Bug 1679952

Summary: Stack buffer overflow in gpsinfo.c when running jhead
Product: [Fedora] Fedora EPEL
Reporter: Jianzhong Liu <j.zhong0>
Component: jhead
Assignee: Adrian Reber <adrian>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: epel7
CC: adrian, j.zhong0, ludovic.rousseau
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: jhead-3.03-4.fc30 jhead-3.03-4.fc29
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-14 01:05:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Description: Input triggering the bug (Flags: none)

Description Jianzhong Liu 2019-02-22 10:34:29 UTC
Created attachment 1537431: Input triggering the bug

Description of problem: 
Some inputs may trigger a stack buffer overflow in jhead.

Version-Release number of selected component (if applicable):
jhead-3.03

How reproducible:
Stable

Steps to Reproduce:
1. Run jhead with the attached input

Actual results:
Running with default settings:

jhead SBO_gpsinfo.c:150:17_asan_plain_nocrash

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 11 padding bytes before section E1

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 12 padding bytes before section E1

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegally sized Exif subdirectory (229 entries)

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 10 padding bytes before section E1

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 35 for tag 0000 in Exif

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Too many components 2013278224 for tag 0000 in Exif

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 16 for tag 5132 in Exif

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal GPS directory link in Exif

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 16 for Exif gps tag 002a

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 69 for Exif gps tag 0004

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Inappropriate format (11) for Exif GPS coordinates!
*** buffer overflow detected ***: jhead terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f0c7ae239e7]
/lib64/libc.so.6(+0x115b62)[0x7f0c7ae21b62]
/lib64/libc.so.6(+0x11506b)[0x7f0c7ae2106b]
/lib64/libc.so.6(+0x506ba)[0x7f0c7ad5c6ba]
/lib64/libc.so.6(_IO_vfprintf+0x4ed7)[0x7f0c7ad59357]
/lib64/libc.so.6(__vsprintf_chk+0x88)[0x7f0c7ae210f8]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7f0c7ae2104d]
jhead[0x408e1b]
jhead[0x406fb5]
jhead[0x4071e3]
jhead[0x40465b]
jhead[0x4047ed]
jhead[0x402b5e]
jhead[0x4017e4]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f0c7ad2e3d5]
jhead[0x402270]
======= Memory map: ========
00400000-00410000 r-xp 00000000 08:01 3543787                            /usr/bin/jhead
00610000-00611000 r--p 00010000 08:01 3543787                            /usr/bin/jhead
00611000-00612000 rw-p 00011000 08:01 3543787                            /usr/bin/jhead
00612000-00617000 rw-p 00000000 00:00 0
01630000-01651000 rw-p 00000000 00:00 0                                  [heap]
7f0c7aaf6000-7f0c7ab0b000 r-xp 00000000 08:01 3286373                    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ab0b000-7f0c7ad0a000 ---p 00015000 08:01 3286373                    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0a000-7f0c7ad0b000 r--p 00014000 08:01 3286373                    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0b000-7f0c7ad0c000 rw-p 00015000 08:01 3286373                    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0c000-7f0c7aece000 r-xp 00000000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7aece000-7f0c7b0ce000 ---p 001c2000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0ce000-7f0c7b0d2000 r--p 001c2000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0d2000-7f0c7b0d4000 rw-p 001c6000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0d4000-7f0c7b0d9000 rw-p 00000000 00:00 0
7f0c7b0d9000-7f0c7b1da000 r-xp 00000000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b1da000-7f0c7b3d9000 ---p 00101000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3d9000-7f0c7b3da000 r--p 00100000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3da000-7f0c7b3db000 rw-p 00101000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3db000-7f0c7b3fd000 r-xp 00000000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5f5000-7f0c7b5f8000 rw-p 00000000 00:00 0
7f0c7b5f9000-7f0c7b5fc000 rw-p 00000000 00:00 0
7f0c7b5fc000-7f0c7b5fd000 r--p 00021000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5fd000-7f0c7b5fe000 rw-p 00022000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5fe000-7f0c7b5ff000 rw-p 00000000 00:00 0
7ffc6e3ac000-7ffc6e3cd000 rw-p 00000000 00:00 0                          [stack]
7ffc6e3df000-7ffc6e3e2000 r--p 00000000 00:00 0                          [vvar]
7ffc6e3e2000-7ffc6e3e4000 r-xp 00000000 00:00 0                          [vdso]
[1]    172 abort (core dumped)  jhead SBO_gpsinfo.c:150:17_asan_plain_nocrash

Stack backtrace according to gdb:

#0  0x00007f0c7ad42207 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f0c7ad438f8 in __GI_abort () at abort.c:90
#2  0x00007f0c7ad84d27 in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0x7f0c7ae95312 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007f0c7ae239e7 in __GI___fortify_fail (msg=msg@entry=0x7f0c7ae952b8 "buffer overflow detected")
    at fortify_fail.c:30
#4  0x00007f0c7ae21b62 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007f0c7ae2106b in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#6  0x00007f0c7ad5c6ba in __GI___printf_fp_l (fp=fp@entry=0x7ffc6e3c4670, loc=<optimized out>,
    info=info@entry=0x7ffc6e3c41e0, args=args@entry=0x7ffc6e3c41c0) at printf_fp.c:1235
#7  0x00007f0c7ad5c799 in ___printf_fp (fp=fp@entry=0x7ffc6e3c4670, info=info@entry=0x7ffc6e3c41e0,
    args=args@entry=0x7ffc6e3c41c0) at printf_fp.c:1256
#8  0x00007f0c7ad59357 in _IO_vfprintf_internal (s=s@entry=0x7ffc6e3c4670, format=<optimized out>,
    format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", ap=ap@entry=0x7ffc6e3c47a8) at vfprintf.c:1634
#9  0x00007f0c7ae210f8 in ___vsprintf_chk (
    s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\003c\001", flags=1, slen=50,
    format=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", args=args@entry=0x7ffc6e3c47a8) at vsprintf_chk.c:83
#10 0x00007f0c7ae2104d in ___sprintf_chk (
    s=s@entry=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\003c\001", flags=flags@entry=1,
    slen=slen@entry=50, format=format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs") at sprintf_chk.c:32
#11 0x0000000000408e1b in sprintf (__fmt=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs",
    __s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\003c\001") at /usr/include/bits/stdio2.h:33
#12 ProcessGpsInfo (DirStart=<optimized out>, OffsetBase=OffsetBase@entry=0x1630308 "II*",
    ExifLength=ExifLength@entry=2135) at gpsinfo.c:151
#13 0x0000000000406fb5 in ProcessExifDir (DirStart=0x1630318 "E", OffsetBase=OffsetBase@entry=0x1630308 "II*",
    ExifLength=ExifLength@entry=2135, NestingLevel=NestingLevel@entry=0) at exif.c:866
#14 0x00000000004071e3 in process_EXIF (ExifSection=ExifSection@entry=0x1630300 "\b_Exif", length=length@entry=2143)
    at exif.c:1041
#15 0x000000000040465b in ReadJpegSections (infile=infile@entry=0x1630070, ReadMode=ReadMode@entry=READ_METADATA)
    at jpgfile.c:287
#16 0x00000000004047ed in ReadJpegFile (
    FileName=FileName@entry=0x7ffc6e3cc8f5 "SBO_gpsinfo.c:150:17_asan_plain_nocrash", ReadMode=READ_METADATA)
    at jpgfile.c:375
#17 0x0000000000402b5e in ProcessFile (FileName=0x7ffc6e3cc8f5 "SBO_gpsinfo.c:150:17_asan_plain_nocrash")
    at jhead.c:905
#18 0x00000000004017e4 in main (argc=<optimized out>, argv=0x7ffc6e3cbd58) at jhead.c:1757

Expected results:
Not applicable

Additional info:

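The gdb frames above show sprintf() expanding "%9.6fd %9.6fm %9.6fs" into a 50-byte stack buffer (slen=50) with a value of roughly 1e34 that was decoded from the untrusted GPS tag, and glibc's fortify check aborting the write. The C program below is an added illustration and is not jhead's code nor the Debian patch: it shows that the 9 in %9.6f is a minimum field width, so the output grows with the magnitude of the value and nothing in the format bounds it, and it pairs that with a bounded snprintf() that reports truncation and a plausibility check on the coordinate values before anything is formatted. The buffer size, the format string and the large value are taken from the backtrace; the function names and the 180/60 degree-and-minute limits are assumptions made for this example.

```c
/* Added example, not jhead's code or the Debian patch: why "%9.6f" cannot
 * bound a fixed-size buffer, and a bounded replacement.  The 50-byte size
 * (slen=50) and the format string are taken from the backtrace; the function
 * names and the coordinate limits are assumptions made for this example. */
#include <math.h>
#include <stdio.h>
#include <string.h>

#define COORD_BUF 50                      /* slen=50 in the __sprintf_chk frame */
#define COORD_FMT "%9.6fd %9.6fm %9.6fs"  /* format string from the backtrace */

/* Bytes (excluding the NUL) that COORD_FMT produces for these values.
 * snprintf() with a zero-size buffer reports the full length without writing.
 * The 9 in %9.6f is a MINIMUM field width: a larger magnitude simply widens
 * the field, so nothing in the format limits the output. */
int coord_formatted_len(double d, double m, double s)
{
    return snprintf(NULL, 0, COORD_FMT, d, m, s);
}

/* Bounded formatting.  Never writes past buf[bufsize-1]; returns 1 when the
 * whole text fit and 0 when it would have been truncated (buf is then emptied
 * so a caller cannot use a half-written value by mistake). */
int format_coord_safe(char *buf, size_t bufsize, double d, double m, double s)
{
    int n = snprintf(buf, bufsize, COORD_FMT, d, m, s);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return 0;
    }
    return 1;
}

/* Input validation before formatting: real degree/minute/second values are
 * small, so values decoded from an untrusted EXIF GPS tag that fall outside
 * these (assumed) limits are rejected instead of being printed. */
int coord_plausible(double d, double m, double s)
{
    return isfinite(d) && isfinite(m) && isfinite(s)
        && d >= 0.0 && d <= 180.0
        && m >= 0.0 && m < 60.0
        && s >= 0.0 && s < 60.0;
}

int main(void)
{
    char buf[COORD_BUF];
    /* Constructed inputs: ordinary coordinates, and the value printed in frame #9 */
    double huge = 10399825331313022575963351482892288.0;

    printf("normal input needs %d bytes\n", coord_formatted_len(48.0, 51.0, 12.5));
    printf("crash input needs %d bytes, buffer holds %d\n",
           coord_formatted_len(huge, 0.0, 0.0), COORD_BUF);

    int ok = format_coord_safe(buf, sizeof buf, 48.0, 51.0, 12.5);
    printf("bounded, normal: fit=%d text=\"%s\"\n", ok, buf);
    ok = format_coord_safe(buf, sizeof buf, huge, 0.0, 0.0);
    printf("bounded, crash : fit=%d (plausible=%d)\n", ok, coord_plausible(huge, 0.0, 0.0));
    return 0;
}
```

With ordinary coordinates the formatted text is 32 bytes and fits; with the value from the backtrace the degrees field alone is 42 characters, so the text needs more than the 50 bytes the buffer holds. The bounded version refuses it, and the range check rejects it before formatting is attempted, which is the cheaper of the two defences for a parser of untrusted metadata.
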
Comment 1 Adrian Reber 2019-02-25 07:19:59 UTC
Have you contacted upstream about it? That would make more sense than reporting it here.

Comment 2 Jianzhong Liu 2019-02-26 02:34:35 UTC
(In reply to Adrian Reber from comment #1)
> Have you contacted upstream about it? That would make more sense than
> reporting it here.

I have sent the author an email regarding this bug, but the author has been unresponsive.

Comment 3 Ludovic Rousseau 2019-08-02 17:45:29 UTC
The upstream author is not very responsive.
Also jhead is a good example of an insecure parser for a complex format. I would not be surprised if more bugs are found.

For Debian I fixed this bug in https://salsa.debian.org/debian/jhead/commit/bf330c777cc911b9f8509ffec7458952789c81e2

Comment 4 Adrian Reber 2019-08-05 15:15:54 UTC
(In reply to Ludovic Rousseau from comment #3)
> The upstream author is not very responsive.
> Also jhead is a good example of an insecure parser for a complex format. I
> would not be surprised if more bugs are found.
> 
> For Debian I fixed this bug in
> https://salsa.debian.org/debian/jhead/commit/
> bf330c777cc911b9f8509ffec7458952789c81e2

Thanks for pointing me to your patches. I will use them in the next jhead builds.

Comment 5 Fedora Update System 2019-08-05 15:38:21 UTC
FEDORA-2019-17b95fecd3 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-17b95fecd3

Comment 6 Fedora Update System 2019-08-05 15:46:08 UTC
FEDORA-2019-441c2fb0d1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-441c2fb0d1

Comment 7 Fedora Update System 2019-08-06 01:27:15 UTC
jhead-3.03-4.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-441c2fb0d1

Comment 8 Fedora Update System 2019-08-06 03:49:27 UTC
jhead-3.03-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-17b95fecd3

Comment 9 Fedora Update System 2019-08-14 01:05:27 UTC
jhead-3.03-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2019-08-14 01:42:05 UTC
jhead-3.03-4.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.