Bug 2027690 (CVE-2021-4156)

Summary: CVE-2021-4156 libsndfile: heap out-of-bounds read in src/flac.c in flac_buffer_copy
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andreas, mhlavink
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: libsndfile 1.1.0 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-10 19:45:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2027692, 2030507, 2030508    
Bug Blocks: 2027694, 2034822    

Description Marian Rehak 2021-11-30 13:05:20 UTC
The vulnerability can lead to heap-based buffer overflow via a crafted sound file, and potentially control heap data by forge buffer content to perform heap exploitation.

Upstream Reference:


Comment 1 Marian Rehak 2021-11-30 13:05:33 UTC
Created libsndfile tracking bugs for this issue:

Affects: fedora-all [bug 2027692]

Comment 2 Todd Cullum 2021-12-09 00:54:00 UTC
Flaw summary:

There's an out-of-bounds READ possible in libsndfile's flac_buffer_copy() routine in flac.c. This could be triggered by a specially crafted file that is processed by a program linked with libsndfile.

Technical detail:

In the following for loop:

                                for (i = 0 ; i < len && pflac->remain > 0 ; i++)
                                {       offset = pflac->pos + i * channels ;

                                        if (pflac->bufferpos >= frame->header.blocksize)
                                                break ;

                                        if (offset + channels > pflac->len)
                                                break ;

                                        for (j = 0 ; j < channels ; j++)
                                                retpcm [offset + j] = ((uint32_t) buffer [j][pflac->bufferpos]) << shift ;
                                        pflac->remain -= channels ;
                                        pflac->bufferpos++ ;
                                        } ;
                                } ;

We see that there's an if check to ensure the loop terminates if pflac->bufferpos >= frame->header.blocksize.

In this case, frame->header.blocksize can be set to a value greater than the size of `buffer`, and since `buffer` is indexed by `pflac->bufferpos`, the loop will not terminate before causing an out-of-bounds read when reading `buffer`.

The upstream patch[1] introduces a check to prevent the above, and errors out upon failure.

1. https://github.com/libsndfile/libsndfile/pull/732/commits/4c30646abf7834e406f7e2429c70bc254e18beab

Comment 4 errata-xmlrpc 2022-05-10 14:35:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1968 https://access.redhat.com/errata/RHSA-2022:1968

Comment 5 Product Security DevOps Team 2022-05-10 19:45:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):