Bug 1500553 - it is a stack-overflow vulnerability in lsx_ms_adpcm_block_expand_i (in adpcm.c:126)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sox
Version: 26
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jiri Kucera
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-10-11 02:09 UTC by Liu Zhu
Modified: 2018-02-20 16:37 UTC
CC: 5 users

Fixed In Version: sox-14.4.2.0-16.fc27 sox-14.4.2.0-17.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-14 17:28:27 UTC
Type: Bug
Embargoed:


Attachments
poc_file (4.00 KB, audio/x-wav)
2017-10-11 02:09 UTC, Liu Zhu

Description Liu Zhu 2017-10-11 02:09:51 UTC
Created attachment 1336957 [details]
poc_file

Version-Release number of selected component (if applicable):
SoX v14.4.2

How reproducible:


Steps to Reproduce:
./sox crash_sample/01-stack-overflow out.snd
=================================================================
==55065==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5824d054 at pc 0x00000052297c bp 0x7fff5824cf90 sp 0x7fff5824cf80
WRITE of size 2 at 0x7fff5824d054 thread T0
    #0 0x52297b in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:126
    #1 0x50cb22 in AdpcmReadBlock /root/sox_ASAN/src/wav.c:178
    #2 0x513537 in read_samples /root/sox_ASAN/src/wav.c:1133
    #3 0x4df41a in sox_read /root/sox_ASAN/src/formats.c:978
    #4 0x40d473 in sox_read_wide /root/sox_ASAN/src/sox.c:490
    #5 0x40de4a in combiner_drain /root/sox_ASAN/src/sox.c:552
    #6 0x424af0 in drain_effect /root/sox_ASAN/src/effects.c:352
    #7 0x425cdd in sox_flow_effects /root/sox_ASAN/src/effects.c:445
    #8 0x4189fb in process /root/sox_ASAN/src/sox.c:1802
    #9 0x420be9 in main /root/sox_ASAN/src/sox.c:3008
    #10 0x7fbadeb0b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x40a658 in _start (/root/sox_ASAN/src/sox+0x40a658)

Address 0x7fff5824d054 is located in stack of thread T0 at offset 68 in frame
    #0 0x5227bb in lsx_ms_adpcm_block_expand_i /root/sox_ASAN/src/adpcm.c:112

  This frame has 1 object(s):
    [32, 64) 'state' <== Memory access at offset 68 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/sox_ASAN/src/adpcm.c:126 lsx_ms_adpcm_block_expand_i
Shadow bytes around the buggy address:
  0x10006b0419b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b0419f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006b041a00: 00 00 f1 f1 f1 f1 00 00 00 00[f3]f3 f3 f3 00 00
  0x10006b041a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b041a50: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==55065==ABORTING



Additional info:

Name: Liuzhu
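
The ASan frame above reports a 2-byte write at offset 68 of a frame whose only object, 'state', spans [32, 64): the write lands 4 bytes past the end of a 32-byte per-channel state array, which is what happens when a channel count taken from the file header is used to index that array without being compared against its capacity. The C program below is an added example written for this page; it is not SoX's code and not the upstream patch. It models an MS ADPCM block-header parse over a fixed-size per-channel state array together with the bounds check that keeps a header-supplied channel count from indexing past it. The four-entry capacity, the state struct layout, the helper names (ms_adpcm_parse_block_header, wav_fmt_channels) and all sample bytes are constructed assumptions, not values taken from the attached PoC.

```c
/* Added example, not SoX's code: per-channel MS ADPCM block-header parse with
 * the channel-count check that stops a header-controlled index from running
 * past a fixed state[] array. Layout and limits below are assumptions. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MS_ADPCM_MAX_CHANS    4   /* assumed capacity of the fixed per-channel state array */
#define MS_ADPCM_NCOEF        7
#define MS_ADPCM_HDR_PER_CHAN 7   /* bpred(1) + delta(2) + sample1(2) + sample2(2) */

/* Standard MS ADPCM predictor coefficient pairs. */
static const int16_t ms_adpcm_coef[MS_ADPCM_NCOEF][2] = {
    {256, 0}, {512, -256}, {0, 0}, {192, 64}, {240, 0}, {460, -208}, {392, -232}
};

typedef struct {
    int32_t step;      /* initial delta for the channel */
    int16_t coef[2];   /* predictor pair selected by bpred */
    int16_t s1, s2;    /* the two uncompressed seed samples */
} ms_state;

static int16_t rd16le(const uint8_t *p)
{
    return (int16_t)(uint16_t)(p[0] | (p[1] << 8));
}

/* Channel count from a WAVE 'fmt ' chunk body (nChannels is the LE16 at offset 2).
 * Returns 0 when the chunk is too short to hold the common 16-byte header. */
unsigned wav_fmt_channels(const uint8_t *fmt, size_t len)
{
    if (len < 16) return 0;
    return (unsigned)(fmt[2] | (fmt[3] << 8));
}

/* Parse the per-channel block header. MS ADPCM groups each field across
 * channels: all bpred bytes, then all deltas, then all sample1, then all
 * sample2. Returns 0 on success, -1 on a bad channel count or a short block.
 * The first check is the one whose absence lets a header-supplied chans index
 * state[] past its end; the ASan frame above shows exactly that shape of bug
 * (a 2-byte write 4 bytes beyond a 32-byte 'state' object). */
int ms_adpcm_parse_block_header(unsigned chans, const uint8_t *blk, size_t blk_len,
                                ms_state state[MS_ADPCM_MAX_CHANS])
{
    if (chans == 0 || chans > MS_ADPCM_MAX_CHANS) return -1;
    if (blk_len < (size_t)chans * MS_ADPCM_HDR_PER_CHAN) return -1;

    const uint8_t *ip = blk;
    for (unsigned ch = 0; ch < chans; ch++) {
        uint8_t bpred = *ip++;
        if (bpred >= MS_ADPCM_NCOEF) bpred = 0;  /* out-of-range predictor: fall back to 0 */
        state[ch].coef[0] = ms_adpcm_coef[bpred][0];
        state[ch].coef[1] = ms_adpcm_coef[bpred][1];
    }
    for (unsigned ch = 0; ch < chans; ch++) { state[ch].step = rd16le(ip); ip += 2; }
    for (unsigned ch = 0; ch < chans; ch++) { state[ch].s1   = rd16le(ip); ip += 2; }
    for (unsigned ch = 0; ch < chans; ch++) { state[ch].s2   = rd16le(ip); ip += 2; }
    return 0;
}

/* Constructed inputs for the demonstration (not bytes from the attached PoC). */
static const uint8_t demo_stereo_hdr[2 * MS_ADPCM_HDR_PER_CHAN] = {
    0x01, 0x03,              /* bpred: ch0 predictor 1, ch1 predictor 3 */
    0x10, 0x00, 0x20, 0x00,  /* initial delta: 16, 32 */
    0x00, 0x01, 0xff, 0xff,  /* sample1: 256, -1 */
    0x00, 0xff, 0x00, 0x00   /* sample2: -256, 0 */
};
static const uint8_t demo_fmt_6ch[16] = {
    0x02, 0x00,              /* wFormatTag = 2 (MS ADPCM) */
    0x06, 0x00,              /* nChannels = 6: more than state[] can hold */
    0x44, 0xac, 0x00, 0x00,  /* nSamplesPerSec = 44100 */
    0x00, 0x00, 0x00, 0x00,  /* nAvgBytesPerSec (unused here) */
    0x00, 0x01,              /* nBlockAlign = 256 */
    0x04, 0x00               /* wBitsPerSample = 4 */
};
static const uint8_t demo_six_chan_hdr[6 * MS_ADPCM_HDR_PER_CHAN] = { 0 };
static ms_state demo_state[MS_ADPCM_MAX_CHANS];

int main(void)
{
    unsigned chans = wav_fmt_channels(demo_fmt_6ch, sizeof demo_fmt_6ch);
    int rc = ms_adpcm_parse_block_header(chans, demo_six_chan_hdr,
                                         sizeof demo_six_chan_hdr, demo_state);
    printf("fmt chunk declares %u channels: block header %s\n",
           chans, rc ? "rejected" : "accepted");

    if (ms_adpcm_parse_block_header(2, demo_stereo_hdr, sizeof demo_stereo_hdr, demo_state) == 0)
        printf("stereo: ch0 step=%d coef=(%d,%d)  ch1 step=%d coef=(%d,%d)\n",
               demo_state[0].step, demo_state[0].coef[0], demo_state[0].coef[1],
               demo_state[1].step, demo_state[1].coef[0], demo_state[1].coef[1]);
    return 0;
}
```

The channel count is read from the fmt chunk and then validated against the state array before any per-channel write happens; the short-block check guards the reads in the same way. For what SoX itself changed, see the upstream patch linked in comment 9 rather than this model.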

Comment 1 Fedora Update System 2018-02-01 14:18:44 UTC
sox-14.4.2.0-16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ec93095a73

Comment 2 Fedora Update System 2018-02-01 14:29:50 UTC
sox-14.4.2.0-16.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-790e7e720d

Comment 3 Fedora Update System 2018-02-01 19:10:47 UTC
sox-14.4.2.0-16.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-790e7e720d

Comment 4 Fedora Update System 2018-02-01 19:33:16 UTC
sox-14.4.2.0-16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ec93095a73

Comment 5 Fedora Update System 2018-02-06 23:00:57 UTC
sox-14.4.2.0-17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa1bf1711d

Comment 6 Fedora Update System 2018-02-07 13:51:12 UTC
sox-14.4.2.0-17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-aa1bf1711d

Comment 7 Fedora Update System 2018-02-14 17:28:27 UTC
sox-14.4.2.0-16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Jiri Kucera 2018-02-17 12:00:27 UTC
(In reply to Jiri Kucera from comment #8)
> upstream discussion:
> https://sourceforge.net/p/sox/mailman/sox-devel/thread/
> CAG_ZyaA_WyTTEWeGYPUhG95M3wOv64vTqn8jeH4JYvgMnx83Tw.com/
> #msg36128861
> 
> patch origin:
> https://sourceforge.net/p/sox/mailman/sox-devel/thread/20171120110535.14410-
> 1-mans/#msg36129559

links messed up, again:

upstream discussion: https://sourceforge.net/p/sox/mailman/sox-devel/thread/CAG_ZyaBLxUKk_xmrvn2YfnVLNRE_Rzxe+cYBC5CJtK_xWrVvNw@mail.gmail.com/#msg36121067

patch origin: https://bogomips.org/sox.git/patch/?id=3f7ed312614649e2695b54b398475d32be4f64f3

Comment 10 Fedora Update System 2018-02-20 16:37:15 UTC
sox-14.4.2.0-17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

