CVE-2018-11531: heap buffer overflow in preview.cpp #283

Closed
fgeek opened this Issue Apr 22, 2018 · 4 comments

fgeek (Collaborator) commented Apr 22, 2018

<snip>
Error: Offset of directory PanasonicRaw, entry 0x0148 is out of bounds: Offset = 0x00000000; truncating the entry
=================================================================
==12668==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000dfeb at pc 0x7f8e53eb8d7b bp 0x7ffc8f1625b0 sp 0x7ffc8f161d60
WRITE of size 151 at 0x61300000dfeb thread T0
    #0 0x7f8e53eb8d7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x7f8e53089ce3 in getData /home/afl/src/exiv2/src/preview.cpp:811
    #2 0x7f8e5307a65b in Exiv2::PreviewManager::getPreviewProperties() const /home/afl/src/exiv2/src/preview.cpp:1143
    #3 0x7f8e53104dac in Exiv2::Rw2Image::readMetadata() /home/afl/src/exiv2/src/rw2image.cpp:141
    #4 0x55da4bd2e156 in Action::Print::printSummary() /home/afl/src/exiv2/src/actions.cpp:296
    #5 0x55da4bd32267 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/afl/src/exiv2/src/actions.cpp:242
    #6 0x55da4bcc927b in main /home/afl/src/exiv2/src/exiv2.cpp:166
    #7 0x7f8e51f502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x55da4bcca019 in _start (/home/afl/builds/exiv2/c80b1b9d51689692bc865f1a1d16bf7fd2a532c4/bin/exiv2+0x13019)

0x61300000dfeb is located 0 bytes to the right of 363-byte region [0x61300000de80,0x61300000dfeb)
allocated by thread T0 here:
    #0 0x7f8e53f1ed70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x7f8e53089a36 in Exiv2::DataBuf::DataBuf(long) ../include/exiv2/types.hpp:206
    #2 0x7f8e53089a36 in getData /home/afl/src/exiv2/src/preview.cpp:805
    #3 0x7f8e5307a65b in Exiv2::PreviewManager::getPreviewProperties() const /home/afl/src/exiv2/src/preview.cpp:1143
    #4 0x7f8e53104dac in Exiv2::Rw2Image::readMetadata() /home/afl/src/exiv2/src/rw2image.cpp:141
    #5 0x55da4bd2e156 in Action::Print::printSummary() /home/afl/src/exiv2/src/actions.cpp:296
    #6 0x55da4bd32267 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/afl/src/exiv2/src/actions.cpp:242
    #7 0x55da4bcc927b in main /home/afl/src/exiv2/src/exiv2.cpp:166
    #8 0x7f8e51f502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
Shadow bytes around the buggy address:
  0x0c267fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12668==ABORTING

Reproducer: exiv2-heap-buffer-overflow-getdata
SHA1: 6c5cfef92f3213cff13e8ddfc737139f686b3370
Tools: afl 2.52b, afl-utils
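The report above says a 151-byte write began 0 bytes past the end of a 363-byte `DataBuf` allocated a few lines earlier in `getData`, i.e. the copy loop had exactly filled the buffer and then kept going. The following is an added illustration of that bug class, written for this page; it is not exiv2's code, not the change in PR #327, and the `Strip`, `FileImage`, `assembleUnchecked` and `assembleChecked` names and the sample file are all hypothetical. It rebuilds a preview by copying directory-described strips into a buffer whose size comes from a separate untrusted field, once without a destination check and once with it:

```cpp
// Added example, not exiv2 code: the bug class behind an ASan report of a
// heap write starting exactly at the end of a freshly allocated buffer.
// Hypothetical strip-assembly routine: a preview is rebuilt by copying
// strips (offset, byteCount pairs from the directory) into one buffer whose
// size was taken from a separate, equally untrusted field.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct Strip {            // hypothetical: one StripOffsets/StripByteCounts pair
    uint32_t offset;
    uint32_t byteCount;
};

struct FileImage {        // hypothetical in-memory copy of the input file
    std::vector<uint8_t> bytes;
};

// Constructed sample input (not a real RW2 file): 1024 bytes of a counter.
FileImage makeSampleFile()
{
    FileImage f;
    f.bytes.resize(1024);
    for (size_t i = 0; i < f.bytes.size(); ++i) f.bytes[i] = static_cast<uint8_t>(i);
    return f;
}

// VULNERABLE (kept only for comparison, never call it on untrusted input):
// the source range is checked against the file, but the destination index
// is never checked against previewSize. With strips summing to more than
// previewSize the last memcpy writes past the end of `out`: for a 363-byte
// buffer and strips of 200+163+151 bytes, the third copy is a 151-byte
// write starting 0 bytes past the end of the region, the same shape as the
// ASan report above.
std::vector<uint8_t> assembleUnchecked(const FileImage& f,
                                       const std::vector<Strip>& strips,
                                       size_t previewSize)
{
    std::vector<uint8_t> out(previewSize);
    size_t idx = 0;
    for (const Strip& s : strips) {
        // Second flaw: offset + byteCount is a 32-bit add and can wrap.
        if (s.offset + s.byteCount > f.bytes.size()) continue;
        std::memcpy(out.data() + idx, f.bytes.data() + s.offset, s.byteCount);
        idx += s.byteCount;
    }
    return out;
}

// HARDENED: every copy is validated against both the source (file) and the
// destination (preview buffer) using subtraction, so no wrap-around can
// pass the check. A corrupt directory makes the call fail instead of
// steering a write; `out` is left empty on failure.
bool assembleChecked(const FileImage& f, const std::vector<Strip>& strips,
                     size_t previewSize, std::vector<uint8_t>& out)
{
    out.clear();
    std::vector<uint8_t> buf(previewSize);
    size_t idx = 0;
    for (const Strip& s : strips) {
        if (s.offset > f.bytes.size() ||
            s.byteCount > f.bytes.size() - s.offset)
            return false;                        // strip outside the file
        if (s.byteCount > previewSize - idx)
            return false;                        // strip would overrun the buffer
        std::memcpy(buf.data() + idx, f.bytes.data() + s.offset, s.byteCount);
        idx += s.byteCount;
    }
    buf.resize(idx);          // shorter than declared is tolerated, longer is not
    out.swap(buf);
    return true;
}

int main()
{
    FileImage f = makeSampleFile();
    // Constructed directory: byte counts total 514, but the declared preview
    // size is only 363 (the numbers from the report above).
    std::vector<Strip> strips = {{0, 200}, {200, 163}, {363, 151}};
    std::vector<uint8_t> out;
    bool ok = assembleChecked(f, strips, 363, out);
    std::printf("declared 363: %s\n", ok ? "assembled" : "rejected");
    ok = assembleChecked(f, strips, 514, out);
    std::printf("declared 514: %s, %zu bytes\n", ok ? "assembled" : "rejected", out.size());
    return 0;
}
```

Building this with `-fsanitize=address` and calling `assembleUnchecked` on the same 363/514 input reproduces a "heap-buffer-overflow ... WRITE of size 151 ... 0 bytes to the right of 363-byte region" report, which is the quickest way to confirm a fix addresses the destination check and not only the source check.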

@piponazo piponazo self-assigned this May 25, 2018

piponazo referenced this issue May 25, 2018: Fix issue #283 #327 (merged)

piponazo (Collaborator) commented May 26, 2018

This issue should be fixed now @fgeek . Thanks for reporting!

abergmann commented May 29, 2018

CVE-2018-11531 was assigned to this issue.

@fgeek fgeek changed the title from heap buffer overflow in preview.cpp to CVE-2018-11531: heap buffer overflow in preview.cpp May 29, 2018

fgeek (Collaborator) commented Jun 2, 2018

@piponazo Thank you. I can continue fuzzing after the other open bug reports have been closed (printStructure etc.).

piponazo (Collaborator) commented Jun 3, 2018

That would be ideal! In the next weeks we want to finish porting the test suite from the old bash system to the new python one, and at that moment we will fix the problems with printStructure, which is our main source of bugs.

We'll keep you informed ;)

D4N added a commit to D4N/exiv2 that referenced this issue Jun 4, 2018

D4N added a commit to D4N/exiv2 that referenced this issue Jun 4, 2018

D4N added a commit that referenced this issue Jun 6, 2018

[testsuite] Fix name of regression test #283
issue got a CVE assigned

@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018
