Bug 1470737 - There is an invalid free in Action::TaskFactory::cleanup function of actions.cpp in exiv2. A crafted input will lead to remote denial of service attack.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
7.5-Alt
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Jan Grulich
Desktop QE
: Security
Depends On:
Blocks: CVE-2017-11337
Reported: 2017-07-13 10:30 EDT by owl337
Modified: 2017-10-19 17:00 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments:
Triggered by "./exiv2 $POC" (95 bytes, application/x-rar), 2017-07-13 10:30 EDT, owl337

Description owl337 2017-07-13 10:30:26 EDT
Created attachment 1297689 [details]
Triggered by "./exiv2 $POC"

Description of problem:

There is an invalid free in Action::TaskFactory::cleanup function of actions.cpp in exiv2. A crafted input will lead to remote denial of service attack.

Version-Release number of selected component (if applicable):

<=latest version

How reproducible:

./exiv2 POC3

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC3

*** Error in `/real/exiv2/bin/.libs/lt-exiv2': malloc(): memory corruption: 0x0000000000bac250 ***
Aborted

ASAN output information:

$./exiv2 POC3

Error: Directory Image, entry 0x0144 has invalid size 4294967295*8; skipping entry.
File name       : POC3
File size       : 28 Bytes
MIME type       : image/tiff
Image size      : 0 x 0
POC3 No Exif data found in the file
=================================================================
==92908==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60200000ed90 in thread T0
    #0 0x4e1c92  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1c92)
    #1 0x51515c  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x51515c)
    #2 0x4e2fe6  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2fe6)
    #3 0x7fbeb19e9abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60200000ed90 is located 0 bytes inside of 1229389824-byte region [0x60200000ed90,0x60204947ed90)
freed by thread T0 here:
==92908==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.6-18MJNr/llvm-toolchain-3.6-3.6.2/projects/compiler-rt/lib/asan/asan_allocator.cc:668 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x4c9dd4  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4c9dd4)
    #1 0x4d0751  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4d0751)
    #2 0x43b8c8  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b8c8)
    #3 0x4c5d70  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4c5d70)
    #4 0x4c6b9f  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4c6b9f)
    #5 0x43f5d5  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43f5d5)
    #6 0x43bc87  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43bc87)
    #7 0x4e1d51  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1d51)
    #8 0x51515c  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x51515c)
    #9 0x4e2fe6  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2fe6)
    #10 0x7fbeb19e9abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #11 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

The GDB debugging information is as follows:

(gdb) set args POC3
(gdb) r
...
(gdb) 
Continuing.

Breakpoint 2, Action::TaskFactory::cleanup (this=<optimized out>) at actions.cpp:194
194	                delete i->second;

(gdb) bt
#0  Action::TaskFactory::cleanup (this=<optimized out>) at actions.cpp:194
#1  0x00000000004e2fe7 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:174
(gdb) s
=================================================================
==114915==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60200000edb0 in thread T0
    #0 0x4e1c92  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1c92)
    #1 0x51515c  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x51515c)
    #2 0x4e2fe6  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2fe6)
    #3 0x7ffff5e29abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60200000edb0 is located 0 bytes inside of 1229389824-byte region [0x60200000edb0,0x60204947edb0)
freed by thread T0 here:
==114915==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.6-18MJNr/llvm-toolchain-3.6-3.6.2/projects/compiler-rt/lib/asan/asan_allocator.cc:668 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x4c9dd4  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4c9dd4)
    #1 0x4d0751  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4d0751)
    #2 0x43b8c8  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b8c8)
    #3 0x4c5d70  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4c5d70)
    #4 0x4c6b9f  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4c6b9f)
    #5 0x43f5d5  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43f5d5)
    #6 0x43bc87  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43bc87)
    #7 0x4e1d51  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1d51)
    #8 0x51515c  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x51515c)
    #9 0x4e2fe6  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2fe6)
    #10 0x7ffff5e29abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #11 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

[Inferior 1 (process 114915) exited with code 01]

This vulnerability was triggered in Action::TaskFactory::cleanup() at actions.cpp:194. Line 194 attempts to free an address which was not malloc()-ed: 0x60200000edb0

 189     void TaskFactory::cleanup()
 190     {
 191         if (instance_ != 0) {
 192             Registry::iterator e = registry_.end();
 193             for (Registry::iterator i = registry_.begin(); i != e; ++i) {
 194                 delete i->second;
 195             }
 196             delete instance_;
 197             instance_ = 0;
 198         }
 199     } //TaskFactory::cleanup



Actual results:

crash

Expected results:

crash


Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 2 Adam Mariš 2017-07-24 08:41:53 EDT
Please, report this issue to upstream. Thanks!
Comment 3 Raphaël Hertzog 2017-08-31 10:13:59 EDT
I forwarded this report upstream: https://github.com/Exiv2/exiv2/issues/50
Comment 4 dan.cermak 2017-10-19 17:00:17 EDT
This has been fixed upstream and backported to the 0.26 branch.
