Bug 1482296 - There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2
Summary: There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-08-17 01:30 UTC by owl337
Modified: 2019-08-06 12:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:46:58 UTC


Attachments
Triggered by "./exiv2 POC12" (133 bytes, application/x-rar)
2017-08-17 01:30 UTC, owl337


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2101 None None None 2019-08-06 12:47:08 UTC

Description owl337 2017-08-17 01:30:51 UTC
Created attachment 1314499 [details]
Triggered by "./exiv2 POC12"

Description of problem:

 There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2

Version-Release number of selected component (if applicable):

<=latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:

$./exiv2 POC12
*** Error in `/home/icy/real/exiv2/install/bin/exiv2': malloc(): smallbin double linked list corrupted: 0x000000000068bc80 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff66cb7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7ffff66d6651]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff66d8184]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_Znwm+0x18)[0x7ffff6fcae78]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZNK5Exiv26FileIo4pathB5cxx11Ev+0xc9)[0x7ffff7371a49]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x4632)[0x7ffff7449bc2]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7ffff744c0fa]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7ffff74dd2c2]
/home/icy/real/exiv2/install/bin/exiv2[0x4276f8]
/home/icy/real/exiv2/install/bin/exiv2[0x42727c]
/home/icy/real/exiv2/install/bin/exiv2[0x4073a0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff6674830]
/home/icy/real/exiv2/install/bin/exiv2[0x406c89]
======= Memory map: ========
00400000-00467000 r-xp 00000000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00666000-00667000 r--p 00066000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00667000-00668000 rw-p 00067000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00668000-006aa000 rw-p 00000000 00:00 0                                  [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff5f39000-7ffff6211000 r--p 00000000 08:01 1048676                    /usr/lib/locale/locale-archive
7ffff6211000-7ffff6237000 r-xp 00000000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7ffff6237000-7ffff6437000 ---p 00026000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7ffff6437000-7ffff6439000 r--p 00026000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7ffff6439000-7ffff643a000 rw-p 00028000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7ffff643a000-7ffff6453000 r-xp 00000000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff6453000-7ffff6652000 ---p 00019000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff6652000-7ffff6653000 r--p 00018000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff6653000-7ffff6654000 rw-p 00019000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff6654000-7ffff6814000 r-xp 00000000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7ffff6814000-7ffff6a14000 ---p 001c0000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7ffff6a14000-7ffff6a18000 r--p 001c0000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7ffff6a18000-7ffff6a1a000 rw-p 001c4000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7ffff6a1a000-7ffff6a1e000 rw-p 00000000 00:00 0 
7ffff6a1e000-7ffff6a34000 r-xp 00000000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6a34000-7ffff6c33000 ---p 00016000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6c33000-7ffff6c34000 rw-p 00015000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6c34000-7ffff6d3c000 r-xp 00000000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7ffff6d3c000-7ffff6f3b000 ---p 00108000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7ffff6f3b000-7ffff6f3c000 r--p 00107000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7ffff6f3c000-7ffff6f3d000 rw-p 00108000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7ffff6f3d000-7ffff70af000 r-xp 00000000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7ffff70af000-7ffff72af000 ---p 00172000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7ffff72af000-7ffff72b9000 r--p 00172000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7ffff72b9000-7ffff72bb000 rw-p 0017c000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7ffff72bb000-7ffff72bf000 rw-p 00000000 00:00 0 
7ffff72bf000-7ffff7767000 r-xp 00000000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7ffff7767000-7ffff7967000 ---p 004a8000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7ffff7967000-7ffff7998000 r--p 004a8000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7ffff7998000-7ffff799a000 rw-p 004d9000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7ffff799a000-7ffff79b6000 rw-p 00000000 00:00 0 
7ffff79b6000-7ffff79ce000 r-xp 00000000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff79ce000-7ffff7bcd000 ---p 00018000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7bcd000-7ffff7bce000 r--p 00017000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7bce000-7ffff7bcf000 rw-p 00018000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7bcf000-7ffff7bd3000 rw-p 00000000 00:00 0 
7ffff7bd3000-7ffff7bd6000 r-xp 00000000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7ffff7bd6000-7ffff7dd5000 ---p 00003000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7ffff7dd5000-7ffff7dd6000 r--p 00002000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7ffff7dd6000-7ffff7dd7000 rw-p 00003000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fd0000-7ffff7fd8000 rw-p 00000000 00:00 0 
7ffff7ff5000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff6689428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

The gdb debugging information is as follows:

(gdb) set args POC12
(gdb) r
...
Breakpoint 2, malloc_printerr (ar_ptr=0x7fffffffd250, ptr=0x68bc80, 
    str=0x7ffff67e52c8 "malloc(): smallbin double linked list corrupted", action=3) at malloc.c:5006
5006	malloc.c: No such file or directory.
(gdb) bt 
#0  malloc_printerr (ar_ptr=0x7fffffffd250, ptr=0x68bc80, 
    str=0x7ffff67e52c8 "malloc(): smallbin double linked list corrupted", action=3) at malloc.c:5006
#1  _int_malloc (av=av@entry=0x7ffff6a18b20 <main_arena>, bytes=bytes@entry=51) at malloc.c:3386
#2  0x00007ffff66d8184 in __GI___libc_malloc (bytes=51) at malloc.c:2913
#3  0x00007ffff6fcae78 in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00007ffff7371a49 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*> (this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.tcc:223
#5  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*> (
    this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:195
#6  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*> (
    this=0x7fffffffd468, __beg=0x68ccd0 "id:000052,sig:11,src:001652+001281,op:splice,rep:2", __end=<optimized out>)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:214
#7  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (this=0x7fffffffd468, 
    __str=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:400
#8  Exiv2::FileIo::path[abi:cxx11]() const (this=<optimized out>) at basicio.cpp:1031
#9  0x00007ffff7449bc2 in Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., 
    option=<optimized out>, start=<optimized out>, bSwap=<optimized out>, c=<optimized out>, depth=<optimized out>)
    at image.cpp:498
#10 0x00007ffff744c0fa in Exiv2::Image::printTiffStructure (this=0x68bab0, io=..., out=..., option=Exiv2::kpsRecursive, 
    depth=<optimized out>, offset=<optimized out>) at image.cpp:518
#11 0x00007ffff74dd2c2 in Exiv2::OrfImage::readMetadata (this=0x68bab0) at orfimage.cpp:123
#12 0x00000000004276f8 in Action::Print::printSummary (this=0x68cc30) at actions.cpp:289
Python Exception <class 'gdb.error'> There is no member named _M_dataplus.: 
#13 0x000000000042727c in Action::Print::run (this=0x68cc30, path=) at actions.cpp:244
#14 0x00000000004073a0 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
(gdb) n
5007	in malloc.c
(gdb) 
5006	in malloc.c
(gdb) 
*** Error in `/home/icy/real/exiv2/install/bin/exiv2': malloc(): smallbin double linked list corrupted: 0x000000000068bc80 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff66cb7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7ffff66d6651]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff66d8184]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_Znwm+0x18)[0x7ffff6fcae78]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZNK5Exiv26FileIo4pathB5cxx11Ev+0xc9)[0x7ffff7371a49]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x4632)[0x7ffff7449bc2]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7ffff744c0fa]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7ffff74dd2c2]
/home/icy/real/exiv2/install/bin/exiv2[0x4276f8]
/home/icy/real/exiv2/install/bin/exiv2[0x42727c]
/home/icy/real/exiv2/install/bin/exiv2[0x4073a0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff6674830]
/home/icy/real/exiv2/install/bin/exiv2[0x406c89]
======= Memory map: ========
00400000-00467000 r-xp 00000000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00666000-00667000 r--p 00066000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00667000-00668000 rw-p 00067000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00668000-006aa000 rw-p 00000000 00:00 0                                  [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
...
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff6689428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

This vulnerability was triggered in Exiv2::FileIo::path[abi:cxx11]() const (this=0x68ccb0) at basicio.cpp:1031
...
1026	#ifdef EXV_UNICODE_PATH
1027	        if (p_->wpMode_ == Impl::wpUnicode) {
1028	            return ws2s(p_->wpath_);
1029	        }
1030	#endif
1031	        return p_->path_;
1032	    }
1033	
1034	#ifdef EXV_UNICODE_PATH
1035	    std::wstring FileIo::wpath() const


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

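The backtrace in the report ends in Exiv2::FileIo::path() only because that is where malloc() next ran glibc's smallbin consistency check; path() itself just copies a std::string (basicio.cpp:1031 above), so the heap metadata must have been corrupted earlier, while printIFDStructure() was walking the ORF file's TIFF IFD chain. As an added example, not code from the bug report or from exiv2, the C program below walks a TIFF IFD chain the way a hardened parser should: every offset and count read from the file is checked against the buffer length before it is dereferenced, element sizes come from a fixed table so unknown types cannot produce a bogus length, and the next-IFD chain is guarded against cycles. The sample TIFF bytes and the three hostile variants are constructed for this demonstration; accepting ORF's 0x4F52 magic alongside TIFF's 42 is an assumption about the format, not something taken from the page.

```c
/*
 * Added example (not exiv2 code): bounds-checked walk of a TIFF/ORF IFD chain.
 * Hostile offsets or counts are rejected with a status code instead of being
 * used to read (or write) outside the buffer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFD_ENTRY_SIZE 12u
#define MAX_IFDS 16u          /* depth guard on the next-IFD chain */

enum ifd_status { IFD_OK = 0, IFD_ERR_HEADER, IFD_ERR_BOUNDS, IFD_ERR_LOOP };

struct tiff_view { const uint8_t *buf; size_t len; int big_endian; };

/* True if [off, off+n) lies inside the buffer; 64-bit math, no wraparound. */
static int in_bounds(const struct tiff_view *v, uint64_t off, uint64_t n) {
    return off <= v->len && n <= v->len - off;
}
static uint16_t rd16(const struct tiff_view *v, size_t off) {
    const uint8_t *p = v->buf + off;
    return v->big_endian ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}
static uint32_t rd32(const struct tiff_view *v, size_t off) {
    const uint8_t *p = v->buf + off;
    return v->big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}
/* Bytes per element for TIFF field types 1..12; 0 means unknown type. */
static uint32_t type_size(uint16_t t) {
    static const uint8_t sz[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
    return t < 13 ? sz[t] : 0;
}

/* Walk every IFD reachable from the header. *n_entries receives the number of
 * entries validated before success or the first rejection. */
int tiff_walk(const uint8_t *buf, size_t len, unsigned *n_entries) {
    struct tiff_view v = { buf, len, 0 };
    uint32_t seen[MAX_IFDS];
    unsigned depth = 0;
    *n_entries = 0;
    if (len < 8) return IFD_ERR_HEADER;
    if (!memcmp(buf, "II", 2)) v.big_endian = 0;
    else if (!memcmp(buf, "MM", 2)) v.big_endian = 1;
    else return IFD_ERR_HEADER;
    uint16_t magic = rd16(&v, 2);
    /* 42 = classic TIFF; 0x4F52 ("IIRO"/"MMOR") = Olympus ORF, an assumption here */
    if (magic != 42 && magic != 0x4F52) return IFD_ERR_HEADER;

    uint32_t ifd_off = rd32(&v, 4);
    while (ifd_off != 0) {
        if (depth == MAX_IFDS) return IFD_ERR_LOOP;
        for (unsigned i = 0; i < depth; i++)
            if (seen[i] == ifd_off) return IFD_ERR_LOOP;   /* next-IFD cycle */
        seen[depth++] = ifd_off;

        if (!in_bounds(&v, ifd_off, 2)) return IFD_ERR_BOUNDS;
        uint16_t count = rd16(&v, ifd_off);
        uint64_t table = (uint64_t)ifd_off + 2;
        /* whole entry table plus the trailing next-IFD pointer must fit */
        if (!in_bounds(&v, table, (uint64_t)count * IFD_ENTRY_SIZE + 4)) return IFD_ERR_BOUNDS;

        for (uint16_t i = 0; i < count; i++) {
            size_t e = (size_t)(table + (uint64_t)i * IFD_ENTRY_SIZE);
            uint16_t type = rd16(&v, e + 2);
            uint32_t n = rd32(&v, e + 4);
            uint32_t esz = type_size(type);
            if (esz == 0) return IFD_ERR_BOUNDS;          /* unknown type, size untrusted */
            uint64_t bytes = (uint64_t)esz * n;           /* cannot overflow in 64 bits */
            if (bytes > 4) {                               /* value stored out of line */
                uint32_t data_off = rd32(&v, e + 8);
                if (!in_bounds(&v, data_off, bytes)) return IFD_ERR_BOUNDS;
            }
            (*n_entries)++;
        }
        ifd_off = rd32(&v, (size_t)(table + (uint64_t)count * IFD_ENTRY_SIZE));
    }
    return IFD_OK;
}

/* Constructed little-endian TIFF: IFD0 at 8 with ImageWidth=16 (inline SHORT)
 * and Make="Demo" (6-byte ASCII stored at offset 38), next IFD = 0. */
static const uint8_t SAMPLE[44] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,
    0x02,0x00,
    0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x10,0x00,0x00,0x00,
    0x0F,0x01, 0x02,0x00, 0x06,0x00,0x00,0x00, 0x26,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,
    'D','e','m','o',0x00,0x00
};

/* variant 0 = intact file; 1..3 = fuzzer-style corruptions of the same bytes */
int demo(int variant, unsigned *entries) {
    uint8_t buf[sizeof SAMPLE];
    size_t len = sizeof SAMPLE;
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    switch (variant) {
    case 1: buf[26] = buf[27] = buf[28] = buf[29] = 0xFF; break; /* Make count -> 4 GiB */
    case 2: buf[34] = 0x08; break;                               /* next IFD -> IFD0 again */
    case 3: len = 20; break;                                     /* file truncated mid-IFD */
    default: break;
    }
    return tiff_walk(buf, len, entries);
}
int demo_status(int variant)      { unsigned n; return demo(variant, &n); }
unsigned demo_entries(int variant) { unsigned n; demo(variant, &n); return n; }

int main(void) {
    for (int v = 0; v < 4; v++)
        printf("variant %d: status %d, entries %u\n", v, demo_status(v), demo_entries(v));
    return 0;
}
```

Running the block prints status 0 with 2 entries for the intact sample and a non-zero status for each corrupted variant; the point is that every rejection happens at a check on file-supplied numbers, before any read depends on them, which is the invariant a recursive IFD printer like the one in the backtrace has to maintain.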
Comment 2 Marcus Meissner 2017-08-19 11:02:14 UTC
POC12 is the same binary as POC13 from bug 1482423

Comment 3 owl337 2017-08-19 13:43:58 UTC
I will check it as soon as possible.

Comment 4 owl337 2017-08-19 15:03:22 UTC
Sorry for this mistake. POC12 is not a problem; the issue is that POC13 was a duplicate of POC12. I have updated POC13 in bug 1482423.

Comment 5 Raphaël Hertzog 2017-08-31 15:12:03 UTC
I reported this issue to upstream: https://github.com/Exiv2/exiv2/issues/59

Comment 7 Jan Grulich 2019-01-28 16:08:15 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 11 errata-xmlrpc 2019-08-06 12:46:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101

