Bug 1482295 - There is a heap-buffer-overflow in basicio.cpp of exiv2.
Summary: There is a heap-buffer-overflow in basicio.cpp of exiv2.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-17 01:21 UTC by owl337
Modified: 2019-08-06 12:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:46:58 UTC


Attachments
Triggered by "./exiv2 POC11" (149 bytes, application/x-rar)
2017-08-17 01:21 UTC, owl337


Links
System: Red Hat Product Errata
ID: RHSA-2019:2101
Last Updated: 2019-08-06 12:47:08 UTC

Description owl337 2017-08-17 01:21:55 UTC
Created attachment 1314498 [details]
Triggered by "./exiv2 POC11"

Description of problem:

There is a heap-buffer-overflow in basicio.cpp of exiv2; the vulnerability causes many out-of-bounds writes in Exiv2::Image::printIFDStructure().

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:


The output information is as follows:

$./exiv2 POC9
ORF IMAGE
*** Error in `./../../../exiv2': malloc(): memory corruption (fast): 0x00000000025be540 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fd3b91c57e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7fd3b91d0651]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fd3b91d2184]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_Znwm+0x18)[0x7fd3b9ac4e78]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_+0x9f)[0x7fd3b9b563df]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(+0x18c9f1)[0x7fd3b9f459f1]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x20c2)[0x7fd3b9f41652]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7fd3b9f460fa]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7fd3b9fd72c2]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28PgfImage12readMetadataEv+0x56b)[0x7fd3b9ff284b]
./../../../exiv2[0x4276f8]
./../../../exiv2[0x42727c]
./../../../exiv2[0x4073a0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fd3b916e830]
./../../../exiv2[0x406c89]
======= Memory map: ========
Aborted



GDB debugging information is as follows:
(gdb) set args POC9
(gdb) r
 ...

Breakpoint 3, Exiv2::MemIo::read (this=<optimized out>, buf=0x7fffffffc5e0 "\003", rcount=2) at basicio.cpp:1281
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
(gdb) c 24 
Will ignore next 23 crossings of breakpoint 3.  Continuing.
ORF IMAGE

Breakpoint 3, Exiv2::MemIo::read (this=<optimized out>, buf=0x60300000d510 "", rcount=4294967295) at basicio.cpp:1281
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
(gdb) bt 
#0  Exiv2::MemIo::read (this=<optimized out>, buf=0x60300000d510 "", rcount=4294967295) at basicio.cpp:1281
#1  0x00007ffff70b0e79 in Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., 
    option=Exiv2::kpsRecursive, start=0, bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:408
#2  0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x61300000de80, io=..., out=..., 
    option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
#3  0x00007ffff71972ac in Exiv2::OrfImage::printStructure (this=<optimized out>, out=..., option=<optimized out>, 
    depth=<optimized out>) at orfimage.cpp:104
#4  0x00007ffff7198631 in Exiv2::OrfImage::readMetadata (this=<optimized out>) at orfimage.cpp:123
#5  0x00007ffff71c3df6 in Exiv2::PgfImage::readMetadata (this=<optimized out>) at pgfimage.cpp:152
#6  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#7  0x0000000000518489 in Action::Print::run (this=0x60400000da50, path=...) at actions.cpp:244
#8  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
(gdb) n
=================================================================
==125397==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d524 at pc 0x0000004ab7f6 bp 0x7fffffffbbf0 sp 0x7fffffffb3a0
WRITE of size 73 at 0x60300000d524 thread T0
    #0 0x4ab7f5  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4ab7f5)
    #1 0x7ffff6f5b74d  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x2df74d)
    #2 0x7ffff70b0e78  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434e78)
    #3 0x7ffff70b90e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #4 0x7ffff71972ab  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51b2ab)
    #5 0x7ffff7198630  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51c630)
    #6 0x7ffff71c3df5  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x547df5)
    #7 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #8 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #9 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #10 0x7ffff5e29abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #11 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60300000d524 is located 0 bytes to the right of 20-byte region [0x60300000d510,0x60300000d524)
allocated by thread T0 here:
    #0 0x4e1842  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1842)
    #1 0x7ffff70b0c5f  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434c5f)
    #2 0x7ffff70b90e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)

Shadow bytes around the buggy address:
==125397==ABORTING
[Inferior 1 (process 125397) exited with code 01]



This vulnerability was triggered in Exiv2::Image::printIFDStructure () at basicio.cpp:1281.

1277	    long MemIo::read(byte* buf, long rcount)
1278	    {
1279	        long avail = EXV_MAX(p_->size_ - p_->idx_, 0);
1280	        long allow = EXV_MIN(rcount, avail);
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
1282	        p_->idx_ += allow;
1283	        if (rcount > avail) p_->eof_ = true;
1284	        return allow;
1285	    }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
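
The MemIo::read contract quoted in the description, modelled as an added example (this is not exiv2's code or its upstream fix): the quoted read clamps the copy to the bytes remaining in the source but never to the destination buffer, so a caller that passes an rcount larger than its buffer, as the gdb session shows with rcount=4294967295 and a 20-byte region, gets an out-of-bounds write; a bounded variant refuses such a request instead. MemSource, bytes_memio_would_write, would_overflow, read_bounded and make_sample_source are assumed names, and the 73-byte source with a 20-byte destination is constructed to mirror the report.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <vector>

// Added example (not exiv2 code): a minimal model of the MemIo::read contract
// quoted in the report. Field names mirror the quoted p_->data_/idx_/eof_.
struct MemSource {
    std::vector<unsigned char> data;  // p_->data_
    long idx = 0;                     // p_->idx_
    bool eof = false;                 // p_->eof_
};

// Bytes the quoted memcpy would write for this request: min(rcount, avail).
// Computed without performing the write, so an oversized request is safe to
// inspect here.
long bytes_memio_would_write(const MemSource& src, long rcount) {
    long avail = std::max<long>(static_cast<long>(src.data.size()) - src.idx, 0);
    return std::min(rcount, avail);
}

// True when the quoted read would write past a destination of `cap` bytes.
bool would_overflow(const MemSource& src, size_t cap, long rcount) {
    long n = bytes_memio_would_write(src, rcount);
    return n < 0 || static_cast<size_t>(n) > cap;
}

// Hardened variant (assumed design, not the upstream fix): the destination
// capacity is part of the call, and a request larger than it is refused (-1)
// instead of being copied past the end of `buf`.
long read_bounded(MemSource& src, unsigned char* buf, size_t cap, long rcount) {
    if (rcount < 0 || static_cast<unsigned long>(rcount) > cap) return -1;
    long avail = std::max<long>(static_cast<long>(src.data.size()) - src.idx, 0);
    long allow = std::min(rcount, avail);
    if (allow > 0)
        std::memcpy(buf, &src.data[static_cast<size_t>(src.idx)], static_cast<size_t>(allow));
    src.idx += allow;
    if (rcount > avail) src.eof = true;
    return allow;
}

// Constructed input mirroring the report: 73 bytes remain in the source
// (the ASan report shows a 73-byte write) and the caller's buffer holds 20.
MemSource make_sample_source() {
    MemSource s;
    s.data.assign(73, 0x41);  // filler bytes, not real ORF/TIFF data
    return s;
}
```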

Comment 2 Marcus Meissner 2017-08-19 11:21:45 UTC
You attached POC11 but your comment says POC9

Comment 3 owl337 2017-08-19 13:24:10 UTC
Please refer to the $POC of the attachments (POC11).

Comment 4 dan.cermak 2017-10-19 21:57:29 UTC
The upstream issue is https://github.com/Exiv2/exiv2/issues/58; it has been fixed and backported.

Comment 6 Jan Grulich 2019-01-28 16:08:21 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 10 errata-xmlrpc 2019-08-06 12:46:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101

