CVE-2018-17282: SEGV in Exiv2::DataValue::copy at value.cpp:242 #457

Closed
Marsman1996 opened this issue Sep 20, 2018 · 1 comment
Marsman1996 commented Sep 20, 2018

Tested on Ubuntu 16.04, 64-bit, Exiv2 (master 37b8725)
$ exiv2 $POC

https://github.com/Marsman1996/pocs/blob/master/exiv2/CVE-2018-17282/poc8-DataValue%20copy

gdb info:

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:164
164	../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
(gdb) bt
#0  __memmove_avx_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:164
#1  0x00007ffff797d3e0 in std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char> (
    __first=0x65c0c0 <incomplete sequence \350>, __last=0x65c0c1 "", 
    __result=0x0) at /usr/include/c++/5/bits/stl_algobase.h:384
#2  0x00007ffff799f6a7 in std::__copy_move_a<false, unsigned char const*, unsigned char*> (__first=0x65c0c0 <incomplete sequence \350>, __last=0x65c0c1 "", 
    __result=0x0) at /usr/include/c++/5/bits/stl_algobase.h:402
#3  0x00007ffff79bef6c in std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*> (__first=232 '\350', __last=0 '\000', __result=0x0)
    at /usr/include/c++/5/bits/stl_algobase.h:440
#4  0x00007ffff79be1b1 in std::copy<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*> (__first=232 '\350', __last=0 '\000', __result=0x0)
    at /usr/include/c++/5/bits/stl_algobase.h:472
#5  0x00007ffff79b867e in Exiv2::DataValue::copy (this=0x65c090, buf=0x0)
    at /home/marsman/Desktop/crashana/exiv2/exiv2/src/value.cpp:242
#6  0x00007ffff795c798 in Exiv2::Exifdatum::copy (this=0x65bfc0, buf=0x0, 
    byteOrder=Exiv2::littleEndian)
    at /home/marsman/Desktop/crashana/exiv2/exiv2/src/exif.cpp:357
#7  0x00007ffff79b3824 in Exiv2::TiffImage::readMetadata (this=0x659a50)
    at /home/marsman/Desktop/crashana/exiv2/exiv2/src/tiffimage.cpp:195
#8  0x0000000000422097 in Action::Print::printSummary (this=0x65acb0)
    at /home/marsman/Desktop/crashana/exiv2/exiv2/src/actions.cpp:286
#9  0x0000000000421d7d in Action::Print::run (this=0x65acb0, 
    path="../../poc8-DataValue::copy")
    at /home/marsman/Desktop/crashana/exiv2/exiv2/src/actions.cpp:246
#10 0x0000000000412bc3 in main (argc=2, argv=0x7fffffffddc8)
    at /home/marsman/Desktop/crashana/exiv2/exiv2/src/exiv2.cpp:167

ASan info:

==130778==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f113fb20934 bp 0x7ffdf01f55d0 sp 0x7ffdf01f4d58 T0)
    #0 0x7f113fb20933  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xaa933)
    #1 0x7f113fb02e8d in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8ce8d)
    #2 0x7f113f36b9b5 in unsigned char* std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/5/bits/stl_algobase.h:384
    #3 0x7f113f3a54d6 in unsigned char* std::__copy_move_a<false, unsigned char const*, unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/5/bits/stl_algobase.h:402
    #4 0x7f113f3dc03f in unsigned char* std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) (/home/marsman/Desktop/crashana/exiv2/exiv2/build_asan/lib/libexiv2.so.0+0x31503f)
    #5 0x7f113f3daa6d in unsigned char* std::copy<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) (/home/marsman/Desktop/crashana/exiv2/exiv2/build_asan/lib/libexiv2.so.0+0x313a6d)
    #6 0x7f113f3d02f7 in Exiv2::DataValue::copy(unsigned char*, Exiv2::ByteOrder) const /home/marsman/Desktop/crashana/exiv2/exiv2/src/value.cpp:242
    #7 0x7f113f335c0a in Exiv2::Exifdatum::copy(unsigned char*, Exiv2::ByteOrder) const /home/marsman/Desktop/crashana/exiv2/exiv2/src/exif.cpp:357
    #8 0x7f113f3c662a in Exiv2::TiffImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2/src/tiffimage.cpp:195
    #9 0x42b5bd in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2/src/actions.cpp:286
    #10 0x42ae35 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2/src/actions.cpp:246
    #11 0x413757 in main /home/marsman/Desktop/crashana/exiv2/exiv2/src/exiv2.cpp:167
    #12 0x7f113e78582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x413168 in _start (/home/marsman/Desktop/crashana/exiv2/exiv2/build_asan/bin/exiv2+0x413168)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==130778==ABORTING

Addition: This bug was found with mem-AFL, which is based on AFL. Mem-AFL is developed by Yanhao (unfuzzable123@gmail.com) & Marsman1996 (lqliuyuwei@outlook.com).
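Both traces show the same thing: frame #5/#6 enters Exiv2::DataValue::copy with buf=0x0, that pointer reaches std::copy as __result=0x0, and memmove faults on the null address. The copy routine trusts that its caller supplied a writable destination and has no way to know its size. The following is an added example (not Exiv2's code, and the RawValue class, copyChecked and serialize names are assumptions for illustration) that puts the unchecked shape from the trace beside a hardened version where the destination arrives together with its capacity, so a null or short buffer is reported rather than written through:

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <utility>
#include <vector>

// Hypothetical stand-in for a tag value that owns raw bytes. It is modelled on
// the DataValue::copy shape visible in the backtrace above, but it is not
// Exiv2's class (assumption for this example).
class RawValue {
public:
    explicit RawValue(std::vector<uint8_t> bytes) : value_(std::move(bytes)) {}

    size_t size() const { return value_.size(); }

    // Unchecked copy: the contract is "buf has room", and nothing verifies it.
    // With buf == nullptr, std::copy forwards the null pointer to memmove,
    // which is the frame #0/#1 pair in the gdb and ASan traces. Kept only for
    // contrast; never call it with an unverified destination.
    long copyUnchecked(uint8_t* buf) const {
        return static_cast<long>(std::copy(value_.begin(), value_.end(), buf) - buf);
    }

    // Checked copy: the destination comes with its capacity, and a null or
    // too-small destination is reported (-1) instead of written through.
    long copyChecked(uint8_t* buf, size_t bufSize) const {
        if (buf == nullptr) return -1;            // the exact condition in the report
        if (bufSize < value_.size()) return -1;   // would overflow the destination
        if (!value_.empty()) std::memcpy(buf, value_.data(), value_.size());
        return static_cast<long>(value_.size());
    }

private:
    std::vector<uint8_t> value_;
};

// Caller-side pattern: size the destination from the value first, then copy
// with the limit attached, so the callee can never see a null or short buffer.
std::vector<uint8_t> serialize(const RawValue& v) {
    std::vector<uint8_t> out(v.size());
    if (out.empty()) return out;                  // nothing to write, nothing to point at
    long n = v.copyChecked(out.data(), out.size());
    if (n < 0) throw std::runtime_error("serialize: destination rejected");
    out.resize(static_cast<size_t>(n));
    return out;
}

// Constructed sample: the first byte 0xE8 is the '\350' shown at __first in the trace.
RawValue sampleValue() { return RawValue(std::vector<uint8_t>{0xE8, 0x01, 0x02}); }

int main() {
    RawValue v = sampleValue();

    // The checked copy refuses the report's condition instead of crashing.
    std::cout << "null destination  -> " << v.copyChecked(nullptr, 0) << '\n';       // -1

    uint8_t small[2];
    std::cout << "short destination -> " << v.copyChecked(small, sizeof small) << '\n'; // -1

    std::vector<uint8_t> bytes = serialize(v);
    std::cout << "serialized bytes  -> " << bytes.size() << '\n';                     // 3

    // v.copyUnchecked(nullptr) would reproduce the SEGV; deliberately not run.
    return 0;
}
```

The design point is that the size check cannot live in the copy routine unless the size is passed in; with the single-pointer signature seen in the trace, the only defence is at every caller, and the report shows one caller that did not provide a buffer at all. Building with AddressSanitizer, as the reporter did, turns such a miss into a clean abort with a trace rather than a silent fault.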

Marsman1996 changed the title from "SEGV in Exiv2::DataValue::copy at value.cpp:242" to "CVE-2018-17282: SEGV in Exiv2::DataValue::copy at value.cpp:242" on Sep 21, 2018

fgeek commented Sep 24, 2018

Crash reproduced. Thanks for reporting.
