Bug 1471772 - There is an illegal address access in basicio.cpp of exiv2.
Summary: There is an illegal address access in basicio.cpp of exiv2.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Jan Grulich
QA Contact: Desktop QE
Depends On:
Reported: 2017-07-17 12:23 UTC by owl337
Modified: 2019-08-06 12:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-06 12:46:47 UTC
Target Upstream Version:

Attachments (Terms of Use)
Triggered by "./exiv2 POC7" (298 bytes, application/x-rar)
2017-07-17 12:23 UTC, owl337

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2101 0 None None None 2019-08-06 12:47:09 UTC

Description owl337 2017-07-17 12:23:28 UTC
Created attachment 1299839 [details]
Triggered by "./exiv2 POC7"

Description of problem:

There is an illegal address access in basicio.cpp of exiv2.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC7

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
4150	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
#1  0x00007ffff60fba34 in _int_malloc (av=av@entry=0x7ffff643ec00 <main_arena>, bytes=bytes@entry=1600) at malloc.c:3417
#2  0x00007ffff60fe50e in __GI___libc_malloc (bytes=1600) at malloc.c:2895
#3  0x00007ffff60fffb8 in __libc_realloc (bytes=1600, oldmem=0x0) at malloc.c:2976
#4  realloc_hook_ini (ptr=0x0, sz=1600, caller=<optimized out>) at hooks.c:41
#5  0x00007ffff60fec17 in __GI___libc_realloc (oldmem=0x0, bytes=1600) at malloc.c:2965
#6  0x00007ffff60ac1cb in extend_alias_table () at localealias.c:397
#7  read_alias_file (fname=<optimized out>, fname_len=<optimized out>) at localealias.c:319
#8  0x00007ffff60ac3c7 in _nl_expand_alias (name=name@entry=0x7fffffffae30 "en_US.UTF-8") at localealias.c:203
#9  0x00007ffff60aa608 in _nl_find_domain (dirname=dirname@entry=0x7ffff620ea00 <_nl_default_dirname> "/usr/share/locale", locale=locale@entry=0x7fffffffae30 "en_US.UTF-8", 
    domainname=domainname@entry=0x7fffffffae50 "LC_MESSAGES/libc.mo", domainbinding=domainbinding@entry=0x0) at finddomain.c:124
#10 0x00007ffff60a9e72 in __dcigettext (domainname=0x7ffff6206229 <_libc_intl_domainname> "libc", msgid1=0x7ffff6206711 "Cannot allocate memory", msgid2=msgid2@entry=0x0, plural=plural@entry=0, 
    n=n@entry=0, category=category@entry=5) at dcigettext.c:722
#11 0x00007ffff60a8a8f in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:47
#12 0x00007ffff610558e in __GI___strerror_r (errnum=12, buf=0x7fffffffb0b0 "", buflen=1024) at _strerror.c:71
#13 0x00000000005706ef in Exiv2::strError() ()
#14 0x00000000004c11b8 in Exiv2::FileIo::mmap(bool) ()
#15 0x00000000006b8f3f in Exiv2::TiffImage::readMetadata() ()
#16 0x0000000000464434 in Action::Print::printSummary() ()
#17 0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#18 0x0000000000439762 in main ()

icy@ubuntu:~/real/exiv2-asan/install/bin$ ./exiv2 ../../../exiv2_coll4/coll-out1/crashes/id\:000015\,sig\:11\,src\:001021\,op\:flip32\,pos\:47 
==47987==ERROR: AddressSanitizer: SEGV on unknown address 0x00a09ffca08b (pc 0x7efe16b0fec5 bp 0x7ffca809dd00 sp 0x7ffca809d600 T0)
    #0 0x7efe16b0fec4  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434ec4)
    #1 0x7efe16b180e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #2 0x7efe16d28900  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x64d900)
    #3 0x7efe16d205eb  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x6455eb)
    #4 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #5 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #6 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #7 0x7efe15888abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

AddressSanitizer can not provide additional info.

Actual results:


Expected results:


Additional info:


This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 Henri Salo 2017-07-30 12:52:39 UTC
I can confirm that this also segfaults 0.26 upstream release. Did you report this to upstream issue tracker?

Comment 5 Henri Salo 2017-07-30 12:54:16 UTC
Please use CVE-2017-11553 for this issue.

Comment 6 owl337 2017-08-15 02:39:35 UTC
ok
(In reply to Henri Salo from comment #4)
> I can confirm that this also segfaults 0.26 upstream release. Did you report
> this to upstream issue tracker?

Could you provide an issue tracker link? Thank you.

Comment 7 Raphaël Hertzog 2017-08-31 14:38:33 UTC
I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/54

Comment 8 Henri Salo 2018-10-26 09:04:30 UTC
This has been fixed in upstream.

Comment 10 Jan Grulich 2019-01-28 16:08:23 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 14 errata-xmlrpc 2019-08-06 12:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

