1781073 – heap-buffer-overflow in fucntion Get32s of exif.c

Bug 1781073 - heap-buffer-overflow in fucntion Get32s of exif.c

Summary: heap-buffer-overflow in fucntion Get32s of exif.c

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	jhead
Sub Component:
Version:	epel8
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Adrian Reber
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-12-09 09:33 UTC by libbin
Modified:	2019-12-09 09:33 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
PoC to trigger the heap-buffer-overflow (240 bytes, image/jpeg) 2019-12-09 09:33 UTC, libbin	no flags	Details
View All

Description libbin 2019-12-09 09:33:40 UTC

Created attachment 1643230 [details]
PoC to trigger the heap-buffer-overflow

Description of problem:
There are heap-buffer-overflow in function Get32s, jhead 3.03 and 3.04

Version-Release number of selected component (if applicable):
3.03 and 3.04


How reproducible:
There is a poc files:
https://github.com/BinLeeBit/crashes/blob/master/jhead/testfile/id_043. I add '-fsanitize=address -fno-omit-frame-pointer -O1' to the makefile.

Then, `./jhead ./id_043`


Steps to Reproduce:
1. download sourcecode (v3.04 v3.03): https://www.sentex.ca/~mwandel/jhead/
2. rewrite makefile, by adding `'-fsanitize=address -fno-omit-frame-pointer -O1`
3. ./jhead ./id_043

Actual results:(after removing useless lines)

==25921==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009fdd at pc 0x00000040aeff bp 0x7ffffffeeb70 sp 0x7ffffffeeb60
READ of size 1 at 0x611000009fdd thread T0
    #0 0x40aefe in Get32s /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:336
    #1 0x4115dc in ProcessGpsInfo /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/gpsinfo.c:138
    #2 0x40d9a3 in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:866
    #3 0x40d91c in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:852
    #4 0x40d91c in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:852
    #5 0x40d91c in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:852
    #6 0x40d91c in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:852
    #7 0x40e09a in process_EXIF /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:1041
    #8 0x408318 in ReadJpegSections /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:287
    #9 0x408581 in ReadJpegFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379
    #10 0x405039 in ProcessFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:905
    #11 0x40267d in main /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:1756
    #12 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x403c38 in _start (/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead+0x403c38)

0x611000009fdd is located 3 bytes to the right of 218-byte region [0x611000009f00,0x611000009fda)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40798b in ReadJpegSections /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:173
    #2 0x408581 in ReadJpegFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379
    #3 0x405039 in ProcessFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:905
    #4 0x40267d in main /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:1756
    #5 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:336 Get32s
Shadow bytes around the buggy address:
  0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa
  0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25921==ABORTING
[Inferior 1 (process 25921) exited with code 01]


Expected results:
crash

Additional info:

Note You need to log in before you can comment on or make changes to this bug.