri Kucera 2018-02-17 12:00:27 UTC
(In reply to Jiri Kucera from comment #8)
> upstream discussion:
> https://sourceforge.net/p/sox/mailman/sox-devel/thread/
> CAG_ZyaA_WyTTEWeGYPUhG95M3wOv64vTqn8jeH4JYvgMnx83Tw.com/
> #msg36128861
> 
> patch origin:
> https://sourceforge.net/p/sox/mailman/sox-devel/thread/20171120110535.14410-
> 1-mans/#msg36129559

links messed up, again:

upstream discussion: https://sourceforge.net/p/sox/mailman/sox-devel/thread/CAG_ZyaBLxUKk_xmrvn2YfnVLNRE_Rzxe+cYBC5CJtK_xWrVvNw@mail.gmail.com/#msg36121067

patch origin: https://bogomips.org/sox.git/patch/?id=3f7ed312614649e2695b54b398475d32be4f64f3

Comment 10 Fedora Update System 2018-02-20 16:37:15 UTC
sox-14.4.2.0-17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.