Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2018-17229: AddressSanitizer: heap-buffer-overflow in Exiv2::d2Data #453

Closed
Marsman1996 opened this issue Sep 17, 2018 · 5 comments
Closed

CVE-2018-17229: AddressSanitizer: heap-buffer-overflow in Exiv2::d2Data #453

Marsman1996 opened this issue Sep 17, 2018 · 5 comments
Milestone
v0.27

Comments

@Marsman1996
Copy link

Marsman1996 commented Sep 17, 2018
edited

Tested in Ubuntu 16.04, 64bit, Exiv2(master b6a8d39)
$ exiv2 $POC

https://github.com/Marsman1996/pocs/blob/master/exiv2/CVE-2018-17229/poc4-d2Data

./bin/exiv2 ../../poc4-d2Data 
=================================================================
==29719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edda at pc 0x7f380fbee411 bp 0x7ffe90b43600 sp 0x7ffe90b435f0
WRITE of size 1 at 0x60200000edda thread T0
    #0 0x7f380fbee410 in Exiv2::d2Data(unsigned char*, double, Exiv2::ByteOrder) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/types.cpp:473
    #1 0x7f380fbfc1e7 in long Exiv2::toData<double>(unsigned char*, double, Exiv2::ByteOrder) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/include/exiv2/value.hpp:1512
    #2 0x7f380fc03803 in Exiv2::ValueType<double>::copy(unsigned char*, Exiv2::ByteOrder) const /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/include/exiv2/value.hpp:1611
    #3 0x7f380fb47e58 in Exiv2::Exifdatum::copy(unsigned char*, Exiv2::ByteOrder) const /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/exif.cpp:357
    #4 0x7f380fbe9083 in Exiv2::TiffImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/tiffimage.cpp:199
    #5 0x43a413 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/actions.cpp:287
    #6 0x439c8b in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/actions.cpp:247
    #7 0x4222d7 in main /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/exiv2.cpp:167
    #8 0x7f380eed082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x421ce8 in _start (/home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/build_asan/bin/exiv2+0x421ce8)

0x60200000edda is located 0 bytes to the right of 10-byte region [0x60200000edd0,0x60200000edda)
allocated by thread T0 here:
    #0 0x7f381032d6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x7f380fbeb51f in Exiv2::DataBuf::alloc(long) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/types.cpp:156
    #2 0x7f380fbe8fe6 in Exiv2::TiffImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/tiffimage.cpp:198
    #3 0x43a413 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/actions.cpp:287
    #4 0x439c8b in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/actions.cpp:247
    #5 0x4222d7 in main /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/exiv2.cpp:167
    #6 0x7f380eed082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/marsman/Desktop/crashana/exiv2/exiv2-b6a8d39613a28603a989bd5278798db8a54eeb1e/src/types.cpp:473 Exiv2::d2Data(unsigned char*, double, Exiv2::ByteOrder)
Shadow bytes around the buggy address:
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa 00[02]fa fa 00 00
  0x0c047fff9dc0: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
  0x0c047fff9dd0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9de0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9df0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fd
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29719==ABORTING

Addition: This bug was found with mem-AFL, which is based on AFL. Mem-AFL is developed by Yanhao(unfuzzable123@gmail.com) & Marsman1996(lqliuyuwei@outlook.com)
@D4N
Copy link
Member

D4N commented Sep 17, 2018

This issue is no longer present on master.

@D4N D4N closed this as completed Sep 17, 2018
@abergmann
Copy link

CVE-2018-17229 was assigned to this issue.

@Marsman1996 Marsman1996 changed the title AddressSanitizer: heap-buffer-overflow in Exiv2::d2Data CVE-2018-17229: AddressSanitizer: heap-buffer-overflow in Exiv2::d2Data Sep 21, 2018
@carnil
Copy link

carnil commented Oct 13, 2018

A bisect of the issue seem to indicate the issue is adressed by afb98cb ("Allocate correct amount of memory for the ICC profile")

@carnil
Copy link

carnil commented Oct 14, 2018
edited

Issue was introduced possibly later than 3d57bbc ("#1074 Work in progress. ICC Jpeg/Png/Tiff exiv2 -eC foo.xxx writes good foo.icc profiles. icc-test.sh is broken and to be investigated."). That is I was not able to determine exactly where the issue has been introduced.

The issue should be seen as well with the v0.26 tagged version if one cherry-picks (depending on used compiler) 04052ce on top and builds.

@carnil carnil mentioned this issue Oct 14, 2018
Closed
@carnil
Copy link

carnil commented Oct 14, 2018

Commit afb98cb introduces CVE-2018-17282, which was #457

@clanmills clanmills added this to the v0.27 milestone Nov 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.27
Development

No branches or pull requests
5 participants
@clanmills @carnil @D4N @abergmann @Marsman1996