Created attachment 1629285 [details]
jhead_poc1

Description of problem:
There are invalid reads in the functions ReadJpegSections and process_SOFn, jhead 3.03.

Version-Release number of selected component (if applicable):
3.03

How reproducible:
There are three poc files:
https://github.com/zjuchenyuan/fuzzpoc/raw/master/jhead_poc1
https://github.com/zjuchenyuan/fuzzpoc/raw/master/jhead_poc2
https://github.com/zjuchenyuan/fuzzpoc/raw/master/jhead_poc3

Steps to Reproduce:
1. wget https://github.com/zjuchenyuan/fuzzpoc/raw/master/jhead_poc{1..3}
2. jhead jhead_poc1

A reproducible docker image based on ubuntu16.04 has been pushed to `zjuchenyuan/dockerized_poc:jhead`; you can do these:
```
docker run -it --rm zjuchenyuan/dockerized_poc:jhead
# in the container
/tmp/asan/jhead /fuzzpoc/jhead_poc1
valgrind -v /tmp/justafl/jhead /fuzzpoc/jhead_poc1
```

Actual results:
(after removing useless lines)
```
Step 5/10 : RUN /tmp/asan/jhead /fuzzpoc/jhead_poc1 || exit 0
 ---> Running in f1b4109d1d60
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff2 at pc 0x7ffff6ee1676 bp 0x7fffffff0470 sp 0x7ffffffefc18
READ of size 5 at 0x60200000eff2 thread T0
    #0 0x7ffff6ee1675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0x40eb51 in ReadJpegSections /jhead-3.03/jpgfile.c:251
    #2 0x410ead in ReadJpegSections /jhead-3.03/jpgfile.c:126
    #3 0x410ead in ReadJpegFile /jhead-3.03/jpgfile.c:375
    #4 0x4086b3 in ProcessFile /jhead-3.03/jhead.c:905
    #5 0x402f9b in main /jhead-3.03/jhead.c:1757
    #6 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x406868 in _start (/tmp/asan/jhead+0x406868)

0x60200000eff2 is located 0 bytes to the right of 2-byte region [0x60200000eff0,0x60200000eff2)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e5b7 in ReadJpegSections /jhead-3.03/jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp

Step 6/10 : RUN valgrind -v /tmp/justafl/jhead /fuzzpoc/jhead_poc1 || exit 0
 ---> Running in 36b7ff7c1384
==7== Memcheck, a memory error detector
==7== Invalid read of size 1
==7==    at 0x4C33D25: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410981: ReadJpegSections.part.0 (jpgfile.c:251)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e382 is 0 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== HEAP SUMMARY:
==7==     in use at exit: 47,664 bytes in 3 blocks
==7==   total heap usage: 13 allocs, 10 frees, 51,890 bytes allocated
==7==
==7== Searching for pointers to 3 not-freed blocks
==7== Checked 106,720 bytes
==7==
==7== LEAK SUMMARY:
==7==    definitely lost: 0 bytes in 0 blocks
==7==    indirectly lost: 0 bytes in 0 blocks
==7==      possibly lost: 0 bytes in 0 blocks
==7==    still reachable: 47,664 bytes in 3 blocks
==7==         suppressed: 0 bytes in 0 blocks
==7== Rerun with --leak-check=full to see details of leaked memory
==7==
==7== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==7==
==7== 1 errors in context 1 of 1:
==7== Invalid read of size 1
==7==    at 0x4C33D25: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410981: ReadJpegSections.part.0 (jpgfile.c:251)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e382 is 0 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Step 7/10 : RUN /tmp/asan/jhead /fuzzpoc/jhead_poc2 || exit 0
 ---> Running in 99ec181d6327
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd3 at pc 0x00000040fecc bp 0x7fffffff0470 sp 0x7fffffff0460
READ of size 2 at 0x60200000efd3 thread T0
    #0 0x40fecb in ReadJpegSections /jhead-3.03/jpgfile.c:273
    #1 0x410ead in ReadJpegSections /jhead-3.03/jpgfile.c:126
    #2 0x410ead in ReadJpegFile /jhead-3.03/jpgfile.c:375
    #3 0x4086b3 in ProcessFile /jhead-3.03/jhead.c:905
    #4 0x402f9b in main /jhead-3.03/jhead.c:1757
    #5 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x406868 in _start (/tmp/asan/jhead+0x406868)

0x60200000efd4 is located 0 bytes to the right of 4-byte region [0x60200000efd0,0x60200000efd4)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e5b7 in ReadJpegSections /jhead-3.03/jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow /jhead-3.03/jpgfile.c:273 ReadJpegSections

Step 8/10 : RUN valgrind -v /tmp/justafl/jhead /fuzzpoc/jhead_poc2 || exit 0
 ---> Running in 7cf2ec15c930
==7== Memcheck, a memory error detector
==7== Invalid read of size 2
==7==    at 0x410FC0: process_SOFn (jpgfile.c:79)
==7==    by 0x410FC0: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f3 is 3 bytes inside a block of size 4 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 2
==7==    at 0x410FC5: process_SOFn (jpgfile.c:80)
==7==    by 0x410FC5: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f5 is 1 bytes after a block of size 4 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 1
==7==    at 0x410FCC: process_SOFn (jpgfile.c:81)
==7==    by 0x410FCC: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f7 is 3 bytes after a block of size 4 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

Step 9/10 : RUN /tmp/asan/jhead /fuzzpoc/jhead_poc3 || exit 0
 ---> Running in 9017c4229f78
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd2 at pc 0x00000040fed4 bp 0x7fffffff0470 sp 0x7fffffff0460
READ of size 1 at 0x60200000efd2 thread T0
    #0 0x40fed3 in process_SOFn /jhead-3.03/jpgfile.c:78
    #1 0x40fed3 in ReadJpegSections /jhead-3.03/jpgfile.c:329
    #2 0x410ead in ReadJpegSections /jhead-3.03/jpgfile.c:126
    #3 0x410ead in ReadJpegFile /jhead-3.03/jpgfile.c:375
    #4 0x4086b3 in ProcessFile /jhead-3.03/jhead.c:905
    #5 0x402f9b in main /jhead-3.03/jhead.c:1757
    #6 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x406868 in _start (/tmp/asan/jhead+0x406868)

0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e5b7 in ReadJpegSections /jhead-3.03/jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow /jhead-3.03/jpgfile.c:78 process_SOFn

Step 10/10 : RUN valgrind -v /tmp/justafl/jhead /fuzzpoc/jhead_poc3 || exit 0
 ---> Running in 50f21934e71f
==7== Memcheck, a memory error detector
==7== Invalid read of size 2
==7==    at 0x410FC0: process_SOFn (jpgfile.c:79)
==7==    by 0x410FC0: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f3 is 1 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 2
==7==    at 0x410FC5: process_SOFn (jpgfile.c:80)
==7==    by 0x410FC5: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f5 is 3 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 1
==7==    at 0x410FCC: process_SOFn (jpgfile.c:81)
==7==    by 0x410FCC: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f7 is 5 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 1
==7==    at 0x410FD7: process_SOFn (jpgfile.c:78)
==7==    by 0x410FD7: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f2 is 0 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
```

Expected results:
crash

Additional info:
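The traces above all share one shape: ReadJpegSections allocates a block of exactly `itemlen` bytes for a marker segment (jpgfile.c:173), and a handler then reads fixed offsets into it (the `memcmp` at :251, `process_SOFn` at :78-81) without checking that `itemlen` covers them, so a 2- or 4-byte segment makes those reads run off the end of the heap block. The following is an added illustration, not code from the report, from jhead or from the 3.04 fix: a cut-down model of that marker loop with the per-segment minimum-length checks in place, parsing constructed in-memory images (not the PoC files) that have the same 2- and 4-byte segment lengths the sanitizer output describes. The function names, the constructed payloads, the choice to skip rather than reject an APP1 segment too short to carry an Exif or XMP signature, and the minimum sizes 7 and 8 are this example's assumptions.

```c
/* Added example, not jhead's code: a cut-down model of the marker loop in jhead 3.03's
 * jpgfile.c (ReadJpegSections / process_SOFn) with the per-segment length checks the traces
 * above show were missing. A segment's 16-bit length counts its own two bytes, so 2 is the
 * smallest legal value and means "no payload". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { M_SOF0 = 0xC0, M_EXIF = 0xE1 };
enum seg_result { SEG_OK = 0, SEG_NO_MARKER = -1, SEG_TRUNCATED = -2, SEG_TOO_SHORT = -3 };
struct segment {
    int itemlen, is_exif, is_xmp;              /* itemlen includes its own 2 bytes, as in jhead */
    int precision, height, width, components;  /* SOFn frame header */
};

static int get16m(const unsigned char *p) { return (p[0] << 8) | p[1]; }
/* SOF0..SOF15, minus DHT (C4), JPG (C8) and DAC (CC), which share the C0-CF range. */
static int is_sofn(int m) { return m >= M_SOF0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC; }

/* Reads one segment at buf[*pos]; only the two handlers named in the traces are modelled. */
static enum seg_result read_segment(const unsigned char *buf, size_t len, size_t *pos, struct segment *out)
{
    size_t p = *pos;
    unsigned char *data;
    int marker, itemlen;

    memset(out, 0, sizeof *out);
    while (p < len && buf[p] == 0xFF) p++;             /* jhead also skips FF fill bytes */
    if (p == *pos || p >= len) return SEG_NO_MARKER;
    marker = buf[p++];
    if (len - p < 2) return SEG_TRUNCATED;
    itemlen = get16m(buf + p);
    if (itemlen < 2) return SEG_TOO_SHORT;             /* the one length check 3.03 does have */
    if (len - p < (size_t)itemlen) return SEG_TRUNCATED;
    data = malloc(itemlen);                            /* same shape as the malloc at jpgfile.c:173 */
    if (!data) return SEG_TRUNCATED;
    memcpy(data, buf + p, itemlen);
    p += itemlen;
    out->itemlen = itemlen;
    if (marker == M_EXIF) {
        /* 3.03: memcmp(Data+2,"Exif",4) then memcmp(Data+2,"http:",5) with no size check, the
         * 5-byte read past a 2-byte block in the poc1 trace. Too short for either: neither. */
        if (itemlen >= 2 + 5) {
            if (memcmp(data + 2, "Exif", 4) == 0)       out->is_exif = 1;
            else if (memcmp(data + 2, "http:", 5) == 0) out->is_xmp = 1;
        }
    } else if (is_sofn(marker)) {
        /* 3.03 process_SOFn reads Data[2..7] unconditionally; the poc2/poc3 valgrind traces show
         * it doing so on 4- and 2-byte blocks. A frame header needs 8 bytes. */
        if (itemlen < 8) { free(data); return SEG_TOO_SHORT; }
        out->precision  = data[2];
        out->height     = get16m(data + 3);
        out->width      = get16m(data + 5);
        out->components = data[7];
    }
    free(data);
    *pos = p;
    return SEG_OK;
}

/* Requires SOI first, as ReadJpegSections does, then parses the segment after it. */
static enum seg_result parse_first_segment(const unsigned char *buf, size_t len, struct segment *out)
{
    size_t pos = 2;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return SEG_NO_MARKER;
    return read_segment(buf, len, &pos, out);
}

/* Constructed input (not the PoC files): SOI, one segment whose length field and payload the
 * caller picks independently (a malformed file is one where they disagree), then EOI. */
static size_t build_jpeg(unsigned char *out, size_t cap, int marker, int itemlen,
                         const unsigned char *payload, size_t n)
{
    size_t k = 0;
    if (cap < 8 + n) return 0;
    out[k++] = 0xFF; out[k++] = 0xD8;
    out[k++] = 0xFF; out[k++] = (unsigned char)marker;
    out[k++] = (unsigned char)(itemlen >> 8); out[k++] = (unsigned char)itemlen;
    if (n) memcpy(out + k, payload, n);
    k += n;
    out[k++] = 0xFF; out[k++] = 0xD9;
    return k;
}

/* Sample payloads: 8-bit 32x16 3-component frame header; Exif APP1 header; start of an XMP one. */
static const unsigned char SOF0_PAYLOAD[] = { 0x08, 0x00,0x10, 0x00,0x20, 0x03, 0x01,0x22,0x00, 0x02,0x11,0x01, 0x03,0x11,0x01 };
static const unsigned char EXIF_PAYLOAD[] = "Exif\0";   /* "Exif" plus two NULs */
static const unsigned char XMP_PAYLOAD[]  = "http://ns.adobe.com/xap/1.0/";

enum probe_what { Q_RESULT, Q_WIDTH, Q_KIND };
/* Builds one constructed image, parses it and reports the result code or one parsed field
 * (KIND: 1 Exif, 2 XMP, 0 neither, -1 when parsing failed). */
static int probe(int marker, int itemlen, const unsigned char *payload, size_t n, enum probe_what what)
{
    unsigned char img[128];
    struct segment seg;
    size_t len = build_jpeg(img, sizeof img, marker, itemlen, payload, n);
    enum seg_result r = len ? parse_first_segment(img, len, &seg) : SEG_TRUNCATED;
    if (what == Q_WIDTH) return r == SEG_OK ? seg.width : -1;
    if (what == Q_KIND)  return r != SEG_OK ? -1 : seg.is_exif ? 1 : seg.is_xmp ? 2 : 0;
    return (int)r;
}

int main(void)
{
    printf("SOF0 len 4 -> %d, SOF0 len 2 -> %d, APP1 len 2 -> %d, valid SOF0 width %d\n",
           probe(M_SOF0, 4, SOF0_PAYLOAD, 2, Q_RESULT), probe(M_SOF0, 2, NULL, 0, Q_RESULT),
           probe(M_EXIF, 2, NULL, 0, Q_RESULT), probe(M_SOF0, 17, SOF0_PAYLOAD, sizeof SOF0_PAYLOAD, Q_WIDTH));
    return 0;
}
```

The check that matters is the one before each handler touches `data`: the length field is attacker-controlled, the allocation is sized from it, and every fixed-offset read has to be compared against it. A SOFn segment shorter than 8 bytes is rejected outright because the image geometry cannot be read from it; an APP1 segment shorter than the 7 bytes the two signature compares need is simply treated as neither Exif nor XMP, since short APP1 payloads are legal JPEG. Rejecting or skipping is a policy choice; reading past the block is not.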
I (jhead Debian maintainer) worked with upstream to fix this issue in the new version 3.04.

All the previous Debian patches are also now included upstream, so other CVEs are now also fixed upstream.
The list of Debian patches applied upstream for the previous 3.03 version is available at https://sources.debian.org/src/jhead/1:3.03-3/debian/patches/
(In reply to Ludovic Rousseau from comment #1)
> I (jhead Debian maintainer) worked with upstream to fix this issue in the
> new version 3.04.
>
> All the previous Debian patches are also now included upstream so other CVE
> are now also fixed upstream.
> The list of Debian patches applied upstream for the previous 3.03 version is
> available at https://sources.debian.org/src/jhead/1:3.03-3/debian/patches/

Ludovic, as always, thanks a lot for keeping jhead in shape and letting me know!
FEDORA-EPEL-2019-288e46f2d9 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-288e46f2d9
FEDORA-EPEL-2019-1a5ac407f8 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-1a5ac407f8
jhead-3.04-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-288e46f2d9
jhead-3.04-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-1a5ac407f8
jhead-3.04-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.
jhead-3.04-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.