Bug 1500553 - it is a stack-overflow vulnerability in lsx_ms_adpcm_block_expand_i ( in adpcm.c:126 )
Summary: it is a stack-overflow vulnerability in lsx_ms_adpcm_block_expand_i ( in adpc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sox
Version: 26
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Jiri Kucera
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-11 02:09 UTC by Liu Zhu
Modified: 2018-02-20 16:37 UTC (History)
5 users (show)

Fixed In Version: sox-14.4.2.0-16.fc27 sox-14.4.2.0-17.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-14 17:28:27 UTC


Attachments (Terms of Use)
poc_file (4.00 KB, audio/x-wav)
2017-10-11 02:09 UTC, Liu Zhu
no flags Details

Description Liu Zhu 2017-10-11 02:09:51 UTC
Created attachment 1336957 [details]
poc_file

Version-Release number of selected component (if applicable):
SoX v14.4.2

How reproducible:


Steps to Reproduce:
./sox crash_sample/01-stack-overflow out.snd
=================================================================
==55065==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5824d054 at pc 0x00000052297c bp 0x7fff5824cf90 sp 0x7fff5824cf80
WRITE of size 2 at 0x7fff5824d054 thread T0
    #0 0x52297b in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:126
    #1 0x50cb22 in AdpcmReadBlock /root/sox_ASAN/src/wav.c:178
    #2 0x513537 in read_samples /root/sox_ASAN/src/wav.c:1133
    #3 0x4df41a in sox_read /root/sox_ASAN/src/formats.c:978
    #4 0x40d473 in sox_read_wide /root/sox_ASAN/src/sox.c:490
    #5 0x40de4a in combiner_drain /root/sox_ASAN/src/sox.c:552
    #6 0x424af0 in drain_effect /root/sox_ASAN/src/effects.c:352
    #7 0x425cdd in sox_flow_effects /root/sox_ASAN/src/effects.c:445
    #8 0x4189fb in process /root/sox_ASAN/src/sox.c:1802
    #9 0x420be9 in main /root/sox_ASAN/src/sox.c:3008
    #10 0x7fbadeb0b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x40a658 in _start (/root/sox_ASAN/src/sox+0x40a658)

Address 0x7fff5824d054 is located in stack of thread T0 at offset 68 in frame
    #0 0x5227bb in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:112

  This frame has 1 object(s):
    [32, 64) 'state' <== Memory access at offset 68 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/sox_ASAN/src/adpcm.c:126 lsx_ms_adpcm_block_expand_i
Shadow bytes around the buggy address:
  0x10006b0419b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006b041a00: 00 00 f1 f1 f1 f1 00 00 00 00[f3]f3 f3 f3 00 00
  0x10006b041a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a50: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==55065==ABORTING



Additional info:

Name:Liuzhu

Comment 1 Fedora Update System 2018-02-01 14:18:44 UTC
sox-14.4.2.0-16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ec93095a73

Comment 2 Fedora Update System 2018-02-01 14:29:50 UTC
sox-14.4.2.0-16.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-790e7e720d

Comment 3 Fedora Update System 2018-02-01 19:10:47 UTC
sox-14.4.2.0-16.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-790e7e720d

Comment 4 Fedora Update System 2018-02-01 19:33:16 UTC
sox-14.4.2.0-16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ec93095a73

Comment 5 Fedora Update System 2018-02-06 23:00:57 UTC
sox-14.4.2.0-17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa1bf1711d

Comment 6 Fedora Update System 2018-02-07 13:51:12 UTC
sox-14.4.2.0-17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa1bf1711d

Comment 7 Fedora Update System 2018-02-14 17:28:27 UTC
sox-14.4.2.0-16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2018-02-20 16:37:15 UTC
sox-14.4.2.0-17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.