Bug 1765647 - Invalid read in function ReadJpegSections and process_SOFn
Summary: Invalid read in function ReadJpegSections and process_SOFn
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: jhead
Version: epel8
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Adrian Reber
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-10-25 16:22 UTC by chenyuan
Modified: 2019-12-09 02:09 UTC (History)

Fixed In Version: jhead-3.04-1.el8 jhead-3.04-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-09 01:47:53 UTC
Type: Bug


Attachments
jhead_poc1 (22.47 KB, image/jpeg)
2019-10-25 16:22 UTC, chenyuan

Description chenyuan 2019-10-25 16:22:56 UTC
Created attachment 1629285
jhead_poc1

Description of problem:

There are invalid reads in functions ReadJpegSections and process_SOFn, jhead 3.03

Version-Release number of selected component (if applicable):

3.03

How reproducible:


There are three PoC files:
https://github.com/zjuchenyuan/fuzzpoc/raw/master/jhead_poc1
https://github.com/zjuchenyuan/fuzzpoc/raw/master/jhead_poc2
https://github.com/zjuchenyuan/fuzzpoc/raw/master/jhead_poc3

Steps to Reproduce:
1. wget https://github.com/zjuchenyuan/fuzzpoc/raw/master/jhead_poc{1..3}
2. jhead jhead_poc1

A reproducible Docker image based on Ubuntu 16.04 has been pushed to `zjuchenyuan/dockerized_poc:jhead`; you can run these:

```
docker run -it --rm zjuchenyuan/dockerized_poc:jhead
# in the container
/tmp/asan/jhead /fuzzpoc/jhead_poc1
valgrind -v /tmp/justafl/jhead /fuzzpoc/jhead_poc1
```

Actual results: (after removing useless lines)


```
Step 5/10 : RUN /tmp/asan/jhead /fuzzpoc/jhead_poc1 || exit 0
 ---> Running in f1b4109d1d60
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff2 at pc 0x7ffff6ee1676 bp 0x7fffffff0470 sp 0x7ffffffefc18
READ of size 5 at 0x60200000eff2 thread T0
    #0 0x7ffff6ee1675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0x40eb51 in ReadJpegSections /jhead-3.03/jpgfile.c:251
    #2 0x410ead in ReadJpegSections /jhead-3.03/jpgfile.c:126
    #3 0x410ead in ReadJpegFile /jhead-3.03/jpgfile.c:375
    #4 0x4086b3 in ProcessFile /jhead-3.03/jhead.c:905
    #5 0x402f9b in main /jhead-3.03/jhead.c:1757
    #6 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x406868 in _start (/tmp/asan/jhead+0x406868)

0x60200000eff2 is located 0 bytes to the right of 2-byte region [0x60200000eff0,0x60200000eff2)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e5b7 in ReadJpegSections /jhead-3.03/jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp

Step 6/10 : RUN valgrind -v /tmp/justafl/jhead /fuzzpoc/jhead_poc1 || exit 0
 ---> Running in 36b7ff7c1384
==7== Memcheck, a memory error detector

==7== Invalid read of size 1
==7==    at 0x4C33D25: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410981: ReadJpegSections.part.0 (jpgfile.c:251)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e382 is 0 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==

==7== HEAP SUMMARY:
==7==     in use at exit: 47,664 bytes in 3 blocks
==7==   total heap usage: 13 allocs, 10 frees, 51,890 bytes allocated
==7==
==7== Searching for pointers to 3 not-freed blocks
==7== Checked 106,720 bytes
==7==
==7== LEAK SUMMARY:
==7==    definitely lost: 0 bytes in 0 blocks
==7==    indirectly lost: 0 bytes in 0 blocks
==7==      possibly lost: 0 bytes in 0 blocks
==7==    still reachable: 47,664 bytes in 3 blocks
==7==         suppressed: 0 bytes in 0 blocks
==7== Rerun with --leak-check=full to see details of leaked memory
==7==
==7== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==7==
==7== 1 errors in context 1 of 1:
==7== Invalid read of size 1
==7==    at 0x4C33D25: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410981: ReadJpegSections.part.0 (jpgfile.c:251)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e382 is 0 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Step 7/10 : RUN /tmp/asan/jhead /fuzzpoc/jhead_poc2 || exit 0
 ---> Running in 99ec181d6327
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd3 at pc 0x00000040fecc bp 0x7fffffff0470 sp 0x7fffffff0460
READ of size 2 at 0x60200000efd3 thread T0
    #0 0x40fecb in ReadJpegSections /jhead-3.03/jpgfile.c:273
    #1 0x410ead in ReadJpegSections /jhead-3.03/jpgfile.c:126
    #2 0x410ead in ReadJpegFile /jhead-3.03/jpgfile.c:375
    #3 0x4086b3 in ProcessFile /jhead-3.03/jhead.c:905
    #4 0x402f9b in main /jhead-3.03/jhead.c:1757
    #5 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x406868 in _start (/tmp/asan/jhead+0x406868)

0x60200000efd4 is located 0 bytes to the right of 4-byte region [0x60200000efd0,0x60200000efd4)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e5b7 in ReadJpegSections /jhead-3.03/jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow /jhead-3.03/jpgfile.c:273 ReadJpegSections

Step 8/10 : RUN valgrind -v /tmp/justafl/jhead /fuzzpoc/jhead_poc2 || exit 0
 ---> Running in 7cf2ec15c930
==7== Memcheck, a memory error detector

==7== Invalid read of size 2
==7==    at 0x410FC0: process_SOFn (jpgfile.c:79)
==7==    by 0x410FC0: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f3 is 3 bytes inside a block of size 4 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 2
==7==    at 0x410FC5: process_SOFn (jpgfile.c:80)
==7==    by 0x410FC5: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f5 is 1 bytes after a block of size 4 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 1
==7==    at 0x410FCC: process_SOFn (jpgfile.c:81)
==7==    by 0x410FCC: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f7 is 3 bytes after a block of size 4 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==

==7== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

Step 9/10 : RUN /tmp/asan/jhead /fuzzpoc/jhead_poc3 || exit 0
 ---> Running in 9017c4229f78
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd2 at pc 0x00000040fed4 bp 0x7fffffff0470 sp 0x7fffffff0460
READ of size 1 at 0x60200000efd2 thread T0
    #0 0x40fed3 in process_SOFn /jhead-3.03/jpgfile.c:78
    #1 0x40fed3 in ReadJpegSections /jhead-3.03/jpgfile.c:329
    #2 0x410ead in ReadJpegSections /jhead-3.03/jpgfile.c:126
    #3 0x410ead in ReadJpegFile /jhead-3.03/jpgfile.c:375
    #4 0x4086b3 in ProcessFile /jhead-3.03/jhead.c:905
    #5 0x402f9b in main /jhead-3.03/jhead.c:1757
    #6 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x406868 in _start (/tmp/asan/jhead+0x406868)

0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e5b7 in ReadJpegSections /jhead-3.03/jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow /jhead-3.03/jpgfile.c:78 process_SOFn

Step 10/10 : RUN valgrind -v /tmp/justafl/jhead /fuzzpoc/jhead_poc3 || exit 0
 ---> Running in 50f21934e71f
==7== Memcheck, a memory error detector

==7== Invalid read of size 2
==7==    at 0x410FC0: process_SOFn (jpgfile.c:79)
==7==    by 0x410FC0: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f3 is 1 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 2
==7==    at 0x410FC5: process_SOFn (jpgfile.c:80)
==7==    by 0x410FC5: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f5 is 3 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 1
==7==    at 0x410FCC: process_SOFn (jpgfile.c:81)
==7==    by 0x410FCC: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f7 is 5 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==
==7== Invalid read of size 1
==7==    at 0x410FD7: process_SOFn (jpgfile.c:78)
==7==    by 0x410FD7: ReadJpegSections.part.0 (jpgfile.c:329)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==  Address 0x550e4f2 is 0 bytes after a block of size 2 alloc'd
==7==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x410266: ReadJpegSections.part.0 (jpgfile.c:173)
==7==    by 0x4127CE: ReadJpegSections (jpgfile.c:126)
==7==    by 0x4127CE: ReadJpegFile (jpgfile.c:375)
==7==    by 0x408E3E: ProcessFile (jhead.c:905)
==7==    by 0x402273: main (jhead.c:1757)
==7==

==7== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
```

Expected results:

crash

Additional info:

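Added example, not part of this report and not jhead's code: a hypothetical JPEG marker-segment walker in C that shows the two length checks the traces above call for. The first ASan/valgrind trace is a memcmp of 5 bytes at jpgfile.c:251 against a section whose allocated size is only 2 bytes (the page does not show what is being compared; the example uses an Exif APP1 signature as a stand-in); the later traces are field reads in process_SOFn (jpgfile.c:78-81) on sections of 2 or 4 bytes. In both cases the defect class is the same: the section length from the file is trusted as large enough for the access that follows. All names here (parse_jpeg, segment_is_exif, parse_sof, the sample_* arrays, the demo_* wrappers) are assumptions, and the byte arrays are constructed inputs, not the PoC files.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical JPEG marker-segment walker (assumed names; not jhead's code). */
enum { M_SOI = 0xD8, M_EOI = 0xD9, M_SOS = 0xDA, M_APP1 = 0xE1,
       M_DHT = 0xC4, M_JPG = 0xC8, M_DAC = 0xCC };

typedef struct {
    int width, height, components, precision;
    int saw_exif;
    const char *error;      /* set when the parser rejects the input */
} jpeg_info_t;

/* Signature comparison on an APP1 payload. Bounding len before memcmp is the
 * check that makes a "read of size N past a 2-byte region" impossible. */
static int segment_is_exif(const uint8_t *data, size_t len)
{
    static const uint8_t exif_hdr[6] = { 'E', 'x', 'i', 'f', 0, 0 };
    if (len < sizeof exif_hdr)
        return 0;
    return memcmp(data, exif_hdr, sizeof exif_hdr) == 0;
}

/* SOFn payload: precision(1) height(2) width(2) ncomponents(1) + 3 bytes per
 * component. Each group of field reads is preceded by a bound on len. */
static int parse_sof(const uint8_t *data, size_t len, jpeg_info_t *info)
{
    if (len < 6)
        return -1;
    info->precision  = data[0];
    info->height     = (data[1] << 8) | data[2];
    info->width      = (data[3] << 8) | data[4];
    info->components = data[5];
    if (len < 6 + 3u * (size_t)info->components)
        return -1;
    return 0;
}

static int is_sof_marker(int m)
{
    return m >= 0xC0 && m <= 0xCF && m != M_DHT && m != M_JPG && m != M_DAC;
}

/* Walk the marker segments of buf[0..n). Returns 0 on success (stops at SOS
 * or EOI), -1 on malformed input with info->error set. Never reads past n. */
int parse_jpeg(const uint8_t *buf, size_t n, jpeg_info_t *info)
{
    memset(info, 0, sizeof *info);
    if (n < 2 || buf[0] != 0xFF || buf[1] != M_SOI) {
        info->error = "missing SOI"; return -1;
    }
    size_t pos = 2;
    for (;;) {
        if (pos >= n || buf[pos] != 0xFF) { info->error = "expected marker"; return -1; }
        while (pos < n && buf[pos] == 0xFF)      /* 0xFF fill bytes are legal */
            pos++;
        if (pos >= n) { info->error = "truncated marker"; return -1; }
        int marker = buf[pos++];
        if (marker == M_EOI || marker == M_SOS)
            return 0;
        if (pos + 2 > n) { info->error = "truncated length"; return -1; }
        size_t seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];   /* counts itself */
        if (seglen < 2 || pos + seglen > n) { info->error = "bad segment length"; return -1; }
        const uint8_t *payload = buf + pos + 2;
        size_t plen = seglen - 2;                /* may legitimately be 0 */
        if (marker == M_APP1) {
            info->saw_exif = segment_is_exif(payload, plen);
        } else if (is_sof_marker(marker)) {
            if (parse_sof(payload, plen, info) != 0) { info->error = "short SOF segment"; return -1; }
        }
        pos += seglen;
    }
}

/* Constructed inputs (not the PoC files from the report). */
static const uint8_t sample_good[] = {
    0xFF, 0xD8,                                            /* SOI */
    0xFF, 0xE1, 0x00, 0x08, 'E', 'x', 'i', 'f', 0, 0,      /* APP1, Exif header only */
    0xFF, 0xC0, 0x00, 0x0B, 8, 0x00, 0x10, 0x00, 0x20, 1, 1, 0x11, 0, /* SOF0 16x32, 1 comp */
    0xFF, 0xD9                                             /* EOI */
};
static const uint8_t sample_empty_app1[] = { 0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x02, 0xFF, 0xD9 };
static const uint8_t sample_short_sof[]  = { 0xFF, 0xD8, 0xFF, 0xC0, 0x00, 0x04, 8, 0x00, 0xFF, 0xD9 };

/* One-value wrappers so each case can be checked by name. */
int demo_good_width(void)
{
    jpeg_info_t i;
    if (parse_jpeg(sample_good, sizeof sample_good, &i) != 0 || !i.saw_exif) return -1;
    return i.width;                              /* 32 */
}
int demo_empty_app1(void)       /* zero-length APP1: treated as non-Exif, no read past end */
{
    jpeg_info_t i;
    return parse_jpeg(sample_empty_app1, sizeof sample_empty_app1, &i) == 0 && !i.saw_exif;
}
int demo_short_sof(void)        /* 2-byte SOF payload: rejected instead of read past end */
{
    jpeg_info_t i;
    return parse_jpeg(sample_short_sof, sizeof sample_short_sof, &i) == -1
        && strcmp(i.error, "short SOF segment") == 0;
}

int main(void)
{
    printf("good width=%d  empty APP1 handled=%d  short SOF rejected=%d\n",
           demo_good_width(), demo_empty_app1(), demo_short_sof());
    return 0;
}
```

The two malformed samples mirror the section sizes in the traces (a 2-byte section with an empty payload, and a 4-byte SOF section with a 2-byte payload); built with `-fsanitize=address` the walker stays clean on them because every access is bounded by `plen`, which is itself bounded by the buffer size.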
Comment 1 Ludovic Rousseau 2019-11-22 16:54:39 UTC
I (jhead Debian maintainer) worked with upstream to fix this issue in the new version 3.04.

All the previous Debian patches are also now included upstream, so other CVEs are now also fixed upstream.
The list of Debian patches applied upstream for the previous 3.03 version is available at https://sources.debian.org/src/jhead/1:3.03-3/debian/patches/

Comment 2 Adrian Reber 2019-11-23 11:21:45 UTC
(In reply to Ludovic Rousseau from comment #1)
> I (jhead Debian maintainer) worked with upstream to fix this issue in the
> new version 3.04.
> 
> All the previous Debian patches are also now included upstream so other CVE
> are now also fixed upstream.
> The list of Debian patches applied upstream for the previous 3.03 version is
> available at https://sources.debian.org/src/jhead/1:3.03-3/debian/patches/

Ludovic, as always, thanks a lot for keeping jhead in shape and letting me know!

Comment 3 Fedora Update System 2019-11-23 11:26:04 UTC
FEDORA-EPEL-2019-288e46f2d9 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-288e46f2d9

Comment 4 Fedora Update System 2019-11-23 11:33:05 UTC
FEDORA-EPEL-2019-1a5ac407f8 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-1a5ac407f8

Comment 5 Fedora Update System 2019-11-24 01:25:55 UTC
jhead-3.04-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-288e46f2d9

Comment 6 Fedora Update System 2019-11-24 01:30:47 UTC
jhead-3.04-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-1a5ac407f8

Comment 7 Fedora Update System 2019-12-09 01:47:53 UTC
jhead-3.04-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2019-12-09 02:09:06 UTC
jhead-3.04-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

