Bug 1500554
Summary: | It is a heap-buffer-overflow in ImaExpandS (in ima_rw.c:126)
---|---
Product: | [Fedora] Fedora
Component: | sox
Version: | 26
Hardware: | x86_64
OS: | Linux
Status: | CLOSED ERRATA
Severity: | high
Priority: | unspecified
Keywords: | Security
Type: | Bug
Reporter: | Liu Zhu <fantasy7082>
Assignee: | Jiri Kucera <jkucera>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | felix, fkluknav, hhorak, hobbes1069, psampaio
Fixed In Version: | sox-14.4.2.0-14.fc26 sox-14.4.2.0-14.fc27
Last Closed: | 2018-01-23 21:17:51 UTC

This bug has been fixed by the patch: https://github.com/mansr/sox/commit/ef3d8be0f80cbb650e4766b545d61e10d7a24c9e.patch

Thread with the related discussion on upstream: https://sourceforge.net/p/sox/mailman/sox-devel/thread/CAG_ZyaDcmDNEHRr2WBR2fPcXtu_kd5OdpRVTbhDe1YQZQA2c9w%40mail.gmail.com/#msg36103130

Link to commit (rawhide, f27, f26): https://src.fedoraproject.org/rpms/sox/c/7e448dcd69d072ba5bc1a3a6d84bc381199cd21b?branch=master

Also resolves [ https://bugzilla.redhat.com/show_bug.cgi?id=1510917 ]

sox-14.4.2.0-14.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b528f28c59

sox-14.4.2.0-14.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b26768593c

sox-14.4.2.0-14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b528f28c59

sox-14.4.2.0-14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b26768593c

sox-14.4.2.0-14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

sox-14.4.2.0-14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 1336958 [details]
poc_file

Version-Release number of selected component (if applicable):
SoX v14.4.2

How reproducible:

```
./sox crash_sample/02-heap-buffer-over tt.snd
=================================================================
==20977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006852 at pc 0x00000052caf3 bp 0x7ffd183bb2d0 sp 0x7ffd183bb2c0
WRITE of size 2 at 0x619000006852 thread T0
    #0 0x52caf2 in ImaExpandS /root/sox_ASAN/src/ima_rw.c:126
    #1 0x52cb62 in lsx_ima_block_expand_i /root/sox_ASAN/src/ima_rw.c:142
    #2 0x50c7b3 in ImaAdpcmReadBlock /root/sox_ASAN/src/wav.c:141
    #3 0x5134eb in read_samples /root/sox_ASAN/src/wav.c:1131
    #4 0x4df41a in sox_read /root/sox_ASAN/src/formats.c:978
    #5 0x40d473 in sox_read_wide /root/sox_ASAN/src/sox.c:490
    #6 0x40de4a in combiner_drain /root/sox_ASAN/src/sox.c:552
    #7 0x424af0 in drain_effect /root/sox_ASAN/src/effects.c:352
    #8 0x425cdd in sox_flow_effects /root/sox_ASAN/src/effects.c:445
    #9 0x4189fb in process /root/sox_ASAN/src/sox.c:1802
    #10 0x420be9 in main /root/sox_ASAN/src/sox.c:3008
    #11 0x7f4870b2a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x40a658 in _start (/root/sox_ASAN/src/sox+0x40a658)

0x619000006852 is located 0 bytes to the right of 978-byte region [0x619000006480,0x619000006852)
allocated by thread T0 here:
    #0 0x7f4871e39961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x4e1b37 in lsx_realloc /root/sox_ASAN/src/xmalloc.c:37
    #2 0x51132e in startread /root/sox_ASAN/src/wav.c:829
    #3 0x4db176 in open_read /root/sox_ASAN/src/formats.c:545
    #4 0x4db9ad in sox_open_read /root/sox_ASAN/src/formats.c:585
    #5 0x4200fc in main /root/sox_ASAN/src/sox.c:2945
    #6 0x7f4870b2a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sox_ASAN/src/ima_rw.c:126 ImaExpandS
Shadow bytes around the buggy address:
  0x0c327fff8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8d00: 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa
  0x0c327fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
==20977==ABORTING
```

Additional info:
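
Added example, not part of the original report or of the SoX project: a small Python parser that reduces the AddressSanitizer output quoted in this bug to the faulting frame, the allocation site and the overrun size, and cross-checks the `[02]` shadow byte against the 978-byte region. The `WRAPPERS` skip list is an assumption of the example, and `SHADOW_OFFSET` is ASan's default for x86_64 Linux.

```python
import re

# Lines copied from the AddressSanitizer report quoted in this bug.
REPORT = """\
==20977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006852 at pc 0x00000052caf3 bp 0x7ffd183bb2d0 sp 0x7ffd183bb2c0
WRITE of size 2 at 0x619000006852 thread T0
    #0 0x52caf2 in ImaExpandS /root/sox_ASAN/src/ima_rw.c:126
    #1 0x52cb62 in lsx_ima_block_expand_i /root/sox_ASAN/src/ima_rw.c:142
0x619000006852 is located 0 bytes to the right of 978-byte region [0x619000006480,0x619000006852)
allocated by thread T0 here:
    #0 0x7f4871e39961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x4e1b37 in lsx_realloc /root/sox_ASAN/src/xmalloc.c:37
    #2 0x51132e in startread /root/sox_ASAN/src/wav.c:829
=>0x0c327fff8d00: 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa
"""

SHADOW_OFFSET = 0x7FFF8000  # ASan's default shadow offset on x86_64 Linux
WRAPPERS = {"malloc", "calloc", "realloc", "lsx_realloc"}  # assumption: frames to skip
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$", re.M)


def triage(report):
    """Reduce an ASan heap-overflow report to the facts a maintainer needs."""
    kind, addr = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report).groups()
    access, size = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M).groups()
    off, side, rsize, _lo, hi = re.search(
        r"located (\d+) bytes to the (left|right) of (\d+)-byte region "
        r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report).groups()
    addr, size, off, hi = int(addr, 16), int(size), int(off), int(hi, 16)
    fault_stack, _, alloc_stack = report.partition("allocated by thread")
    alloc = [f for f in FRAME.findall(alloc_stack) if f[0] not in WRAPPERS]
    # Shadow memory: one byte per 8-byte granule; a value k in 1..7 means only
    # the first k bytes of that granule are addressable.
    base, row = re.search(r"^=>(0x[0-9a-f]+):(.*)$", report, re.M).groups()
    before, marked = row.split("[")
    index = len(re.findall(r"[0-9a-f]{2}", before))
    return {
        "kind": kind, "access": access,
        "fault": FRAME.search(fault_stack).groups(),
        "alloc_site": alloc[0],
        "region_size": int(rsize),
        "bytes_past_end": off + size if side == "right" else 0,
        "shadow_matches": int(base, 16) + index == (addr >> 3) + SHADOW_OFFSET,
        "tail_bytes_ok": int(marked[:2], 16) == hi % 8,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

The result pairs the write in `ImaExpandS` (ima_rw.c:126) with the buffer allocated in `startread` (wav.c:829), which is where the size of the decode buffer and the block parameters read from the file have to be reconciled.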