Bug 1471772 - There is an illegal address access in basicio.cpp of exiv2.
There is an illegal address access in basicio.cpp of exiv2.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2 (Show other bugs)
7.5-Alt
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Jan Grulich
Desktop QE
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-17 08:23 EDT by owl337
Modified: 2017-08-31 10:38 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-25 10:41:19 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Triggered by "./exiv2 POC7" (298 bytes, application/x-rar)
2017-07-17 08:23 EDT, owl337
no flags Details

  None (edit)
Description owl337 2017-07-17 08:23:28 EDT
Created attachment 1299839 [details]
Triggered by "./exiv2 POC7"

Description of problem:

There is an illegal address access in basicio.cpp of exiv2.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC7

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
4150	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
#1  0x00007ffff60fba34 in _int_malloc (av=av@entry=0x7ffff643ec00 <main_arena>, bytes=bytes@entry=1600) at malloc.c:3417
#2  0x00007ffff60fe50e in __GI___libc_malloc (bytes=1600) at malloc.c:2895
#3  0x00007ffff60fffb8 in __libc_realloc (bytes=1600, oldmem=0x0) at malloc.c:2976
#4  realloc_hook_ini (ptr=0x0, sz=1600, caller=<optimized out>) at hooks.c:41
#5  0x00007ffff60fec17 in __GI___libc_realloc (oldmem=0x0, bytes=1600) at malloc.c:2965
#6  0x00007ffff60ac1cb in extend_alias_table () at localealias.c:397
#7  read_alias_file (fname=<optimized out>, fname_len=<optimized out>) at localealias.c:319
#8  0x00007ffff60ac3c7 in _nl_expand_alias (name=name@entry=0x7fffffffae30 "en_US.UTF-8") at localealias.c:203
#9  0x00007ffff60aa608 in _nl_find_domain (dirname=dirname@entry=0x7ffff620ea00 <_nl_default_dirname> "/usr/share/locale", locale=locale@entry=0x7fffffffae30 "en_US.UTF-8", 
    domainname=domainname@entry=0x7fffffffae50 "LC_MESSAGES/libc.mo", domainbinding=domainbinding@entry=0x0) at finddomain.c:124
#10 0x00007ffff60a9e72 in __dcigettext (domainname=0x7ffff6206229 <_libc_intl_domainname> "libc", msgid1=0x7ffff6206711 "Cannot allocate memory", msgid2=msgid2@entry=0x0, plural=plural@entry=0, 
    n=n@entry=0, category=category@entry=5) at dcigettext.c:722
#11 0x00007ffff60a8a8f in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:47
#12 0x00007ffff610558e in __GI___strerror_r (errnum=12, buf=0x7fffffffb0b0 "", buflen=1024) at _strerror.c:71
#13 0x00000000005706ef in Exiv2::strError() ()
#14 0x00000000004c11b8 in Exiv2::FileIo::mmap(bool) ()
#15 0x00000000006b8f3f in Exiv2::TiffImage::readMetadata() ()
#16 0x0000000000464434 in Action::Print::printSummary() ()
#17 0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#18 0x0000000000439762 in main ()


icy@ubuntu:~/real/exiv2-asan/install/bin$ ./exiv2 ../../../exiv2_coll4/coll-out1/crashes/id\:000015\,sig\:11\,src\:001021\,op\:flip32\,pos\:47 
ASAN:SIGSEGV
=================================================================
==47987==ERROR: AddressSanitizer: SEGV on unknown address 0x00a09ffca08b (pc 0x7efe16b0fec5 bp 0x7ffca809dd00 sp 0x7ffca809d600 T0)
    #0 0x7efe16b0fec4  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434ec4)
    #1 0x7efe16b180e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #2 0x7efe16d28900  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x64d900)
    #3 0x7efe16d205eb  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x6455eb)
    #4 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #5 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #6 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #7 0x7efe15888abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

AddressSanitizer can not provide additional info.
==47987==ABORTING


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 4 Henri Salo 2017-07-30 08:52:39 EDT
I can confirm that this also segfaults 0.26 upstream release. Did you report this to upstream issue tracker?
Comment 5 Henri Salo 2017-07-30 08:54:16 EDT
Please use CVE-2017-11553 for this issue.
Comment 6 owl337 2017-08-14 22:39:35 EDT
ok(In reply to Henri Salo from comment #4)
> I can confirm that this also segfaults 0.26 upstream release. Did you report
> this to upstream issue tracker?

Could you support a issue tracker link ? Thank you.
Comment 7 Raphaël Hertzog 2017-08-31 10:38:33 EDT
I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/54

Note You need to log in before you can comment on or make changes to this bug.