Bug 1473889 - There is alloc-dealloc-mismatch in Exiv2::FileIo::seek of exiv2.
Summary: There is alloc-dealloc-mismatch in Exiv2::FileIo::seek of exiv2.
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2   
(Show other bugs)
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Keywords: Reopened
Depends On:
Blocks: CVE-2017-11592
TreeView+ depends on / blocked
 
Reported: 2017-07-22 04:18 UTC by owl337
Modified: 2019-04-16 12:06 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-25 15:37:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Triggered by "./exiv2 POC9" (300 bytes, application/x-rar)
2017-07-22 04:18 UTC, owl337
no flags Details

Description owl337 2017-07-22 04:18:52 UTC
Created attachment 1302634 [details]
Triggered by "./exiv2 POC9"

Description of problem:

There is alloc-dealloc-mismatch in  Exiv2::FileIo::seek of exiv2.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 POC9

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC9

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI_fseek (fp=0x4647000000e900, offset=0, whence=1) at fseek.c:38
38	fseek.c: No such file or directory.
(gdb) bt
#0  __GI_fseek (fp=0x4647000000e900, offset=0, whence=1) at fseek.c:38
#1  0x00000000004c85e8 in Exiv2::FileIo::seek(long, Exiv2::BasicIo::Position) ()
#2  0x0000000000585750 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) ()
#3  0x000000000058b15c in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) ()
#4  0x00000000006bf786 in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) ()
#5  0x00000000006b8eb9 in Exiv2::TiffImage::readMetadata() ()
#6  0x0000000000464434 in Action::Print::printSummary() ()
#7  0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#8  0x0000000000439762 in main ()

The asan debug info is as follows:

=================================================================
==63376==ERROR: AddressSanitizer: alloc-dealloc-mismatch (INVALID vs operator delete) on 0x60300000d570
    #0 0x4e1c92  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1c92)
    #1 0x7f0c7c7d0bda  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cbda)
    #2 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #3 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #4 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #5 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #6 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #7 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #8 0x7f0c7c7d0b6a  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #9 0x7f0c7b54ac91  (/lib/x86_64-linux-gnu/libc.so.6+0x39c91)
    #10 0x7f0c7b54ace4  (/lib/x86_64-linux-gnu/libc.so.6+0x39ce4)
    #11 0x7f0c7b531ac6  (/lib/x86_64-linux-gnu/libc.so.6+0x20ac6)
    #12 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60300000d570 is located 0 bytes inside of 4293853440-byte region [0x60300000d570,0x6030ffefd670)
ASAN:SIGSEGV
==63376==AddressSanitizer: while reporting a bug found another one. Ignoring.


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 Henri Salo 2017-07-30 12:59:51 UTC
Please use CVE-2017-11592 for this issue.

Comment 5 Raphaël Hertzog 2017-08-31 14:47:56 UTC
I forwarded this to the upstream developers: https://github.com/Exiv2/exiv2/issues/56

Comment 6 Henri Salo 2018-10-26 09:05:37 UTC
This has been fixed in upstream.

Comment 8 Jan Grulich 2019-01-28 16:08:24 UTC
Fixed with exiv2-0.27.0-1.el7_6.


Note You need to log in before you can comment on or make changes to this bug.