Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WavPack crashes -- Heap buffer overwrite #32

Closed
thuanpv opened this issue Apr 23, 2018 · 2 comments
Closed

WavPack crashes -- Heap buffer overwrite #32

thuanpv opened this issue Apr 23, 2018 · 2 comments
Assignees
@dbry

Comments

@thuanpv
Copy link

thuanpv commented Apr 23, 2018
edited

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. This could lead to denial of service and potentially code execution.

This bug was found on Ubuntu 16.04 64-bit & WavPack revision 0a7295 (HEAD)

To reproduce:
Download & extract the attached file - wavpack_crash4.wav
wavpack -y wavpack_crash4.wav

Error message:

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

creating wavpack_crash4.wv,   0% done...*** Error in `../WavPack/cli/wavpack': munmap_chunk(): invalid pointer: 0x00000000009943f0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fbcb17db7e5]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x1a8)[0x7fbcb17e8698]
../WavPack/cli/wavpack[0x49080c]
../WavPack/cli/wavpack[0x4a0051]
../WavPack/cli/wavpack[0x4ace6d]
../WavPack/cli/wavpack[0x434406]
../WavPack/cli/wavpack[0x407443]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fbcb1784830]
../WavPack/cli/wavpack[0x416bf9]
======= Memory map: ========
00400000-00536000 r-xp 00000000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
00736000-00737000 r--p 00136000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
00737000-00738000 rw-p 00137000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
0088a000-009b2000 rw-p 00000000 00:00 0                                  [heap]
7fbcb154d000-7fbcb1563000 r-xp 00000000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fbcb1563000-7fbcb1762000 ---p 00016000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fbcb1762000-7fbcb1763000 r--p 00015000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fbcb1763000-7fbcb1764000 rw-p 00016000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fbcb1764000-7fbcb1924000 r-xp 00000000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7fbcb1924000-7fbcb1b24000 ---p 001c0000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7fbcb1b24000-7fbcb1b28000 r--p 001c0000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7fbcb1b28000-7fbcb1b2a000 rw-p 001c4000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7fbcb1b2a000-7fbcb1b2e000 rw-p 00000000 00:00 0 
7fbcb1b2e000-7fbcb1c36000 r-xp 00000000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7fbcb1c36000-7fbcb1e35000 ---p 00108000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7fbcb1e35000-7fbcb1e36000 r--p 00107000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7fbcb1e36000-7fbcb1e37000 rw-p 00108000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7fbcb1e37000-7fbcb1e5d000 r-xp 00000000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7fbcb204c000-7fbcb2050000 rw-p 00000000 00:00 0 
7fbcb205b000-7fbcb205c000 rw-p 00000000 00:00 0 
7fbcb205c000-7fbcb205d000 r--p 00025000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7fbcb205d000-7fbcb205e000 rw-p 00026000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7fbcb205e000-7fbcb205f000 rw-p 00000000 00:00 0 
7ffe40759000-7ffe4077a000 rw-p 00000000 00:00 0                          [stack]
7ffe407a4000-7ffe407a6000 r--p 00000000 00:00 0                          [vvar]
7ffe407a6000-7ffe407a8000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Valgrind says:

creating wavpack_crash4.wv,   0% done...==168858== Invalid write of size 2
==168858==    at 0x4C868F: flush_word (write_words.c:502)
==168858==    by 0x4C868F: send_words_lossless (write_words.c:405)
==168858==    by 0x4854CB: pack_samples (pack.c:1159)
==168858==    by 0x48F5F7: pack_block (pack.c:638)
==168858==    by 0x4A0050: pack_streams (pack_utils.c:951)
==168858==    by 0x4ACE6C: WavpackFlushSamples (pack_utils.c:701)
==168858==    by 0x434405: pack_audio (wavpack.c:2393)
==168858==    by 0x434405: pack_file (wavpack.c:1891)
==168858==    by 0x407442: main (wavpack.c:1272)
==168858==  Address 0x57a9b1c is 13,212 bytes inside a block of size 13,213 alloc'd
==168858==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==168858==    by 0x49FF3D: pack_streams (pack_utils.c:928)
==168858==    by 0x4ACE6C: WavpackFlushSamples (pack_utils.c:701)
==168858==    by 0x434405: pack_audio (wavpack.c:2393)
==168858==    by 0x434405: pack_file (wavpack.c:1891)
==168858==    by 0x407442: main (wavpack.c:1272)
==168858== 
==168858== Invalid write of size 2
==168858==    at 0x4C2203: flush_word (write_words.c:502)
==168858==    by 0x4C87CB: send_words_lossless (write_words.c:438)
==168858==    by 0x4854CB: pack_samples (pack.c:1159)
==168858==    by 0x48F5F7: pack_block (pack.c:638)
==168858==    by 0x4A0050: pack_streams (pack_utils.c:951)
==168858==    by 0x4ACE6C: WavpackFlushSamples (pack_utils.c:701)
==168858==    by 0x434405: pack_audio (wavpack.c:2393)
==168858==    by 0x434405: pack_file (wavpack.c:1891)
==168858==    by 0x407442: main (wavpack.c:1272)
==168858==  Address 0x57a9b20 is 3 bytes after a block of size 13,213 alloc'd
==168858==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==168858==    by 0x49FF3D: pack_streams (pack_utils.c:928)
==168858==    by 0x4ACE6C: WavpackFlushSamples (pack_utils.c:701)
==168858==    by 0x434405: pack_audio (wavpack.c:2393)
==168858==    by 0x434405: pack_file (wavpack.c:1891)
==168858==    by 0x407442: main (wavpack.c:1272)

ASAN says:

==169033==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700001bc9c at pc 0x000000495f60 bp 0x7fff5c6d1640 sp 0x7fff5c6d1630
WRITE of size 2 at 0x62700001bc9c thread T0
    #0 0x495f5f in flush_word /home/thuan/subjects/WavPack-asan/src/write_words.c:502
    #1 0x49169f in send_words_lossless /home/thuan/subjects/WavPack-asan/src/write_words.c:405
    #2 0x45a842 in pack_samples /home/thuan/subjects/WavPack-asan/src/pack.c:1136
    #3 0x4541ba in pack_block /home/thuan/subjects/WavPack-asan/src/pack.c:638
    #4 0x47919f in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:951
    #5 0x4772ef in WavpackFlushSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:701
    #6 0x40f7f4 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2393
    #7 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
    #8 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
    #9 0x7f1df62b382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x402528 in _start (/home/thuan/subjects/WavPack-asan/cli/wavpack+0x402528)

0x62700001bc9d is located 0 bytes to the right of 13213-byte region [0x627000018900,0x62700001bc9d)
allocated by thread T0 here:
    #0 0x7f1df774bf70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
    #1 0x478bb3 in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:928
    #2 0x4772ef in WavpackFlushSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:701
    #3 0x40f7f4 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2393
    #4 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
    #5 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
    #6 0x7f1df62b382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/subjects/WavPack-asan/src/write_words.c:502 in flush_word
Shadow bytes around the buggy address:
  0x0c4e7fffb740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4e7fffb750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4e7fffb760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4e7fffb770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4e7fffb780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4e7fffb790: 00 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==169033==ABORTING

Regards,

Thuan
wavpack_crash4.wav.tar.gz
@thuanpv thuanpv changed the title WavPack crashes WavPack crashes -- Heap buffer overwrite Apr 23, 2018
@dbry dbry self-assigned this Apr 24, 2018
dbry added a commit that referenced this issue Apr 25, 2018
@dbry
issue #30 issue #31 issue #32: no multiple format chunks in WAV or W64
26cb47f
@thuanpv
Copy link
Author

thuanpv commented Apr 26, 2018

All 3 issues have been fixed! Thanks.

@thuanpv thuanpv closed this as completed Apr 26, 2018
@mboehme
Copy link

mboehme commented Apr 30, 2018

Thanks, David, for applying the patch so promptly.

Here is our analysis:

  • The file contains the mandatory riff, fmt, and data chunks, plus an additional fmt chunk placed right after the first fmt chunk. The first fmt chunk specifies IEEE float as WAVE format. The second fmt chunk specifies PCM as WAVE format, one bit per sample, 20 channels, and 20 as block align.
  • The first fmt chunk passes all sanity checks (incl. bits per sample = 32 and BlockAlign / NumChannels < bits per sample / 8; riff.c:185) and sets config->float_norm_exp = 127 riff.c:220
  • The second fmt chunk allows to override the number of bits per sample, channels, and block align while maintaining the IEEE float format setting (i.e., the value of config->float_norm_exp), effectively circumventing the sanity checks. The assumption of the sanity checks holding later in the packing leads to the buffer overwrite.

MITRE assigned

  • CVE-2018-10536 for WAVE parser component (*.wav; ParseRiffHeaderConfig in riff.c)
  • CVE-2018-10537 for WAVE64 parser component (*.w64; ParseWave64HeaderConfig in wave64.c)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dbry dbry

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@thuanpv @mboehme @dbry