Description
Hello OpenEXR team,
I have identified an issue affecting OpenEXR using AFL fuzzing.
root@kali:~/openexr# valgrind -v --tool=memcheck --leak-check=full exrmultiview left outputFuzz/crashes/id:000000,sig:11,src:000453,op:arith8,pos:107,val:+35 right AllHalfValues.exr 12.exr
==76955== Memcheck, a memory error detector
==76955== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==76955== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==76955== Command: exrmultiview left outputFuzz/crashes/id:000000,sig:11,src:000453,op:arith8,pos:107,val:+35 right AllHalfValues.exr 12.exr
==76955==
--76955-- Valgrind options:
--76955-- -v
--76955-- --tool=memcheck
--76955-- --leak-check=full
--76955-- Contents of /proc/version:
--76955-- Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
--76955--
--76955-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-avx-avx2-bmi
--76955-- Page sizes: currently 4096, max supported 4096
--76955-- Valgrind library directory: /usr/lib/valgrind
--76955-- Reading syms from /usr/local/bin/exrmultiview
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.27.so
--76955-- Considering /usr/lib/debug/.build-id/dc/5cb16f5e644116cac64a4c3f5da4d081b81a4f.debug ..
--76955-- .. build-id is valid
--76955-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--76955-- Considering /usr/lib/valgrind/memcheck-amd64-linux ..
--76955-- .. CRC mismatch (computed 7680f3df wanted 92e0f93c)
--76955-- Considering /usr/lib/debug/usr/lib/valgrind/memcheck-amd64-linux ..
--76955-- .. CRC is valid
--76955-- object doesn't have a dynamic symbol table
--76955-- Scheduler: using generic scheduler lock implementation.
--76955-- Reading suppressions file: /usr/lib/valgrind/default.supp
==76955== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-76955-by-root-on-???
==76955== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-76955-by-root-on-???
==76955== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-76955-by-root-on-???
==76955==
==76955== TO CONTROL THIS PROCESS USING vgdb (which you probably
==76955== don't want to do, unless you know exactly what you're doing,
==76955== or are doing some strange experiment):
==76955== /usr/lib/valgrind/../../bin/vgdb --pid=76955 ...command...
==76955==
==76955== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==76955== /path/to/gdb exrmultiview
==76955== and then give GDB the following command
==76955== target remote | /usr/lib/valgrind/../../bin/vgdb --pid=76955
==76955== --pid is optional if only one valgrind process is running
==76955==
--76955-- REDIR: 0x401e290 (ld-linux-x86-64.so.2:strlen) redirected to 0x58061781 (vgPlain_amd64_linux_REDIR_FOR_strlen)
--76955-- REDIR: 0x401e070 (ld-linux-x86-64.so.2:index) redirected to 0x5806179b (vgPlain_amd64_linux_REDIR_FOR_index)
--76955-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--76955-- Considering /usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--76955-- .. CRC mismatch (computed 66a2a561 wanted 3789c7eb)
--76955-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--76955-- .. CRC is valid
--76955-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--76955-- Considering /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--76955-- .. CRC mismatch (computed 8487a070 wanted 8af30a91)
--76955-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--76955-- .. CRC is valid
==76955== WARNING: new redirection conflicts with existing -- ignoring it
--76955-- old: 0x0401e290 (strlen ) R-> (0000.0) 0x58061781 vgPlain_amd64_linux_REDIR_FOR_strlen
--76955-- new: 0x0401e290 (strlen ) R-> (2007.0) 0x04838a60 strlen
--76955-- REDIR: 0x401aab0 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4839b90 (strcmp)
--76955-- REDIR: 0x401e7d0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x483d1a0 (mempcpy)
--76955-- Reading syms from /usr/local/lib/libIlmImf-2_3.so.2.3.0
--76955-- Reading syms from /usr/local/lib/libHalf-2_3.so.2.3.0
--76955-- Reading syms from /usr/local/lib/libImath-2_3.so.2.3.0
--76955-- Reading syms from /usr/local/lib/libIlmThread-2_3.so.2.3.0
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libpthread-2.27.so
--76955-- Considering /usr/lib/debug/.build-id/c1/969b6ac0e7a64f9cd88fdce8b584ccfc16623d.debug ..
--76955-- .. build-id is valid
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
--76955-- object doesn't have a symbol table
--76955-- Reading syms from /usr/local/lib/libIex-2_3.so.2.3.0
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
--76955-- object doesn't have a symbol table
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libm-2.27.so
--76955-- Considering /usr/lib/debug/.build-id/fa/b2857727406caccd7ab22e1729b09ccf2c3eb7.debug ..
--76955-- .. build-id is valid
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
--76955-- object doesn't have a symbol table
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libc-2.27.so
--76955-- Considering /usr/lib/debug/.build-id/dc/87cd1e2b171a4c51139cb4e1f2ec630e711de3.debug ..
--76955-- .. build-id is valid
--76955-- REDIR: 0x5361050 (libc.so.6:memmove) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360280 (libc.so.6:strncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361330 (libc.so.6:strcasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fcd0 (libc.so.6:strcat) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53602b0 (libc.so.6:rindex) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5362900 (libc.so.6:rawmemchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53611c0 (libc.so.6:mempcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360ff0 (libc.so.6:bcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360240 (libc.so.6:strncmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fd40 (libc.so.6:strcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361120 (libc.so.6:memset) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x537ab60 (libc.so.6:wcschr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53601e0 (libc.so.6:strnlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fdb0 (libc.so.6:strcspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361380 (libc.so.6:strncasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fd80 (libc.so.6:strcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53614c0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53602e0 (libc.so.6:strpbrk) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fd00 (libc.so.6:index) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53601b0 (libc.so.6:strlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53671b0 (libc.so.6:memrchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53613d0 (libc.so.6:strcasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360fc0 (libc.so.6:memchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x537b920 (libc.so.6:wcslen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360590 (libc.so.6:strspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361300 (libc.so.6:stpncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53612d0 (libc.so.6:stpcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5362930 (libc.so.6:strchrnul) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361420 (libc.so.6:strncasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5433700 (libc.so.6:__strrchr_avx2) redirected to 0x48383e0 (rindex)
--76955-- REDIR: 0x535c5c0 (libc.so.6:malloc) redirected to 0x4835750 (malloc)
--76955-- REDIR: 0x54338d0 (libc.so.6:__strlen_avx2) redirected to 0x48389a0 (strlen)
--76955-- REDIR: 0x542fee0 (libc.so.6:__memcmp_avx2_movbe) redirected to 0x483bab0 (bcmp)
--76955-- REDIR: 0x540f0a0 (libc.so.6:__strcmp_ssse3) redirected to 0x4839a50 (strcmp)
--76955-- REDIR: 0x535d2a0 (libc.so.6:calloc) redirected to 0x4837720 (calloc)
--76955-- REDIR: 0x5433e10 (libc.so.6:__memcpy_avx_unaligned_erms) redirected to 0x483c390 (memmove)
--76955-- REDIR: 0x503af90 (libstdc++.so.6:operator new(unsigned long)) redirected to 0x4835dc0 (operator new(unsigned long))
--76955-- REDIR: 0x5039220 (libstdc++.so.6:operator delete(void*)) redirected to 0x4836e80 (operator delete(void*))
--76955-- REDIR: 0x5422440 (libc.so.6:__strncpy_ssse3) redirected to 0x4838c60 (strncpy)
--76955-- REDIR: 0x5360a70 (libc.so.6:__GI_strstr) redirected to 0x483d410 (__strstr_sse2)
--76955-- REDIR: 0x503b040 (libstdc++.so.6:operator new[](unsigned long)) redirected to 0x48364e0 (operator new[](unsigned long))
--76955-- REDIR: 0x542a850 (libc.so.6:__strncmp_sse42) redirected to 0x4839220 (__strncmp_sse42)
--76955-- REDIR: 0x5434290 (libc.so.6:__memset_avx2_unaligned_erms) redirected to 0x483c280 (memset)
--76955-- REDIR: 0x535df10 (libc.so.6:posix_memalign) redirected to 0x4837c10 (posix_memalign)
--76955-- REDIR: 0x5039250 (libstdc++.so.6:operator delete) redirected to 0x4837380 (operator delete)
--76955-- REDIR: 0x535cc50 (libc.so.6:free) redirected to 0x4836980 (free)
--76955-- REDIR: 0x542f760 (libc.so.6:__memchr_avx2) redirected to 0x4839c30 (memchr)
Error reading pixel data from image file "outputFuzz/crashes/id:000000,sig:11,src:000453,op:arith8,pos:107,val:+35". Error decompressing data (input data are shorter than expected).
==76955==
==76955== HEAP SUMMARY:
==76955== in use at exit: 8 bytes in 1 blocks
==76955== total heap usage: 386 allocs, 385 frees, 93,432,818 bytes allocated
==76955==
==76955== Searching for pointers to 1 not-freed blocks
==76955== Checked 171,992 bytes
==76955==
==76955== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
==76955== at 0x4835E2F: operator new(unsigned long) (vg_replace_malloc.c:334)
==76955== by 0x4D191BD: ThreadPool (IlmThreadPool.cpp:758)
==76955== by 0x4D191BD: IlmThread_2_3::ThreadPool::globalThreadPool() (IlmThreadPool.cpp:838)
==76955== by 0x48FA88D: Imf_2_3::globalThreadCount() (ImfThreading.cpp:51)
==76955== by 0x4058B8: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:83)
==76955== by 0x409D33: main (main.cpp:251)
==76955==
==76955== LEAK SUMMARY:
==76955== definitely lost: 8 bytes in 1 blocks
==76955== indirectly lost: 0 bytes in 0 blocks
==76955== possibly lost: 0 bytes in 0 blocks
==76955== still reachable: 0 bytes in 0 blocks
==76955== suppressed: 0 bytes in 0 blocks
==76955==
==76955== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==76955== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Attached the PoC:
poc.zip
Version
openexr-2.3
Found by: TAN JIE