Bug 1501695
| Summary: | NULL Pointer Dereference vulneribility in libextractor EXTRACTOR_nsf_extract_method | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Leon <leon.zhao.7> | ||||
| Component: | libextractor | Assignee: | Gwyn Ciesla <gwync> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 27 | CC: | gwync, sheltren | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | libextractor-1.6-1.fc26 libextractor-1.6-1.fc25 libextractor-1.6-1.fc27 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-10-30 16:18:15 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16 libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16 libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 1338044 [details] POC file that crashing libextract Description of problem: libextract make a NULL pointer dereference when parse nsf file, the code is in nsf_extractor.c line 164 164 if (memcmp (head->magicid, "NESM\x1a", 5)) head was null when memcmp calls Version-Release number of selected component (if applicable): libextract v1.4 How reproducible: ./extract -i $POC The output with address sanitizer enabled ./extract -i extract-nsf_extract_method-nsf_extractor-164.crash Keywords for file extract-nsf_extract_method-nsf_extractor-164.crash: ASAN:SIGSEGV ================================================================= ==40794==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f867ba8c0b0 bp 0x7ffc6d83cd10 sp 0x7ffc6d83c498 T0) #0 0x7f867ba8c0af (/lib/x86_64-linux-gnu/libc.so.6+0x16f0af) #1 0x7f867bfda74e in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7774e) #2 0x7f867773df8d in EXTRACTOR_nsf_extract_method /root/libextractor-1.4/src/plugins/nsf_extractor.c:164 #3 0x7f867bd02792 in do_extract /root/libextractor-1.4/src/main/extractor.c:577 #4 0x7f867bd02b98 in EXTRACTOR_extract /root/libextractor-1.4/src/main/extractor.c:655 #5 0x4044c9 in main /root/libextractor-1.4/src/main/extract.c:977 #6 0x7f867b93d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #7 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 ?? ==40794==ABORTING gdb and backtrace (gdb) run -i extract-nsf_extract_method-nsf_extractor-164.crash Starting program: /opt/asan/bin/extract -i extract-nsf_extract_method-nsf_extractor-164.crash [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Keywords for file extract-nsf_extract_method-nsf_extractor-164.crash: Program received signal SIGSEGV, Segmentation fault. __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:878 878 ../sysdeps/x86_64/multiarch/memcmp-sse4.S: No such file or directory. (gdb) bt #0 __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:878 #1 0x00007ffff6ee174f in memcmp () from /usr/lib/x86_64-linux-gnu/libasan.so.2 #2 0x00007ffff263df8e in EXTRACTOR_nsf_extract_method (ec=0x7fffffffa050) at nsf_extractor.c:164 #3 0x00007ffff6c09793 in do_extract (plugins=0x60800000b5a0, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577 #4 0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b5a0, filename=0x60b00000aba9 "extract-nsf_extract_method-nsf_extractor-164.crash", data=0x0, size=0, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655 #5 0x00000000004044ca in main (argc=3, argv=0x7fffffffe4b8) at extract.c:977 (gdb) f 2 #2 0x00007ffff263df8e in EXTRACTOR_nsf_extract_method (ec=0x7fffffffa050) at nsf_extractor.c:164 164 if (memcmp (head->magicid, "NESM\x1a", 5)) (gdb) p head $1 = (const struct header *) 0x0 Actual results: crash Expected results: crash Additional info: This vulnerability is detected Zhao Liang, Huawei Weiran Labs