Bug 1482295 - There is a heap-buffer-overflow in basicio.cpp of exiv2.
Summary: There is a heap-buffer-overflow in basicio.cpp of exiv2.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-08-17 01:21 UTC by owl337
Modified: 2019-08-06 12:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:46:58 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Triggered by "./exiv2 POC11" (149 bytes, application/x-rar)
2017-08-17 01:21 UTC, owl337


Links
Red Hat Product Errata RHSA-2019:2101 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2019-08-06 12:47:08 UTC)

Description owl337 2017-08-17 01:21:55 UTC
Created attachment 1314498 [details]
Triggered by "./exiv2 POC11"

Description of problem:

There is a heap-buffer-overflow in basicio.cpp of exiv2; the vulnerability causes many out-of-bounds writes in Exiv2::Image::printIFDStructure ().

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:


The output information is as follows:

$./exiv2 POC9
ORF IMAGE
*** Error in `./../../../exiv2': malloc(): memory corruption (fast): 0x00000000025be540 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fd3b91c57e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7fd3b91d0651]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fd3b91d2184]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_Znwm+0x18)[0x7fd3b9ac4e78]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_+0x9f)[0x7fd3b9b563df]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(+0x18c9f1)[0x7fd3b9f459f1]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x20c2)[0x7fd3b9f41652]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7fd3b9f460fa]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7fd3b9fd72c2]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28PgfImage12readMetadataEv+0x56b)[0x7fd3b9ff284b]
./../../../exiv2[0x4276f8]
./../../../exiv2[0x42727c]
./../../../exiv2[0x4073a0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fd3b916e830]
./../../../exiv2[0x406c89]
Aborted



GDB debugging information is as follows:
(gdb) set args POC9
(gdb) r
 ...

Breakpoint 3, Exiv2::MemIo::read (this=<optimized out>, buf=0x7fffffffc5e0 "\003", rcount=2) at basicio.cpp:1281
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
(gdb) c 24 
Will ignore next 23 crossings of breakpoint 3.  Continuing.
ORF IMAGE

Breakpoint 3, Exiv2::MemIo::read (this=<optimized out>, buf=0x60300000d510 "", rcount=4294967295) at basicio.cpp:1281
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
(gdb) bt 
#0  Exiv2::MemIo::read (this=<optimized out>, buf=0x60300000d510 "", rcount=4294967295) at basicio.cpp:1281
#1  0x00007ffff70b0e79 in Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., 
    option=Exiv2::kpsRecursive, start=0, bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:408
#2  0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x61300000de80, io=..., out=..., 
    option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
#3  0x00007ffff71972ac in Exiv2::OrfImage::printStructure (this=<optimized out>, out=..., option=<optimized out>, 
    depth=<optimized out>) at orfimage.cpp:104
#4  0x00007ffff7198631 in Exiv2::OrfImage::readMetadata (this=<optimized out>) at orfimage.cpp:123
#5  0x00007ffff71c3df6 in Exiv2::PgfImage::readMetadata (this=<optimized out>) at pgfimage.cpp:152
#6  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#7  0x0000000000518489 in Action::Print::run (this=0x60400000da50, path=...) at actions.cpp:244
#8  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
(gdb) n
=================================================================
==125397==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d524 at pc 0x0000004ab7f6 bp 0x7fffffffbbf0 sp 0x7fffffffb3a0
WRITE of size 73 at 0x60300000d524 thread T0
    #0 0x4ab7f5  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4ab7f5)
    #1 0x7ffff6f5b74d  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x2df74d)
    #2 0x7ffff70b0e78  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434e78)
    #3 0x7ffff70b90e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #4 0x7ffff71972ab  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51b2ab)
    #5 0x7ffff7198630  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51c630)
    #6 0x7ffff71c3df5  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x547df5)
    #7 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #8 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #9 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #10 0x7ffff5e29abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #11 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60300000d524 is located 0 bytes to the right of 20-byte region [0x60300000d510,0x60300000d524)
allocated by thread T0 here:
    #0 0x4e1842  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1842)
    #1 0x7ffff70b0c5f  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434c5f)
    #2 0x7ffff70b90e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)

==125397==ABORTING
[Inferior 1 (process 125397) exited with code 01]



This vulnerability was triggered in Exiv2::Image::printIFDStructure () at basicio.cpp:1281.

1277	    long MemIo::read(byte* buf, long rcount)
1278	    {
1279	        long avail = EXV_MAX(p_->size_ - p_->idx_, 0);
1280	        long allow = EXV_MIN(rcount, avail);
1281	        std::memcpy(buf, &p_->data_[p_->idx_], allow);
1282	        p_->idx_ += allow;
1283	        if (rcount > avail) p_->eof_ = true;
1284	        return allow;
1285	    }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
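The gdb trace and ASan report above show the copy in MemIo::read being bounded only by the bytes remaining in the input (avail) and the requested count (rcount=4294967295), never by the size of the 20-byte destination, so 73 bytes are written into it. The following C++ is an added example, not exiv2's code: it models that read logic in a self-contained class next to a variant that takes the destination capacity and refuses over-long requests, with the report's numbers replayed on constructed data.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed example, not exiv2 code: an in-memory reader whose read()
// mirrors the MemIo::read logic quoted in the report (int64_t stands in
// for the original's 64-bit long), plus a variant that also knows the
// destination buffer's capacity.
struct MemReader {
    std::vector<uint8_t> data;   // backing "file" contents
    int64_t idx = 0;             // current read position
    bool eof = false;

    // Same shape as basicio.cpp lines 1277-1285: copy min(rcount, avail).
    // Nothing here knows how big `buf` is, so a caller that sized `buf`
    // from an untrusted count in the file gets overrun.
    int64_t read(uint8_t* buf, int64_t rcount) {
        int64_t avail = std::max<int64_t>(static_cast<int64_t>(data.size()) - idx, 0);
        int64_t allow = std::min(rcount, avail);
        std::memcpy(buf, data.data() + idx, static_cast<size_t>(allow));
        idx += allow;
        if (rcount > avail) eof = true;
        return allow;
    }

    // Hardened variant: the destination capacity is part of the call and a
    // request larger than it is refused (-1) instead of trusted, so a
    // corrupted count in the input cannot become an out-of-bounds write.
    int64_t readChecked(uint8_t* buf, size_t cap, int64_t rcount) {
        if (rcount < 0 || static_cast<uint64_t>(rcount) > cap) return -1;
        return read(buf, rcount);
    }
};

// Bytes the unchecked read() would copy, computed without doing the copy.
int64_t plannedCopy(int64_t fileSize, int64_t idx, int64_t rcount) {
    return std::min(rcount, std::max<int64_t>(fileSize - idx, 0));
}

// Replays the report's numbers: 73 bytes left in the input, a 20-byte
// destination and rcount = 4294967295 (0xFFFFFFFF) taken from the file.
// Returns the checked read's result (-1 means refused).
int64_t replayReport() {
    MemReader r;
    r.data.assign(73, uint8_t(0xAB));  // constructed input bytes
    std::vector<uint8_t> dst(20, 0);   // the 20-byte region ASan reported
    return r.readChecked(dst.data(), dst.size(), 4294967295LL);
}
```

plannedCopy(73, 0, 4294967295) evaluates to 73, which is exactly the "WRITE of size 73" ASan reports against a 20-byte region; readChecked refuses that request and only serves reads that fit the caller's buffer.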

Comment 2 Marcus Meissner 2017-08-19 11:21:45 UTC
You attached POC11 but your comment says POC9

Comment 3 owl337 2017-08-19 13:24:10 UTC
Please refer to the $POC in the attachments (POC11).

Comment 4 Dan Čermák 2017-10-19 21:57:29 UTC
The upstream issue is https://github.com/Exiv2/exiv2/issues/58; it has been fixed and backported.

Comment 6 Jan Grulich 2019-01-28 16:08:21 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 10 errata-xmlrpc 2019-08-06 12:46:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101

