Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1482295

Summary: There is a heap-buffer-overflow in basicio.cpp of exiv2.
Product: Red Hat Enterprise Linux 7 Reporter: owl337 <v.owl337>
Component: exiv2Assignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: dan.cermak, meissner
Target Milestone: rcKeywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 12:46:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Triggered by "./exiv2 POC11" none

Description owl337 2017-08-17 01:21:55 UTC 
Created attachment 1314498 [details]
Triggered by "./exiv2 POC11"

Description of problem:

There is a heap-buffer-overflow in  basicio.cpp of exiv2, the vulnerability causes lots of out of bound write in Exiv2::Image::printIFDStructure ().

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:


The output information is as follows:

$./exiv2 POC9
ORF IMAGE
*** Error in `./../../../exiv2': malloc(): memory corruption (fast): 0x00000000025be540 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fd3b91c57e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7fd3b91d0651]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fd3b91d2184]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_Znwm+0x18)[0x7fd3b9ac4e78]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_+0x9f)[0x7fd3b9b563df]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(+0x18c9f1)[0x7fd3b9f459f1]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x20c2)[0x7fd3b9f41652]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7fd3b9f460fa]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7fd3b9fd72c2]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28PgfImage12readMetadataEv+0x56b)[0x7fd3b9ff284b]
./../../../exiv2[0x4276f8]
./../../../exiv2[0x42727c]
./../../../exiv2[0x4073a0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fd3b916e830]
./../../../exiv2[0x406c89]
======= Memory map: ========
00400000-00467000 r-xp 00000000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00666000-00667000 r--p 00066000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00667000-00668000 rw-p 00067000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00668000-00678000 rw-p 00000000 00:00 0 
025a1000-025d3000 rw-p 00000000 00:00 0                                  [heap]
7fd3b4000000-7fd3b4021000 rw-p 00000000 00:00 0 
7fd3b4021000-7fd3b8000000 ---p 00000000 00:00 0 
7fd3b8a33000-7fd3b8d0b000 r--p 00000000 08:01 1048676                    /usr/lib/locale/locale-archive
7fd3b8d0b000-7fd3b8d31000 r-xp 00000000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7fd3b8d31000-7fd3b8f31000 ---p 00026000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7fd3b8f31000-7fd3b8f33000 r--p 00026000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7fd3b8f33000-7fd3b8f34000 rw-p 00028000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7fd3b8f34000-7fd3b8f4d000 r-xp 00000000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7fd3b8f4d000-7fd3b914c000 ---p 00019000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7fd3b914c000-7fd3b914d000 r--p 00018000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7fd3b914d000-7fd3b914e000 rw-p 00019000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7fd3b914e000-7fd3b930e000 r-xp 00000000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7fd3b930e000-7fd3b950e000 ---p 001c0000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7fd3b950e000-7fd3b9512000 r--p 001c0000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7fd3b9512000-7fd3b9514000 rw-p 001c4000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7fd3b9514000-7fd3b9518000 rw-p 00000000 00:00 0 
7fd3b9518000-7fd3b952e000 r-xp 00000000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd3b952e000-7fd3b972d000 ---p 00016000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd3b972d000-7fd3b972e000 rw-p 00015000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd3b972e000-7fd3b9836000 r-xp 00000000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7fd3b9836000-7fd3b9a35000 ---p 00108000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7fd3b9a35000-7fd3b9a36000 r--p 00107000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7fd3b9a36000-7fd3b9a37000 rw-p 00108000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7fd3b9a37000-7fd3b9ba9000 r-xp 00000000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd3b9ba9000-7fd3b9da9000 ---p 00172000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd3b9da9000-7fd3b9db3000 r--p 00172000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd3b9db3000-7fd3b9db5000 rw-p 0017c000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd3b9db5000-7fd3b9db9000 rw-p 00000000 00:00 0 
7fd3b9db9000-7fd3ba261000 r-xp 00000000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7fd3ba261000-7fd3ba461000 ---p 004a8000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7fd3ba461000-7fd3ba492000 r--p 004a8000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7fd3ba492000-7fd3ba494000 rw-p 004d9000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7fd3ba494000-7fd3ba4b0000 rw-p 00000000 00:00 0 
7fd3ba4b0000-7fd3ba4c8000 r-xp 00000000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd3ba4c8000-7fd3ba6c7000 ---p 00018000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd3ba6c7000-7fd3ba6c8000 r--p 00017000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd3ba6c8000-7fd3ba6c9000 rw-p 00018000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd3ba6c9000-7fd3ba6cd000 rw-p 00000000 00:00 0 
7fd3ba6cd000-7fd3ba6d0000 r-xp 00000000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7fd3ba6d0000-7fd3ba8cf000 ---p 00003000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7fd3ba8cf000-7fd3ba8d0000 r--p 00002000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7fd3ba8d0000-7fd3ba8d1000 rw-p 00003000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7fd3ba8d1000-7fd3ba8f7000 r-xp 00000000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7fd3baace000-7fd3baad6000 rw-p 00000000 00:00 0 
7fd3baaf3000-7fd3baaf6000 rw-p 00000000 00:00 0 
7fd3baaf6000-7fd3baaf7000 r--p 00025000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7fd3baaf7000-7fd3baaf8000 rw-p 00026000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7fd3baaf8000-7fd3baaf9000 rw-p 00000000 00:00 0 
7ffc17508000-7ffc17529000 rw-p 00000000 00:00 0                          [stack]
7ffc175e1000-7ffc175e3000 r--p 00000000 00:00 0                          [vvar]
7ffc175e3000-7ffc175e5000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted



GDB debugging information is as follows:
(gdb) set args POC9
(gdb) r
 ...

Breakpoint 3, Exiv2::MemIo::read (this=<optimized out>, buf=0x7fffffffc5e0 "\003", rcount=2) at basicio.cpp:1281
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
(gdb) c 24 
Will ignore next 23 crossings of breakpoint 3.  Continuing.
ORF IMAGE

Breakpoint 3, Exiv2::MemIo::read (this=<optimized out>, buf=0x60300000d510 "", rcount=4294967295) at basicio.cpp:1281
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
(gdb) bt 
#0  Exiv2::MemIo::read (this=<optimized out>, buf=0x60300000d510 "", rcount=4294967295) at basicio.cpp:1281
#1  0x00007ffff70b0e79 in Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., 
    option=Exiv2::kpsRecursive, start=0, bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:408
#2  0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x61300000de80, io=..., out=..., 
    option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
#3  0x00007ffff71972ac in Exiv2::OrfImage::printStructure (this=<optimized out>, out=..., option=<optimized out>, 
    depth=<optimized out>) at orfimage.cpp:104
#4  0x00007ffff7198631 in Exiv2::OrfImage::readMetadata (this=<optimized out>) at orfimage.cpp:123
#5  0x00007ffff71c3df6 in Exiv2::PgfImage::readMetadata (this=<optimized out>) at pgfimage.cpp:152
#6  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#7  0x0000000000518489 in Action::Print::run (this=0x60400000da50, path=...) at actions.cpp:244
#8  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
(gdb) n
=================================================================
==125397==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d524 at pc 0x0000004ab7f6 bp 0x7fffffffbbf0 sp 0x7fffffffb3a0
WRITE of size 73 at 0x60300000d524 thread T0
    #0 0x4ab7f5  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4ab7f5)
    #1 0x7ffff6f5b74d  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x2df74d)
    #2 0x7ffff70b0e78  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434e78)
    #3 0x7ffff70b90e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #4 0x7ffff71972ab  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51b2ab)
    #5 0x7ffff7198630  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51c630)
    #6 0x7ffff71c3df5  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x547df5)
    #7 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #8 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #9 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #10 0x7ffff5e29abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #11 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60300000d524 is located 0 bytes to the right of 20-byte region [0x60300000d510,0x60300000d524)
allocated by thread T0 here:
    #0 0x4e1842  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1842)
    #1 0x7ffff70b0c5f  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434c5f)
    #2 0x7ffff70b90e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)

Shadow bytes around the buggy address:
  0x0c067fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9aa0: fa fa 00 00[04]fa fa fa 00 00 00 07 fa fa 00 00
  0x0c067fff9ab0: 00 07 fa fa 00 00 00 07 fa fa 00 00 00 07 fa fa
  0x0c067fff9ac0: 00 00 00 07 fa fa 00 00 00 07 fa fa 00 00 00 07
  0x0c067fff9ad0: fa fa 00 00 00 07 fa fa 00 00 00 07 fa fa 00 00
  0x0c067fff9ae0: 00 07 fa fa 00 00 00 07 fa fa 00 00 00 07 fa fa
  0x0c067fff9af0: 00 00 00 07 fa fa 00 00 00 07 fa fa 00 00 00 07
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==125397==ABORTING
[Inferior 1 (process 125397) exited with code 01]



This vulnerability was triggered in Exiv2::Image::printIFDStructure () at basicio.cpp:1281.

1277	    long MemIo::read(byte* buf, long rcount)
1278	    {
1279	        long avail = EXV_MAX(p_->size_ - p_->idx_, 0);
1280	        long allow = EXV_MIN(rcount, avail);
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
1282	        p_->idx_ += allow;
1283	        if (rcount > avail) p_->eof_ = true;
1284	        return allow;
1285	    }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Comment 2 Marcus Meissner 2017-08-19 11:21:45 UTC 
You attached POC11 but your comment says {POC9
Comment 3 owl337 2017-08-19 13:24:10 UTC 
please refer to the $POC of attachments(POC11).
Comment 4 Dan Čermák 2017-10-19 21:57:29 UTC 
The upstream issue is https://github.com/Exiv2/exiv2/issues/58, has been fixed and backported.
Comment 6 Jan Grulich 2019-01-28 16:08:21 UTC 
Fixed with exiv2-0.27.0-1.el7_6.
Comment 10 errata-xmlrpc 2019-08-06 12:46:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101