Bug 1678295 (CVE-2019-8356)
Summary: | CVE-2019-8356 sox: stack-based buffer overflow in bitrv2 in fft4g.c | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | felix, hhorak, hobbes1069, jkucera |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-27 03:25:21 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1678296, 1680176 | ||
Bug Blocks: | 1678305 |
Description
Dhananjay Arunesh
2019-02-18 12:55:53 UTC
Created sox tracking bugs for this issue: Affects: fedora-all [bug 1678296] ``` Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7b54a8d in bitrv2 (n=1048576, ip0=0x615a68, a=0x7ffff650a010) at fft4g.c:807 807 } (gdb) bt #0 0x00007ffff7b54a8d in bitrv2 (n=1048576, ip0=0x615a68, a=0x7ffff650a010) at fft4g.c:807 ``` Eventually, below, we generate a m that is 256 when n is 1048576. ``` │709 static void bitrv2(int n, int *ip0, double *a) │ │710 { │ │711 int j, j1, k, k1, l, m, m2, ip[256]; │ │712 double xr, xi, yr, yi; │ │713 │ │714 (void)ip0; │ B+ │715 ip[0] = 0; │ │716 l = n; │ │717 m = 1; │ >│718 while ((m << 3) < l) { │ │719 l >>= 1; │ │720 for (j = 0; j < m; j++) { │ │721 ip[m + j] = ip[j] + l; │ │722 } │ B+ │723 m <<= 1; │ │724 } ``` m << 3 in this case is 2048, which is less than l, which is 4096 at this point in time. ip[m+j] starts at ip[256 + 0], which is already out of bounds. We continue writing past that, hence a classic stack buffer overflow. ``` (gdb) print ip[256] $51 = -9040 (gdb) n (gdb) print ip[256] $52 = 2048 ``` I don't believe Red Hat Enterprise Linux 6 is affected. Only the 7 build of sox seems to have the hardcoded ip[256] array. Strange. Also, the same file has this: ```c static void bitrv2conj(int n, int *ip0, double *a) { int j, j1, k, k1, l, m, m2, ip[256]; ``` Looks like the same flaw. Unclear if it is trigger-able, but I'll let upstream know just in case. Presumably the same fix. |