Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

out bound reads which could result to segmentfault #263

Closed
xiaoqx opened this issue Apr 4, 2018 · 1 comment · Fixed by #479
Closed

out bound reads which could result to segmentfault #263

xiaoqx opened this issue Apr 4, 2018 · 1 comment · Fixed by #479
Labels
bug
Projects
v0.27
Milestone
v0.27

Comments

@xiaoqx
Copy link

xiaoqx commented Apr 4, 2018
edited by D4N

there are other testcases to trigger out of bound read with the commands (exiv2 -pv $POC),
some debug information as follows:

exiv2 -pv $POC

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x66208e
RBX: 0x7ffff78a2ed9 --> 0x63747049002e2e2e ('...')
RCX: 0x0
RDX: 0xf1fe
RSI: 0xffffffff
RDI: 0x0
RBP: 0x7fffffff2ce0 --> 0x7fffffff2ec0 --> 0x7fffffff30a0 --> 0x7fffffff3280 --> 0x7fffffff3460 --> 0x7fffffff3640 (--> ...)
RSP: 0x7fffffff2c20 --> 0x5ff7fe2780
RIP: 0x7ffff778c165 (<Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+659>:   movzx  eax,BYTE PTR [rax])
R8 : 0x0
R9 : 0x651fe0 --> 0x0
R10: 0x7ffff7089760 --> 0x0
R11: 0x0
R12: 0x7ffff78a2ac5 --> 0x4853004949435341 ('ASCII')
R13: 0x7fffffffe490 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)                                                                                                                                [-------------------------------------code-------------------------------------]
   0x7ffff778c155 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+643>:      mov    edx,DWORD PTR [rbp-0x94]
   0x7ffff778c15b <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+649>:      mov    rax,QWORD PTR [rbp-0xb0]
   0x7ffff778c162 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+656>:      add    rax,rdx
=> 0x7ffff778c165 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+659>:      movzx  eax,BYTE PTR [rax]
   0x7ffff778c168 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+662>:      cmp    al,0x1c
   0x7ffff778c16a <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+664>:      jne    0x7ffff778c186 <Exiv2::IptcData::printStructure(std::ostream&, unsigned ch
ar const*, unsigned long, unsigned int)+692>
   0x7ffff778c16c <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+666>:      mov    eax,DWORD PTR [rbp-0x94]
   0x7ffff778c172 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+672>:      mov    rdx,QWORD PTR [rbp-0xb8]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff2c20 --> 0x5ff7fe2780
0008| 0x7fffffff2c28 --> 0xf4
0016| 0x7fffffff2c30 --> 0x652e90 --> 0x1300000008002a49
0024| 0x7fffffff2c38 --> 0x7fffffffe050 --> 0x7ffff7592e38 --> 0x7ffff735afb0 (<_ZNSt14basic_ofstreamIcSt11char_traitsIcEED1Ev>:        mov    rax,QWORD PTR [rip+0x238d01]        # 0x7ffff7593cb8)
0032| 0x7fffffff2c40 --> 0x2000000000000
0040| 0x7fffffff2c48 --> 0xf1fef10e0003
0048| 0x7fffffff2c50 --> 0x651ff8 ('.' <repeats 39 times>)
0056| 0x7fffffff2c58 --> 0x644880 --> 0x7ffffbad2488
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff778c165 in Exiv2::IptcData::printStructure (out=..., bytes=0x652e90 "I*", size=0xf4, depth=0x5f) at iptc.cpp:357
357                     while ( bytes[i] == 0x1c && i < size-3 ) {
gdb-peda$ bt
#0  0x00007ffff778c165 in Exiv2::IptcData::printStructure (out=..., bytes=0x652e90 "I*", size=0xf4, depth=0x5f) at iptc.cpp:357
#1  0x00007ffff7782379 in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x5e) at image.cpp:470
#2  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x5d) at image.cpp:455
#3  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x5c) at image.cpp:455
#4  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x5b) at image.cpp:455
#5  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x5a) at image.cpp:455
#6  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x59) at image.cpp:455
#7  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x58) at image.cpp:455
#8  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x57) at image.cpp:455
#9  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x56) at image.cpp:455
#10 0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x55) at image.cpp:455
#11 0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x54) at image.cpp:455
#12 0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ac0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x53) at image.cpp:455

===========
the other one : 

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x662000 ('')
RBX: 0x3
RCX: 0x2
RDX: 0x14ff0
RSI: 0x64d010 --> 0x7ffff7082a49 (MemError)
RDI: 0x7fffffffe050 --> 0x7ffff7592e38 --> 0x7ffff735afb0 (<_ZNSt14basic_ofstreamIcSt11char_traitsIcEED1Ev>:    mov    rax,QWORD PTR [rip+0x238d01]        # 0x7ffff7593cb8)
RBP: 0x7fffffffd960 --> 0x7fffffffdb40 --> 0x7fffffffdd20 --> 0x7fffffffdf00 --> 0x7fffffffdf80 --> 0x7fffffffdfe0 (--> ...)
RSP: 0x7fffffffd8a0 --> 0x2f7fe2780
RIP: 0x7ffff778bf41 (<Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+111>:   movzx  eax,BYTE PTR [rax])
R8 : 0x644950 --> 0x0
R9 : 0x64d010 --> 0x7ffff7082a49 (MemError)
R10: 0x5e ('^')
R11: 0x246
R12: 0x7ffff78a2ac5 --> 0x4853004949435341 ('ASCII')
R13: 0x7fffffffe490 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff778bf31 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+95>:       mov    edx,DWORD PTR [rbp-0x94]
   0x7ffff778bf37 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+101>:      mov    rax,QWORD PTR [rbp-0xb0]
   0x7ffff778bf3e <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+108>:      add    rax,rdx
=> 0x7ffff778bf41 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+111>:      movzx  eax,BYTE PTR [rax]
   0x7ffff778bf44 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+114>:      cmp    al,0x1c
   0x7ffff778bf46 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+116>:      jne    0x7ffff778bf14 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+66>
   0x7ffff778bf48 <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+118>:      add    DWORD PTR [rbp-0xbc],0x1
   0x7ffff778bf4f <Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)+125>:      mov    edx,DWORD PTR [rbp-0xbc]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd8a0 --> 0x2f7fe2780
0008| 0x7fffffffd8a8 --> 0x2
0016| 0x7fffffffd8b0 --> 0x64d010 --> 0x7ffff7082a49 (MemError)
0024| 0x7fffffffd8b8 --> 0x7fffffffe050 --> 0x7ffff7592e38 --> 0x7ffff735afb0 (<_ZNSt14basic_ofstreamIcSt11char_traitsIcEED1Ev>:        mov    rax,QWORD PTR [rip+0x238d01]        # 0x7ffff7593cb8)
0032| 0x7fffffffd8c0 --> 0x0
0040| 0x7fffffffd8c8 --> 0x14ff0f6d39947
0048| 0x7fffffffd8d0 --> 0xd47b0c2
0056| 0x7fffffffd8d8 --> 0x644870 --> 0x7ffffbad2488
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff778bf41 in Exiv2::IptcData::printStructure (out=..., bytes=0x64d010 "I*\b\367\377\177", size=0x2, depth=0x2) at iptc.cpp:354
354                     while  ( i < size-3 && bytes[i] != 0x1c ) i++;
gdb-peda$ p bytes
$1 = (const Exiv2::byte *) 0x64d010 "I*\b\367\377\177"
gdb-peda$ x /4w $rax
0x662000:       Cannot access memory at address 0x662000
gdb-peda$ bt
#0  0x00007ffff778bf41 in Exiv2::IptcData::printStructure (out=..., bytes=0x64d010 "I*\b\367\377\177", size=0x2, depth=0x2) at iptc.cpp:354
#1  0x00007ffff7782379 in Exiv2::Image::printIFDStructure (this=0x644ab0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x2) at image.cpp:470
#2  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ab0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x1) at image.cpp:455
#3  0x00007ffff778218c in Exiv2::Image::printIFDStructure (this=0x644ab0, io=..., out=..., option=Exiv2::kpsRecursive, start=0x8, bSwap=0x0, c=0x49, depth=0x0) at image.cpp:455
#4  0x00007ffff7782abc in Exiv2::Image::printTiffStructure (this=0x644ab0, io=..., out=..., option=Exiv2::kpsRecursive, depth=0xffffffff, offset=0x0) at image.cpp:533
#5  0x00007ffff781bc6d in Exiv2::TiffImage::printStructure (this=0x644ab0, out=..., option=Exiv2::kpsRecursive, depth=0x0) at tiffimage.cpp:344
#6  0x00007ffff781aec3 in Exiv2::TiffImage::readMetadata (this=0x644ab0) at tiffimage.cpp:187
#7  0x000000000041fba6 in Action::Print::printList (this=0x644830) at actions.cpp:537
#8  0x000000000041c76b in Action::Print::run (this=0x644830, path="./crashes-2018-03-23-21-09/exiv2000:id:000015,sig:11,src:000399,op:flip1,pos:26") at actions.cpp:243
#9  0x000000000040e267 in main (argc=0x3, argv=0x7fffffffe498) at exiv2.cpp:166
#10 0x00007ffff6ce9f45 in __libc_start_main (main=0x40dfae <main(int, char* const*)>, argc=0x3, argv=0x7fffffffe498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe488) at libc-start.c:287
#11 0x000000000040dee9 in _start ()

==================
the pocs please refer to :
https://github.com/xiaoqx/pocs/blob/master/exiv2/9-printStructure-outbound-read-1
https://github.com/xiaoqx/pocs/blob/master/exiv2/10-printStructure-outbound-read-2
@piponazo piponazo added the bug label May 27, 2018
@piponazo piponazo added this to TODO in v0.27 May 29, 2018
D4N added a commit that referenced this issue Sep 1, 2018
@D4N
Add reproducer for #263 to the test suite.
25071d6 
This fixes #263
D4N added a commit that referenced this issue Sep 1, 2018
@D4N
Add reproducer for #263 to the test suite.
a82c68e 
This fixes #263
D4N added a commit that referenced this issue Sep 1, 2018
@D4N
Add reproducer for #263 to the test suite.
09a7d89 
This fixes #263
piponazo pushed a commit that referenced this issue Sep 10, 2018
@D4N @piponazo
Add reproducer for #263 to the test suite.
c730327 
This fixes #263
D4N added a commit that referenced this issue Sep 10, 2018
@D4N
Add reproducer for #263 to the test suite.
ffa39aa 
This fixes #263
@a17r
Copy link
Contributor

a17r commented Sep 21, 2018

Is this the same as CVE-2017-17724?

D4N added a commit to D4N/exiv2 that referenced this issue Oct 11, 2018
@D4N
[testsuite] Add reproducers for Exiv2#263
0fca78e 
This issue got resolved by Exiv2#180 and Exiv2#461.
@D4N D4N mentioned this issue Oct 11, 2018
Merged
@D4N D4N moved this from TODO to In Progress in v0.27 Oct 11, 2018
D4N added a commit to D4N/exiv2 that referenced this issue Oct 11, 2018
@D4N
[testsuite] Add reproducers for Exiv2#263
f6d775b 
This issue got resolved by Exiv2#180 and Exiv2#461.
@D4N D4N closed this as completed in #479 Oct 12, 2018
D4N added a commit that referenced this issue Oct 12, 2018
@D4N
Merge pull request #479 from D4N/add_reproducers
d68f42a 
Add reproducers for #159, #216 and #263
@D4N D4N moved this from In Progress to Done in v0.27 Oct 12, 2018
@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
No open projects
v0.27
  
Done
Milestone
v0.27
Development

Successfully merging a pull request may close this issue.

Add reproducers for #159, #216 and #263 D4N/exiv2
4 participants
@piponazo @clanmills @a17r @xiaoqx