Bug 1575201 - Heap Buffer Overflow in image.cpp:260 Exiv2::Image::byteSwap2
Summary: Heap Buffer Overflow in image.cpp:260 Exiv2::Image::byteSwap2
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-05 04:55 UTC by albertzjf
Modified: 2018-05-29 17:51 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-29 17:51:11 UTC
Target Upstream Version:
Embargoed:


Attachments:
poc file (296 bytes, application/octet-stream), 2018-05-09 08:18 UTC, albertzjf
ltrace output (237.29 KB, text/plain), 2018-05-25 21:21 UTC, Pedro Yóssis Silva Barbosa

Description albertzjf 2018-05-05 04:55:06 UTC
Description of problem:
Heap Buffer Overflow in image.cpp:260 Exiv2::Image::byteSwap2

Version-Release number of selected component (if applicable):
0.26

How reproducible:
./exiv2 POC /dev/null

Steps to Reproduce:
1.
2.
3.

=================================================================
==98057==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed54 at pc 0x7f550604e903 bp 0x7fff2502ebd0 sp 0x7fff2502ebc0
READ of size 1 at 0x60200000ed54 thread T0
    #0 0x7f550604e902 in Exiv2::Image::byteSwap2(Exiv2::DataBuf&, unsigned long, bool) /home/puppet/test_object_pic/exiv2-trunk/src/image.cpp:260
    #1 0x7f5506050573 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /home/puppet/test_object_pic/exiv2-trunk/src/image.cpp:418
    #2 0x7f55060518a3 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /home/puppet/test_object_pic/exiv2-trunk/src/image.cpp:517
    #3 0x7f55060bbb27 in Exiv2::OrfImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /home/puppet/test_object_pic/exiv2-trunk/src/orfimage.cpp:104
    #4 0x7f55060bc0da in Exiv2::OrfImage::readMetadata() /home/puppet/test_object_pic/exiv2-trunk/src/orfimage.cpp:123
    #5 0x43ab12 in Action::Print::printSummary() /home/puppet/test_object_pic/exiv2-trunk/src/actions.cpp:289
    #6 0x43a1bf in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/puppet/test_object_pic/exiv2-trunk/src/actions.cpp:244
    #7 0x422139 in main /home/puppet/test_object_pic/exiv2-trunk/src/exiv2.cpp:170
    #8 0x7f55053af82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x421b08 in _start (/usr/local/bin/exiv2+0x421b08)

0x60200000ed54 is located 0 bytes to the right of 4-byte region [0x60200000ed50,0x60200000ed54)
allocated by thread T0 here:
    #0 0x7f55067dd6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x454815 in Exiv2::DataBuf::DataBuf(long) /home/puppet/test_object_pic/exiv2-trunk/include/exiv2/types.hpp:204
    #2 0x7f550605014d in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /home/puppet/test_object_pic/exiv2-trunk/src/image.cpp:402
    #3 0x7f55060518a3 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /home/puppet/test_object_pic/exiv2-trunk/src/image.cpp:517
    #4 0x7f55060bbb27 in Exiv2::OrfImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /home/puppet/test_object_pic/exiv2-trunk/src/orfimage.cpp:104
    #5 0x7f55060bc0da in Exiv2::OrfImage::readMetadata() /home/puppet/test_object_pic/exiv2-trunk/src/orfimage.cpp:123
    #6 0x43ab12 in Action::Print::printSummary() /home/puppet/test_object_pic/exiv2-trunk/src/actions.cpp:289
    #7 0x43a1bf in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/puppet/test_object_pic/exiv2-trunk/src/actions.cpp:244
    #8 0x422139 in main /home/puppet/test_object_pic/exiv2-trunk/src/exiv2.cpp:170
    #9 0x7f55053af82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puppet/test_object_pic/exiv2-trunk/src/image.cpp:260 Exiv2::Image::byteSwap2(Exiv2::DataBuf&, unsigned long, bool)
Shadow bytes around the buggy address:
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa[04]fa fa fa 00 fa
  0x0c047fff9db0: fa fa 00 fa fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c047fff9dc0: fa fa 06 fa fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==98057==ABORTING


This vulnerability was triggered in Exiv2::Image::byteSwap2(Exiv2::DataBuf&, unsigned long, bool) at src/image.cpp:260

    uint16_t Image::byteSwap2(DataBuf& buf,size_t offset,bool bSwap)
    {
        uint16_t v;
        char*    p = (char*) &v;
        p[0] = buf.pData_[offset];
        p[1] = buf.pData_[offset+1];
        return Image::byteSwap(v,bSwap);
    }


Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by NESA Lab (nesa.zju.edu.cn) with our custom
seed generation system, SmartSeed. Please contact puppet.cn and
albertzjf if you need more info about the team, the tool or the
vulnerability.
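As an added illustration (not code from Exiv2 or from the report), here is the quoted two-byte reader beside a bounds-checked variant. DataBuf is a simplified stand-in that keeps only the pData_ and size_ member names from Exiv2; byteSwap is a plain 16-bit swap standing in for Image::byteSwap.

```cpp
// Added example, not Exiv2's code: the unchecked read from the report next to
// a variant that refuses a read leaving the buffer. Built with
// -fsanitize=address, byteSwap2_unchecked(buf, buf.size_ - 1, false) reports
// the same 1-byte heap-buffer-overflow READ as the ASan trace above.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <stdexcept>
#include <vector>

// Simplified stand-in for Exiv2::DataBuf: a heap buffer plus its length.
struct DataBuf {
    std::vector<uint8_t> storage;   // owns the bytes
    uint8_t* pData_;                // member names mirror Exiv2's
    size_t   size_;
    explicit DataBuf(std::initializer_list<uint8_t> bytes)
        : storage(bytes), pData_(storage.data()), size_(storage.size()) {}
    DataBuf(const DataBuf&) = delete;  // pData_ must not dangle on copy
};

// Swap the two bytes of v when bSwap is set (what Image::byteSwap does for
// a 16-bit value).
static uint16_t byteSwap(uint16_t v, bool bSwap) {
    return bSwap ? static_cast<uint16_t>((v << 8) | (v >> 8)) : v;
}

// As quoted in the report: offset and offset+1 are read with no check
// against buf.size_, so any offset >= size_-1 reads past the allocation.
uint16_t byteSwap2_unchecked(const DataBuf& buf, size_t offset, bool bSwap) {
    uint16_t v;
    char* p = reinterpret_cast<char*>(&v);
    p[0] = buf.pData_[offset];
    p[1] = buf.pData_[offset + 1];
    return byteSwap(v, bSwap);
}

// Hardened variant: reject any offset whose 2-byte read would leave the
// buffer. The subtraction form cannot wrap, unlike "offset + 2 > size_"
// when offset is near SIZE_MAX.
uint16_t byteSwap2_checked(const DataBuf& buf, size_t offset, bool bSwap) {
    if (buf.size_ < 2 || offset > buf.size_ - 2)
        throw std::out_of_range("byteSwap2: 2-byte read past end of DataBuf");
    uint16_t v;
    std::memcpy(&v, buf.pData_ + offset, sizeof v);  // same bytes, no punning
    return byteSwap(v, bSwap);
}

// True when the checked reader refuses the offset.
bool rejects(const DataBuf& buf, size_t offset) {
    try { byteSwap2_checked(buf, offset, false); return false; }
    catch (const std::out_of_range&) { return true; }
}
```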

Comment 2 albertzjf 2018-05-09 08:18:48 UTC
Created attachment 1433611 [details]
poc file

Comment 3 Pedro Yóssis Silva Barbosa 2018-05-25 21:18:46 UTC
Could you please provide more information regarding your findings?

The provided POC didn't crash here on RHEL 7. Moreover, the Exiv2::Image::byteSwap2 function in /usr/lib64/libexiv2.so wasn't called at all.

[pedroysb@rhel-7 sf_rhel_shared]$ gdb /usr/bin/exiv2
pwndbg> # breakpoint at main
pwndbg> b *0x406850
pwndbg> run POC
...
Breakpoint *0x406850
pwndbg> b _ZN5Exiv25Image9byteSwap2ERNS_7DataBufEmb
Breakpoint 2 at 0x7ffff75ce160
pwndbg> c
Continuing.
Error: Directory Image: IFD entry 23 lies outside of the data buffer.
Error: Directory Image, entry 0x0000 has invalid size 4294967288*2; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 65280; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00000000; truncating the entry
Error: Directory Image, entry 0x0000 has invalid size 4278135811*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 61440; setting type size 1.
Error: Directory Image, entry 0x0000 has invalid size 4278135811*1; skipping entry.
Warning: Directory Image, entry 0x000e has unknown Exif (TIFF) type 11267; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x000e is out of bounds: Offset = 0x00000010, size = 65279, exceeds buffer size by 64999 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 65280; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00000000; truncating the entry
Error: Directory Image, entry 0x0000 has invalid size 4278135811*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 65280; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00000000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 65278; setting type size 1.
Warning: Directory Image, entry 0x002c has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x002c has invalid size 4278190080*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x0000 has invalid size 4278059008*1; skipping entry.
File name       : POC
File size       : 296 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     : 
Camera model    : 
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    : 

[Inferior 1 (process 26135) exited normally]
pwndbg> 


When I intercept the library function calls using ltrace, the byteSwap2 function doesn't appear in the logs either (see attachment).

Comment 4 Pedro Yóssis Silva Barbosa 2018-05-25 21:21:56 UTC
Created attachment 1441710 [details]
ltrace output

Comment 5 albertzjf 2018-05-26 01:21:49 UTC
Sorry for the misleading report. The crash was actually triggered on Ubuntu 16.04 by this POC when we tested it. When reporting, I found that most CVEs for exiv2 referenced this website, and I thought there wouldn't be much difference.

Comment 6 Pedro Yóssis Silva Barbosa 2018-05-29 17:51:11 UTC
Closing as NOTABUG

