
AddressSanitizer: heap-buffer-overflow at iptc.cpp:464 #427

Closed
HongxuChen opened this Issue Sep 1, 2018 · 9 comments

HongxuChen commented Sep 1, 2018

When running exiv2 $FILE (5940c6f) against psd files, ASAN reports a heap-buffer-overflow error.

POCs:
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_iptc.cpp:464_1.psd?raw=true
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_iptc.cpp:464_2.psd?raw=true

ASAN output:

=================================================================
==16384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x7ffa566b54a2 bp 0x7ffec76dfe10 sp 0x7ffec76dfe08
READ of size 1 at 0x611000000140 thread T0
    #0 0x7ffa566b54a1 in Exiv2::IptcParser::decode(Exiv2::IptcData&, unsigned char const*, unsigned int) /home/hongxu/FOT/exiv2/src/iptc.cpp:464:33
    #1 0x7ffa567442d3 in Exiv2::PsdImage::readResourceBlock(unsigned short, unsigned int) /home/hongxu/FOT/exiv2/src/psdimage.cpp:246:21
    #2 0x7ffa56743675 in Exiv2::PsdImage::readMetadata() /home/hongxu/FOT/exiv2/src/psdimage.cpp:229:13
    #3 0x55b70c in Action::Print::printSummary() /home/hongxu/FOT/exiv2/src/actions.cpp:288:16
    #4 0x55a19a in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/hongxu/FOT/exiv2/src/actions.cpp:248:48
    #5 0x532dcb in main /home/hongxu/FOT/exiv2/src/exiv2.cpp:166:29
    #6 0x7ffa54cb7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x435ac9 in _start (/home/hongxu/FOT/exiv2/install/bin/exiv2+0x435ac9)

0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
    #0 0x52e0f0 in operator new[](unsigned long) (/home/hongxu/FOT/exiv2/install/bin/exiv2+0x52e0f0)
    #1 0x58c8df in Exiv2::DataBuf::DataBuf(long) /home/hongxu/FOT/exiv2/include/exiv2/types.hpp:215:46
    #2 0x7ffa56743f58 in Exiv2::PsdImage::readResourceBlock(unsigned short, unsigned int) /home/hongxu/FOT/exiv2/src/psdimage.cpp:243:25
    #3 0x7ffa56743675 in Exiv2::PsdImage::readMetadata() /home/hongxu/FOT/exiv2/src/psdimage.cpp:229:13
    #4 0x55b70c in Action::Print::printSummary() /home/hongxu/FOT/exiv2/src/actions.cpp:288:16
    #5 0x55a19a in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/hongxu/FOT/exiv2/src/actions.cpp:248:48
    #6 0x532dcb in main /home/hongxu/FOT/exiv2/src/exiv2.cpp:166:29
    #7 0x7ffa54cb7b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/exiv2/src/iptc.cpp:464:33 in Exiv2::IptcParser::decode(Exiv2::IptcData&, unsigned char const*, unsigned int)
Shadow bytes around the buggy address:
  0x0c227fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8020: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c227fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16384==ABORTING
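The trace above shows a one-byte read landing exactly at the end of the 256-byte DataBuf that readResourceBlock hands to IptcParser::decode. As an added illustration (not exiv2's code, and not a claim about which field the real parser mis-read), here is a bounds-checked walker over IPTC IIM records, assuming the standard layout of marker byte 0x1C, record number, dataset number and a 16-bit big-endian length, where every read is preceded by a check that the bytes exist:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct IptcRecord {
    uint8_t record;
    uint8_t dataset;
    std::vector<uint8_t> data;
};

// Decodes IIM records from p[0..size). Returns the number of records, or -1
// if the buffer is truncated or malformed. The header is only read after
// confirming all 5 header bytes are inside the buffer, and the payload only
// after confirming its length fits, so a buffer that ends right where a
// header begins is rejected instead of read one byte past its end.
int decodeIptc(const uint8_t* p, size_t size, std::vector<IptcRecord>& out) {
    size_t pos = 0;
    while (pos < size) {
        if (p[pos] != 0x1C) return -1;     // pos < size, so this read is in range
        if (size - pos < 5) return -1;     // marker, record, dataset, 2-byte size
        uint8_t rec = p[pos + 1];
        uint8_t ds = p[pos + 2];
        uint16_t len = (uint16_t)((p[pos + 3] << 8) | p[pos + 4]);
        if (len & 0x8000) return -1;       // extended-length form not handled here
        pos += 5;
        if (len > size - pos) return -1;   // payload would run past the buffer
        out.push_back({rec, ds, std::vector<uint8_t>(p + pos, p + pos + len)});
        pos += len;
    }
    return (int)out.size();
}

// Constructed inputs (not taken from the PoC files): one well-formed record,
// the same record followed by a header cut off after two bytes, and a record
// whose declared length exceeds the bytes that follow it.
static const std::vector<uint8_t> kGood = {0x1C, 0x02, 0x05, 0x00, 0x03, 'a', 'b', 'c'};
static const std::vector<uint8_t> kTruncated = {0x1C, 0x02, 0x05, 0x00, 0x03, 'a', 'b', 'c', 0x1C, 0x02};
static const std::vector<uint8_t> kOverlong = {0x1C, 0x02, 0x05, 0x00, 0x10, 'a'};

int decodeCount(const std::vector<uint8_t>& buf) {
    std::vector<IptcRecord> recs;
    return decodeIptc(buf.data(), buf.size(), recs);
}
```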

@piponazo piponazo self-assigned this Sep 3, 2018

@piponazo piponazo added the bug label Sep 3, 2018

@piponazo piponazo removed their assignment Sep 3, 2018

Collaborator

piponazo commented Sep 3, 2018

I could easily reproduce the issue but it does not seem trivial to fix. The problem seems to be in the IptcParser::decode method.

@clanmills clanmills self-assigned this Sep 3, 2018

Collaborator

clanmills commented Sep 3, 2018

Thanks for looking into this @piponazo. I've also assigned myself to this. It's unlikely that we will resolve this for v0.27 RC1.

Collaborator

piponazo commented Nov 6, 2018

This issue was fixed by #518

@piponazo piponazo closed this Nov 6, 2018

@piponazo piponazo moved this from TODO to In Progress in v0.27 Nov 6, 2018

@piponazo piponazo assigned piponazo and unassigned clanmills Nov 6, 2018

@piponazo piponazo moved this from In Progress to Done in v0.27 Nov 6, 2018

HongxuChen commented Nov 7, 2018

@piponazo Do you mind us requesting CVEs?

Collaborator

piponazo commented Nov 7, 2018

@HongxuChen what do you mean exactly? I am not familiar with how CVEs work, but I am happy with the reports you are sending about vulnerabilities in Exiv2. We will try to fix all the possible vulnerabilities that are reported.

HongxuChen commented Nov 7, 2018

@piponazo I mean requesting a CVE id for a vulnerability. Usually it is requested by a developer, a reporter, or someone else, given that the vulnerability can be confirmed.

Collaborator

piponazo commented Nov 7, 2018

For me it is totally fine, as long as it does not increase my workload 😉. We will analyse the issues reported to our github project, whether they have an assigned CVE or not.

HongxuChen commented Nov 7, 2018

@piponazo Thanks, we will post CVE ID if accepted 😃

@clanmills clanmills added this to the v0.27 milestone Nov 7, 2018

HongxuChen commented Nov 8, 2018

This got assigned CVE-2018-19107 (the root cause is the same as CVE-2018-19108, but they are two vulnerabilities).
