Hide Forgot
Created attachment 1291986 [details] Triggered by "exiv POC1" Description of problem: There is an ivalid free in Image::printIFDStructure that leads to a Segmentation fault at exiv2. A crafted input will lead to remote denial of service attack. Version-Release number of selected component (if applicable): <= 0.26 How reproducible: exiv2 POC1 Steps to Reproduce: $./exiv2 POC1 invalid type value detected in Image::printIFDStructure: 32768 Exiv2 exception in print action for file POC1: invalid type value detected in Image::printIFDStructure Segmentation fault The gdb debugging information is as follows: (gdb) set args POC1 (gdb) r ... invalid type value detected in Image::printIFDStructure Program received signal SIGSEGV, Segmentation fault. __GI___libc_free (mem=0x656400) at malloc.c:2933 2933 malloc.c: No such file or directory. (gdb) bt #0 __GI___libc_free (mem=0x656400) at malloc.c:2933 #1 0x00007ffff745b823 in __gnu_cxx::new_allocator<char>::deallocate ( __p=0x656400 <error: Cannot access memory at address 0x656400>, this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/ext/new_allocator.h:110 #2 __gnu_cxx::__alloc_traits<std::allocator<char> >::deallocate ( __p=0x656400 <error: Cannot access memory at address 0x656400>, __a=..., __n=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/ext/alloc_traits.h:185 #3 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy (this=<optimized out>, __size=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/basic_string.h:185 #4 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose (this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/basic_string.h:180 #5 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string ( this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/basic_string.h:544 #6 std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::~pair ( this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_pair.h:96 #7 __gnu_cxx::new_allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::destroy (this=<optimized out>, __p=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/ext/new_allocator.h:133 #8 std::_Rb_tree<int, std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<int>, std::allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_destroy_node (this=0x7ffff79a0818 <Exiv2::tagName(unsigned short, unsigned long)::tags>, ---Type <return> to continue, or q <return> to quit--- __p=0x0) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_tree.h:520 #9 std::_Rb_tree<int, std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<int>, std::allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_drop_node (this=0x7ffff79a0818 <Exiv2::tagName(unsigned short, unsigned long)::tags>, __p=0x0) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_tree.h:561 #10 std::_Rb_tree<int, std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<int>, std::allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_erase (this=0x7ffff79a0818 <Exiv2::tagName(unsigned short, unsigned long)::tags>, __x=0x0) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_tree.h:1614 #11 0x00007ffff745b7e3 in std::_Rb_tree<int, std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<int>, std::allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_erase ( this=0x7ffff79a0818 <Exiv2::tagName(unsigned short, unsigned long)::tags>, __x=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_tree.h:1612 #12 0x00007ffff745b7e3 in std::_Rb_tree<int, std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<int>, std::allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_erase ( this=0x7ffff79a0818 <Exiv2::tagName(unsigned short, unsigned long)::tags>, __x=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_tree.h:1612 #13 0x00007ffff745b7e3 in std::_Rb_tree<int, std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>---Type <return> to continue, or q <return> to quit--- , std::allocator<char> > >, std::_Select1st<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<int>, std::allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_erase ( this=0x7ffff79a0818 <Exiv2::tagName(unsigned short, unsigned long)::tags>, __x=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_tree.h:1612 #14 0x00007ffff745b7e3 in std::_Rb_tree<int, std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<int>, std::allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_erase ( this=0x7ffff79a0818 <Exiv2::tagName(unsigned short, unsigned long)::tags>, __x=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_tree.h:1612 #15 0x00007ffff745b7e3 in std::_Rb_tree<int, std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<int>, std::allocator<std::pair<int const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_erase ( this=0x7ffff79a0818 <Exiv2::tagName(unsigned short, unsigned long)::tags>, __x=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/bits/stl_tree.h:1612 #16 0x00007ffff6694c92 in __run_exit_handlers (status=1, listp=0x7ffff6a1f698 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82 #17 0x00007ffff6694ce5 in __GI_exit (status=<optimized out>) at exit.c:104 #18 0x00007ffff667bac7 in __libc_start_main (main=0x407240 <main(int, char* const*)>, argc=2, argv=0x7fffffffe538, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe528) at libc-start.c:323 #19 0x0000000000407169 in _start () This vulnerability was triggered in __GI___libc_free() at line malloc.c:2933. From the information above we can see that the program try to free a memory it can not access. In order to get more information, we use AddressSanitizer mode compiling the program . $ ./exiv2 POC1 invalid type value detected in Image::printIFDStructure: 32768 Exiv2 exception in print action for file POC1: invalid type value detected in Image::printIFDStructure ================================================================= ==28127==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60200000ed90 in thread T0 #0 0x4e1c92 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1c92) #1 0x51515c (/home/icy/real/exiv2-asan/install/bin/exiv2+0x51515c) #2 0x4e2fe6 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2fe6) #3 0x7f057e3ffabf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf) #4 0x43b288 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288) AddressSanitizer can not describe address in more detail (wild memory access suspected). ==28127==ABORTING Actual results: crash Expected results: crash Additional info: Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
The upstream issue is: https://github.com/Exiv2/exiv2/issues/144. The issue has been fixed on the master branch.
Fixed with exiv2-0.27.0-1.el7_6.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2101