Bug 1482423 - There is a heap-buffer-overflow in the software exiv2 which is triggered in Exiv2::Image::io function.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: CVE-2017-12957
 
Reported: 2017-08-17 08:55 UTC by owl337
Modified: 2019-08-06 12:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:46:58 UTC


Attachments
Triggered by "./exiv2 POC13" (133 bytes, application/x-rar)
2017-08-17 08:55 UTC, owl337
It is the right POC (123 bytes, application/x-rar)
2017-08-19 14:59 UTC, owl337


Links
System: Red Hat Product Errata  ID: RHSA-2019:2101  Priority: None  Status: None  Summary: None  Last Updated: 2019-08-06 12:47:08 UTC

Description owl337 2017-08-17 08:55:25 UTC
Created attachment 1314597
Triggered by "./exiv2 POC13"

Description of problem:

There is a heap-buffer-overflow in the software exiv2 which is triggered in Exiv2::Image::io function.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC12
ORF IMAGE
ORF IMAGE
*** Error in `./../../../exiv2': free(): invalid next size (fast): 0x0000000000cead30 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f837322d7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f837323637a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f837323a53c]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image17printIFDStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEjbci+0x4124)[0x7f8373fab6b4]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv25Image18printTiffStructureERNS_7BasicIoERSoNS_20PrintStructureOptionEim+0x12a)[0x7f8373fae0fa]
/home/icy/real/exiv2/install/lib/libexiv2.so.26(_ZN5Exiv28OrfImage12readMetadataEv+0x162)[0x7f837403f2c2]
./../../../exiv2[0x4276f8]
./../../../exiv2[0x42727c]
./../../../exiv2[0x4073a0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f83731d6830]
./../../../exiv2[0x406c89]
======= Memory map: ========
00400000-00467000 r-xp 00000000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00666000-00667000 r--p 00066000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00667000-00668000 rw-p 00067000 08:01 2262265                            /home/icy/real/exiv2/install/bin/exiv2
00668000-00678000 rw-p 00000000 00:00 0 
00cd7000-00d09000 rw-p 00000000 00:00 0                                  [heap]
7f836c000000-7f836c021000 rw-p 00000000 00:00 0 
7f836c021000-7f8370000000 ---p 00000000 00:00 0 
7f8372a9b000-7f8372d73000 r--p 00000000 08:01 1048676                    /usr/lib/locale/locale-archive
7f8372d73000-7f8372d99000 r-xp 00000000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7f8372d99000-7f8372f99000 ---p 00026000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7f8372f99000-7f8372f9b000 r--p 00026000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7f8372f9b000-7f8372f9c000 rw-p 00028000 08:01 529101                     /lib/x86_64-linux-gnu/libexpat.so.1.6.0
7f8372f9c000-7f8372fb5000 r-xp 00000000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7f8372fb5000-7f83731b4000 ---p 00019000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7f83731b4000-7f83731b5000 r--p 00018000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7f83731b5000-7f83731b6000 rw-p 00019000 08:01 529399                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7f83731b6000-7f8373376000 r-xp 00000000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7f8373376000-7f8373576000 ---p 001c0000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7f8373576000-7f837357a000 r--p 001c0000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7f837357a000-7f837357c000 rw-p 001c4000 08:01 536305                     /lib/x86_64-linux-gnu/libc-2.23.so
7f837357c000-7f8373580000 rw-p 00000000 00:00 0 
7f8373580000-7f8373596000 r-xp 00000000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8373596000-7f8373795000 ---p 00016000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8373795000-7f8373796000 rw-p 00015000 08:01 529515                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8373796000-7f837389e000 r-xp 00000000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7f837389e000-7f8373a9d000 ---p 00108000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7f8373a9d000-7f8373a9e000 r--p 00107000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7f8373a9e000-7f8373a9f000 rw-p 00108000 08:01 536300                     /lib/x86_64-linux-gnu/libm-2.23.so
7f8373a9f000-7f8373c11000 r-xp 00000000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7f8373c11000-7f8373e11000 ---p 00172000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7f8373e11000-7f8373e1b000 r--p 00172000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7f8373e1b000-7f8373e1d000 rw-p 0017c000 08:01 1059188                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7f8373e1d000-7f8373e21000 rw-p 00000000 00:00 0 
7f8373e21000-7f83742c9000 r-xp 00000000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7f83742c9000-7f83744c9000 ---p 004a8000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7f83744c9000-7f83744fa000 r--p 004a8000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7f83744fa000-7f83744fc000 rw-p 004d9000 08:01 2262257                    /home/icy/real/exiv2/install/lib/libexiv2.so.26.0.0
7f83744fc000-7f8374518000 rw-p 00000000 00:00 0 
7f8374518000-7f8374530000 r-xp 00000000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f8374530000-7f837472f000 ---p 00018000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f837472f000-7f8374730000 r--p 00017000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f8374730000-7f8374731000 rw-p 00018000 08:01 536288                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f8374731000-7f8374735000 rw-p 00000000 00:00 0 
7f8374735000-7f8374738000 r-xp 00000000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f8374738000-7f8374937000 ---p 00003000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f8374937000-7f8374938000 r--p 00002000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f8374938000-7f8374939000 rw-p 00003000 08:01 536294                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f8374939000-7f837495f000 r-xp 00000000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7f8374b36000-7f8374b3e000 rw-p 00000000 00:00 0 
7f8374b5b000-7f8374b5e000 rw-p 00000000 00:00 0 
7f8374b5e000-7f8374b5f000 r--p 00025000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7f8374b5f000-7f8374b60000 rw-p 00026000 08:01 536281                     /lib/x86_64-linux-gnu/ld-2.23.so
7f8374b60000-7f8374b61000 rw-p 00000000 00:00 0 
7ffe634ba000-7ffe634db000 rw-p 00000000 00:00 0                          [stack]
7ffe63503000-7ffe63505000 r--p 00000000 00:00 0                          [vvar]
7ffe63505000-7ffe63507000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted


GDB debugging information is as follows:
(gdb) set args POC12
(gdb) r
 ...

Breakpoint 7, Exiv2::Image::io (this=<optimized out>) at image.cpp:700
700	        return *io_;
(gdb) bt 
#0  Exiv2::Image::io (this=<optimized out>) at image.cpp:700
#1  0x00007ffff719728d in Exiv2::OrfImage::printStructure (this=<optimized out>, out=..., option=Exiv2::kpsRecursive, 
    depth=0) at orfimage.cpp:104
#2  0x00007ffff7198631 in Exiv2::OrfImage::readMetadata (this=<optimized out>) at orfimage.cpp:123
#3  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#4  0x0000000000518489 in Action::Print::run (this=0x60400000d950, path=...) at actions.cpp:244
#5  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
(gdb) n
=================================================================
==77134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed96 at pc 0x7ffff70b7a21 bp 0x7fffffffbdf0 sp 0x7fffffffbde8
READ of size 1 at 0x60200000ed96 thread T0
    #0 0x7ffff70b7a20  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43ba20)
    #1 0x7ffff70b90e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #2 0x7ffff71972ab  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51b2ab)
    #3 0x7ffff7198630  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x51c630)
    #4 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #5 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #6 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #7 0x7ffff5e29abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60200000ed96 is located 0 bytes to the right of 6-byte region [0x60200000ed90,0x60200000ed96)
allocated by thread T0 here:
    #0 0x4e1842  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1842)
    #1 0x7ffff70b0c5f  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434c5f)
    #2 0x7ffff70b90e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)

Shadow bytes around the buggy address:
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9db0: fa fa[06]fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff9dc0: fa fa 06 fa fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==77134==ABORTING
[Inferior 1 (process 77134) exited with code 01]
(gdb) 



This vulnerability was triggered in Exiv2::Image::io (this=<optimized out>) at image.cpp:700
700	        return *io_;


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more information about the team, the tool or the vulnerability.

Comment 2 Marcus Meissner 2017-08-19 10:54:43 UTC
+++ exiv2-trunk/src/image.cpp

problem is here I think:

                 DataBuf  buf(size*count + pad+20);  // allocate a buffer

count is 0x7fffffff, so size is 0xfffffffe and the expression overflows the unsigned 32-bit space.

Comment 3 Marcus Meissner 2017-08-19 11:00:26 UTC
(there seems to be some POC12 vs POC13 confusion. Above comment is for POC13.)

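The arithmetic Marcus Meissner points to in Comment 2, shown as an added example in C. This is not exiv2's code and not the upstream fix; it only reproduces the size calculation of the quoted line beside an overflow-checked version. The element size and count are read from the IFD entry in the file (the backtrace above is inside printIFDStructure), so both operands are attacker controlled. With count = 0x7fffffff and a 2-byte element type, size*count is 0xfffffffe, and adding pad+20 wraps a 32-bit result to a few bytes, so the DataBuf ends up far smaller than the size*count bytes that are then read into it. The pad value of 0, the 123-byte input length (the size of the corrected POC attachment) and the checked_buf_size function are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HEADER_SLACK 20u   /* the literal "+20" in the quoted expression */

/* Mirrors "size*count + pad+20" evaluated in 32-bit unsigned arithmetic,
 * which is how the quoted line behaves when all three operands are 32-bit:
 * the result silently wraps modulo 2^32. */
uint32_t unchecked_buf_size(uint32_t size, uint32_t count, uint32_t pad)
{
    return size * count + pad + HEADER_SLACK;
}

/* How many bytes the caller will actually try to read into that buffer:
 * element size times element count, computed without wrapping. */
uint64_t real_data_len(uint32_t size, uint32_t count)
{
    return (uint64_t)size * count;
}

/* Overflow-checked replacement (a hypothetical hardened form, not the
 * upstream fix). Returns the buffer size, or -1 if the entry must be
 * rejected. avail is the number of bytes remaining in the input after the
 * IFD entry: an entry that claims more data than the file holds is rejected
 * even when the arithmetic itself would not wrap. */
int64_t checked_buf_size(uint32_t size, uint32_t count, uint32_t pad,
                         uint64_t avail)
{
    if (size == 0 || count == 0)
        return -1;                            /* nothing to read */
    if (count > UINT32_MAX / size)
        return -1;                            /* size*count would wrap */
    uint32_t data = size * count;
    if (data > avail)
        return -1;                            /* claims more than the file has */
    if (pad > UINT32_MAX - HEADER_SLACK || data > UINT32_MAX - HEADER_SLACK - pad)
        return -1;                            /* the additions would wrap */
    return (int64_t)data + pad + HEADER_SLACK;
}

int main(void)
{
    /* Values from Comment 2: count = 0x7fffffff and size*count = 0xfffffffe,
     * so the element size is 2. pad = 0 and a 123-byte input are assumed. */
    const uint32_t size = 2, count = 0x7fffffffu, pad = 0;
    const uint64_t file_len = 123;

    printf("size*count          = 0x%08x\n", size * count);
    printf("allocated (wrapped) = %u bytes\n", unchecked_buf_size(size, count, pad));
    printf("bytes to read       = %llu\n",
           (unsigned long long)real_data_len(size, count));
    printf("checked version     = %lld\n",
           (long long)checked_buf_size(size, count, pad, file_len));
    return 0;
}
```

Note that in this instance the multiplication itself fits in 32 bits (0xfffffffe); only the trailing additions wrap. A check on the product alone would therefore pass the entry, which is why the hardened version also compares the claimed data length against the bytes actually left in the input and checks each addition separately.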
Comment 4 owl337 2017-08-19 13:43:47 UTC
I will check it as soon as possible.

Comment 5 owl337 2017-08-19 14:59:37 UTC
Created attachment 1315757
It is the right POC

Comment 6 owl337 2017-08-19 15:01:01 UTC
I uploaded the right POC13 as an attachment. Please download it.

Comment 7 owl337 2017-08-19 15:03:32 UTC
Sorry for this mistake.

Comment 8 Raphaël Hertzog 2017-08-31 15:17:20 UTC
I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/60

Comment 10 Jan Grulich 2019-01-28 16:08:19 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 14 errata-xmlrpc 2019-08-06 12:46:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101

