Closed
Description
The following bugs were found with mem-AFL, which is based on AFL. Mem-AFL is developed by Yanhao (unfuzzable123@gmail.com) & Marsman1996 (lqliuyuwei@outlook.com).
Both were tested on Ubuntu 16.04, 64-bit, Exiv2 (master ce516ed && v0.26).
$ exiv2 $POC
POC1
https://github.com/Marsman1996/pocs/blob/master/exiv2/CVE-2018-16336/poc1-heapoverflow
./bin/exiv2 ../../poc1-heapoverflow
=================================================================
==27206==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef31 at pc 0x7feaa8b0e155 bp 0x7ffdafb8d0c0 sp 0x7ffdafb8d0b0
READ of size 1 at 0x60200000ef31 thread T0
#0 0x7feaa8b0e154 in Exiv2::Internal::PngChunk::parseTXTChunk(Exiv2::DataBuf const&, int, Exiv2::Internal::PngChunk::TxtChunkType) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngchunk_int.cpp:140
#1 0x7feaa8b0d9e7 in Exiv2::Internal::PngChunk::decodeTXTChunk(Exiv2::Image*, Exiv2::DataBuf const&, Exiv2::Internal::PngChunk::TxtChunkType) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngchunk_int.cpp:83
#2 0x7feaa8a4ddc1 in Exiv2::PngImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngimage.cpp:488
#3 0x43a4b7 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/actions.cpp:291
#4 0x439d2f in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/actions.cpp:251
#5 0x422407 in main /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/exiv2.cpp:166
#6 0x7feaa7cea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x421e18 in _start (/home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/build_asan/bin/exiv2+0x421e18)
0x60200000ef31 is located 0 bytes to the right of 1-byte region [0x60200000ef30,0x60200000ef31)
allocated by thread T0 here:
#0 0x7feaa914a6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x453bb9 in Exiv2::DataBuf::DataBuf(long) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/include/exiv2/types.hpp:214
#2 0x7feaa8a4db3a in Exiv2::PngImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngimage.cpp:450
#3 0x43a4b7 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/actions.cpp:291
#4 0x439d2f in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/actions.cpp:251
#5 0x422407 in main /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/exiv2.cpp:166
#6 0x7feaa7cea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngchunk_int.cpp:140 Exiv2::Internal::PngChunk::parseTXTChunk(Exiv2::DataBuf const&, int, Exiv2::Internal::PngChunk::TxtChunkType)
Shadow bytes around the buggy address:
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa[01]fa fa fa fd fd fa fa 00 fa
0x0c047fff9df0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fd
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==27206==ABORTING
POC2
https://github.com/Marsman1996/pocs/blob/master/exiv2/CVE-2018-16336/poc2-heapoverflow
./bin/exiv2 ../../poc2-heapoverflow
=================================================================
==27229==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef5e at pc 0x7f109485cf94 bp 0x7ffded4341f0 sp 0x7ffded4341e0
READ of size 1 at 0x60200000ef5e thread T0
#0 0x7f109485cf93 in bool __gnu_cxx::__ops::_Iter_equals_val<char const>::operator()<unsigned char*>(unsigned char*) /usr/include/c++/5/bits/predefined_ops.h:194
#1 0x7f109485cebd in std::iterator_traits<unsigned char*>::difference_type std::__count_if<unsigned char*, __gnu_cxx::__ops::_Iter_equals_val<char const> >(unsigned char*, unsigned char*, __gnu_cxx::__ops::_Iter_equals_val<char const>) /usr/include/c++/5/bits/stl_algo.h:3193
#2 0x7f109485cd63 in std::iterator_traits<unsigned char*>::difference_type std::count<unsigned char*, char>(unsigned char*, unsigned char*, char const&) /usr/include/c++/5/bits/stl_algo.h:3968
#3 0x7f10948583ef in Exiv2::Internal::PngChunk::parseTXTChunk(Exiv2::DataBuf const&, int, Exiv2::Internal::PngChunk::TxtChunkType) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngchunk_int.cpp:167
#4 0x7f10948579e7 in Exiv2::Internal::PngChunk::decodeTXTChunk(Exiv2::Image*, Exiv2::DataBuf const&, Exiv2::Internal::PngChunk::TxtChunkType) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngchunk_int.cpp:83
#5 0x7f1094797e07 in Exiv2::PngImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngimage.cpp:495
#6 0x43a4b7 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/actions.cpp:291
#7 0x439d2f in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/actions.cpp:251
#8 0x422407 in main /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/exiv2.cpp:166
#9 0x7f1093a3482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x421e18 in _start (/home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/build_asan/bin/exiv2+0x421e18)
0x60200000ef5e is located 1 bytes to the right of 13-byte region [0x60200000ef50,0x60200000ef5d)
allocated by thread T0 here:
#0 0x7f1094e946b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x453bb9 in Exiv2::DataBuf::DataBuf(long) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/include/exiv2/types.hpp:214
#2 0x7f1094797b3a in Exiv2::PngImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/pngimage.cpp:450
#3 0x43a4b7 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/actions.cpp:291
#4 0x439d2f in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/actions.cpp:251
#5 0x422407 in main /home/marsman/Desktop/crashana/exiv2/exiv2-ce516eddefbebd31749b361a540832f41f9fe5d0/src/exiv2.cpp:166
#6 0x7f1093a3482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/c++/5/bits/predefined_ops.h:194 bool __gnu_cxx::__ops::_Iter_equals_val<char const>::operator()<unsigned char*>(unsigned char*)
Shadow bytes around the buggy address:
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa 00 03 fa fa 00[05]fa fa 00 fa
0x0c047fff9df0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fd
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==27229==ABORTING
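Both reports above are reads past the end of the DataBuf that holds a PNG text chunk body (a 1-byte region for POC1, a 13-byte region for POC2), inside Exiv2::Internal::PngChunk::parseTXTChunk. As an added example, not code from Exiv2 or from the reporter, the C below shows how a tEXt body (keyword, NUL, text) can be parsed with every read bounded by the chunk length, plus a minimal chunk walker that refuses chunks whose declared length overruns the file. The function names, the `txt_chunk` struct and the embedded sample PNG bytes are constructed for this illustration; CRCs are not validated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing one tEXt chunk body. */
enum txt_status { TXT_OK = 0, TXT_NO_NUL = -1, TXT_BAD_KEYWORD = -2 };

struct txt_chunk {
    const uint8_t *keyword;  /* points into the chunk body, not NUL-terminated */
    size_t keyword_len;      /* PNG spec: 1..79 bytes */
    const uint8_t *text;     /* may be empty */
    size_t text_len;
};

/* Parse a tEXt body of exactly `len` bytes. The keyword ends at the first NUL.
 * memchr() is bounded by `len`, so a body with no NUL at all (the shape of the
 * 1-byte region in POC1) is rejected instead of being scanned past its end. */
static enum txt_status parse_text_chunk(const uint8_t *data, size_t len,
                                        struct txt_chunk *out)
{
    const uint8_t *nul = memchr(data, 0, len);
    if (nul == NULL)
        return TXT_NO_NUL;
    size_t klen = (size_t)(nul - data);
    if (klen == 0 || klen > 79)
        return TXT_BAD_KEYWORD;
    out->keyword = data;
    out->keyword_len = klen;
    out->text = nul + 1;
    out->text_len = len - klen - 1;   /* klen + 1 <= len, so no underflow */
    return TXT_OK;
}

/* Walk PNG chunks (8-byte signature, then length BE32 / type / data / crc).
 * Records the parse status of each tEXt chunk in `st` (up to `max`) and
 * returns how many tEXt chunks were seen, or -1 if the signature is wrong or a
 * chunk's declared length does not fit in the remaining bytes. */
static int walk_png(const uint8_t *png, size_t len, enum txt_status *st, int max)
{
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    if (len < 8 || memcmp(png, sig, 8) != 0)
        return -1;
    size_t pos = 8;
    int ntext = 0;
    while (pos + 12 <= len) {                 /* length + type + crc at least */
        uint32_t clen = ((uint32_t)png[pos] << 24) | ((uint32_t)png[pos + 1] << 16)
                      | ((uint32_t)png[pos + 2] << 8) | png[pos + 3];
        if (clen > len - pos - 12)            /* declared length overruns file */
            return -1;
        const uint8_t *type = png + pos + 4;
        const uint8_t *body = png + pos + 8;
        if (memcmp(type, "tEXt", 4) == 0) {
            struct txt_chunk tc;
            enum txt_status s = parse_text_chunk(body, clen, &tc);
            if (ntext < max)
                st[ntext] = s;
            ntext++;
        }
        if (memcmp(type, "IEND", 4) == 0)
            break;
        pos += 12 + clen;
    }
    return ntext;
}

/* Constructed sample: a valid tEXt ("Comment" NUL "hi"), then a tEXt whose
 * body is one non-NUL byte (no terminator), then IEND. CRC fields are zero. */
static const uint8_t SAMPLE_PNG[] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 10, 't', 'E', 'X', 't', 'C', 'o', 'm', 'm', 'e', 'n', 't', 0, 'h', 'i', 0, 0, 0, 0,
    0, 0, 0, 1,  't', 'E', 'X', 't', 'A', 0, 0, 0, 0,
    0, 0, 0, 0,  'I', 'E', 'N', 'D', 0, 0, 0, 0,
};

/* Constructed sample: a chunk header claiming 100 bytes in a 20-byte file. */
static const uint8_t TRUNCATED_PNG[] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 100, 't', 'E', 'X', 't', 0, 0, 0, 0,
};

int main(void)
{
    enum txt_status st[4];
    int n = walk_png(SAMPLE_PNG, sizeof SAMPLE_PNG, st, 4);
    printf("sample: %d tEXt chunks, statuses: %d %d\n", n, st[0], st[1]);
    printf("truncated: %d\n", walk_png(TRUNCATED_PNG, sizeof TRUNCATED_PNG, st, 4));
    return 0;
}
```

The check that matters for these two crashes is the one in parse_text_chunk: the keyword scan must stop at the chunk length, not at the first NUL it happens to find in whatever memory follows the buffer. The length check in walk_png is the companion guard for the earlier step, so that the DataBuf sized from a chunk header can never be smaller than what the chunk parser is later told to read.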