Bug 1679952 - Stack buffer overflow in gpsinfo.c when running jhead
Summary: Stack buffer overflow in gpsinfo.c when running jhead
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: jhead
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Adrian Reber
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-22 10:34 UTC by Jianzhong Liu
Modified: 2019-08-14 01:42 UTC (History)
3 users (show)

Fixed In Version: jhead-3.03-4.fc30 jhead-3.03-4.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-14 01:05:27 UTC


Attachments (Terms of Use)
Input triggering the bug (269.87 KB, image/jpeg)
2019-02-22 10:34 UTC, Jianzhong Liu
no flags Details

Description Jianzhong Liu 2019-02-22 10:34:29 UTC
Created attachment 1537431 [details]
Input triggering the bug

Description of problem: 
Some inputs may trigger a stack buffer overflow in jhead.

Version-Release number of selected component (if applicable):
jhead-3.03

How reproducible:
Stable

Steps to Reproduce:
1. Run jhead with the attached input

Actual results:
Running with default settings:

jhead SBO_gpsinfo.c:150:17_asan_plain_nocrash

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 11 padding bytes before section E1

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 12 padding bytes before section E1

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegally sized Exif subdirectory (229 entries)

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 10 padding bytes before section E1

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 35 for tag 0000 in Exif

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Too many components 2013278224 for tag 0000 in Exif

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 16 for tag 5132 in Exif

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal GPS directory link in Exif

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 16 for Exif gps tag 002a

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 69 for Exif gps tag 0004

Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Inappropriate format (11) for Exif GPS coordinates!
*** buffer overflow detected ***: jhead terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f0c7ae239e7]
/lib64/libc.so.6(+0x115b62)[0x7f0c7ae21b62]
/lib64/libc.so.6(+0x11506b)[0x7f0c7ae2106b]
/lib64/libc.so.6(+0x506ba)[0x7f0c7ad5c6ba]
/lib64/libc.so.6(_IO_vfprintf+0x4ed7)[0x7f0c7ad59357]
/lib64/libc.so.6(__vsprintf_chk+0x88)[0x7f0c7ae210f8]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7f0c7ae2104d]
jhead[0x408e1b]
jhead[0x406fb5]
jhead[0x4071e3]
jhead[0x40465b]
jhead[0x4047ed]
jhead[0x402b5e]
jhead[0x4017e4]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f0c7ad2e3d5]
jhead[0x402270]
======= Memory map: ========
00400000-00410000 r-xp 00000000 08:01 3543787                            /usr/bin/jhead
00610000-00611000 r--p 00010000 08:01 3543787                            /usr/bin/jhead
00611000-00612000 rw-p 00011000 08:01 3543787                            /usr/bin/jhead
00612000-00617000 rw-p 00000000 00:00 0
01630000-01651000 rw-p 00000000 00:00 0                                  [heap]
7f0c7aaf6000-7f0c7ab0b000 r-xp 00000000 08:01 3286373                    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ab0b000-7f0c7ad0a000 ---p 00015000 08:01 3286373                    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0a000-7f0c7ad0b000 r--p 00014000 08:01 3286373                    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0b000-7f0c7ad0c000 rw-p 00015000 08:01 3286373                    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0c000-7f0c7aece000 r-xp 00000000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7aece000-7f0c7b0ce000 ---p 001c2000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0ce000-7f0c7b0d2000 r--p 001c2000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0d2000-7f0c7b0d4000 rw-p 001c6000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0d4000-7f0c7b0d9000 rw-p 00000000 00:00 0
7f0c7b0d9000-7f0c7b1da000 r-xp 00000000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b1da000-7f0c7b3d9000 ---p 00101000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3d9000-7f0c7b3da000 r--p 00100000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3da000-7f0c7b3db000 rw-p 00101000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3db000-7f0c7b3fd000 r-xp 00000000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5f5000-7f0c7b5f8000 rw-p 00000000 00:00 0
7f0c7b5f9000-7f0c7b5fc000 rw-p 00000000 00:00 0
7f0c7b5fc000-7f0c7b5fd000 r--p 00021000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5fd000-7f0c7b5fe000 rw-p 00022000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5fe000-7f0c7b5ff000 rw-p 00000000 00:00 0
7ffc6e3ac000-7ffc6e3cd000 rw-p 00000000 00:00 0                          [stack]
7ffc6e3df000-7ffc6e3e2000 r--p 00000000 00:00 0                          [vvar]
7ffc6e3e2000-7ffc6e3e4000 r-xp 00000000 00:00 0                          [vdso]
[1]    172 abort (core dumped)  jhead SBO_gpsinfo.c:150:17_asan_plain_nocrash

Stack backtrace according to gdb:

#0  0x00007f0c7ad42207 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f0c7ad438f8 in __GI_abort () at abort.c:90
#2  0x00007f0c7ad84d27 in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0x7f0c7ae95312 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007f0c7ae239e7 in __GI___fortify_fail (msg=msg@entry=0x7f0c7ae952b8 "buffer overflow detected")
    at fortify_fail.c:30
#4  0x00007f0c7ae21b62 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007f0c7ae2106b in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#6  0x00007f0c7ad5c6ba in __GI___printf_fp_l (fp=fp@entry=0x7ffc6e3c4670, loc=<optimized out>,
    info=info@entry=0x7ffc6e3c41e0, args=args@entry=0x7ffc6e3c41c0) at printf_fp.c:1235
#7  0x00007f0c7ad5c799 in ___printf_fp (fp=fp@entry=0x7ffc6e3c4670, info=info@entry=0x7ffc6e3c41e0,
    args=args@entry=0x7ffc6e3c41c0) at printf_fp.c:1256
#8  0x00007f0c7ad59357 in _IO_vfprintf_internal (s=s@entry=0x7ffc6e3c4670, format=<optimized out>,
    format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", ap=ap@entry=0x7ffc6e3c47a8) at vfprintf.c:1634
#9  0x00007f0c7ae210f8 in ___vsprintf_chk (
    s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\003c\001", flags=1, slen=50,
    format=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", args=args@entry=0x7ffc6e3c47a8) at vsprintf_chk.c:83
#10 0x00007f0c7ae2104d in ___sprintf_chk (
    s=s@entry=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\003c\001", flags=flags@entry=1,
    slen=slen@entry=50, format=format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs") at sprintf_chk.c:32
#11 0x0000000000408e1b in sprintf (__fmt=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs",
    __s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\003c\001") at /usr/include/bits/stdio2.h:33
#12 ProcessGpsInfo (DirStart=<optimized out>, OffsetBase=OffsetBase@entry=0x1630308 "II*",
    ExifLength=ExifLength@entry=2135) at gpsinfo.c:151
#13 0x0000000000406fb5 in ProcessExifDir (DirStart=0x1630318 "E", OffsetBase=OffsetBase@entry=0x1630308 "II*",
    ExifLength=ExifLength@entry=2135, NestingLevel=NestingLevel@entry=0) at exif.c:866
#14 0x00000000004071e3 in process_EXIF (ExifSection=ExifSection@entry=0x1630300 "\b_Exif", length=length@entry=2143)
    at exif.c:1041
#15 0x000000000040465b in ReadJpegSections (infile=infile@entry=0x1630070, ReadMode=ReadMode@entry=READ_METADATA)
    at jpgfile.c:287
#16 0x00000000004047ed in ReadJpegFile (
    FileName=FileName@entry=0x7ffc6e3cc8f5 "SBO_gpsinfo.c:150:17_asan_plain_nocrash", ReadMode=READ_METADATA)
    at jpgfile.c:375
#17 0x0000000000402b5e in ProcessFile (FileName=0x7ffc6e3cc8f5 "SBO_gpsinfo.c:150:17_asan_plain_nocrash")
    at jhead.c:905
#18 0x00000000004017e4 in main (argc=<optimized out>, argv=0x7ffc6e3cbd58) at jhead.c:1757

Expected results:
Not applicable

Additional info:

Comment 1 Adrian Reber 2019-02-25 07:19:59 UTC
Have you contacted upstream about it? That would make more sense than reporting it here.

Comment 2 Jianzhong Liu 2019-02-26 02:34:35 UTC
(In reply to Adrian Reber from comment #1)
> Have you contacted upstream about it? That would make more sense than
> reporting it here.

I have sent the author an email regarding this bug, but the author has been unresponsive.

Comment 3 Ludovic Rousseau 2019-08-02 17:45:29 UTC
The upstream author is not very responsive.
Also jhead is a good example of an unsecure parser for a complex format. I would not be surprised if more bugs are found.

For Debian I fixed this bug in https://salsa.debian.org/debian/jhead/commit/bf330c777cc911b9f8509ffec7458952789c81e2

Comment 4 Adrian Reber 2019-08-05 15:15:54 UTC
(In reply to Ludovic Rousseau from comment #3)
> The upstream author is not very responsive.
> Also jhead is a good example of an unsecure parser for a complex format. I
> would not be surprised if more bugs are found.
> 
> For Debian I fixed this bug in
> https://salsa.debian.org/debian/jhead/commit/
> bf330c777cc911b9f8509ffec7458952789c81e2

Thanks for pointing me to your patches. I will use them in the next jhead builds.

Comment 5 Fedora Update System 2019-08-05 15:38:21 UTC
FEDORA-2019-17b95fecd3 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-17b95fecd3

Comment 6 Fedora Update System 2019-08-05 15:46:08 UTC
FEDORA-2019-441c2fb0d1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-441c2fb0d1

Comment 7 Fedora Update System 2019-08-06 01:27:15 UTC
jhead-3.03-4.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-441c2fb0d1

Comment 8 Fedora Update System 2019-08-06 03:49:27 UTC
jhead-3.03-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-17b95fecd3

Comment 9 Fedora Update System 2019-08-14 01:05:27 UTC
jhead-3.03-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2019-08-14 01:42:05 UTC
jhead-3.03-4.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.