Description
Tested on Ubuntu 16.04 (64-bit) with Exiv2 master at commit 37b8725. Running the following command on the attached proof-of-concept file crashes exiv2:
$ exiv2 $POC
https://github.com/Marsman1996/pocs/blob/master/exiv2/CVE-2018-17282/poc8-DataValue%20copy
gdb info (both `Exifdatum::copy` and `DataValue::copy` are reached with `buf=0x0`, so the fault is a write through a null destination pointer inside `std::copy`):
Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:164
164 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
(gdb) bt
#0 __memmove_avx_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:164
#1 0x00007ffff797d3e0 in std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char> (
__first=0x65c0c0 <incomplete sequence \350>, __last=0x65c0c1 "",
__result=0x0) at /usr/include/c++/5/bits/stl_algobase.h:384
#2 0x00007ffff799f6a7 in std::__copy_move_a<false, unsigned char const*, unsigned char*> (__first=0x65c0c0 <incomplete sequence \350>, __last=0x65c0c1 "",
__result=0x0) at /usr/include/c++/5/bits/stl_algobase.h:402
#3 0x00007ffff79bef6c in std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*> (__first=232 '\350', __last=0 '\000', __result=0x0)
at /usr/include/c++/5/bits/stl_algobase.h:440
#4 0x00007ffff79be1b1 in std::copy<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*> (__first=232 '\350', __last=0 '\000', __result=0x0)
at /usr/include/c++/5/bits/stl_algobase.h:472
#5 0x00007ffff79b867e in Exiv2::DataValue::copy (this=0x65c090, buf=0x0)
at /home/marsman/Desktop/crashana/exiv2/exiv2/src/value.cpp:242
#6 0x00007ffff795c798 in Exiv2::Exifdatum::copy (this=0x65bfc0, buf=0x0,
byteOrder=Exiv2::littleEndian)
at /home/marsman/Desktop/crashana/exiv2/exiv2/src/exif.cpp:357
#7 0x00007ffff79b3824 in Exiv2::TiffImage::readMetadata (this=0x659a50)
at /home/marsman/Desktop/crashana/exiv2/exiv2/src/tiffimage.cpp:195
#8 0x0000000000422097 in Action::Print::printSummary (this=0x65acb0)
at /home/marsman/Desktop/crashana/exiv2/exiv2/src/actions.cpp:286
#9 0x0000000000421d7d in Action::Print::run (this=0x65acb0,
path="../../poc8-DataValue::copy")
at /home/marsman/Desktop/crashana/exiv2/exiv2/src/actions.cpp:246
#10 0x0000000000412bc3 in main (argc=2, argv=0x7fffffffddc8)
at /home/marsman/Desktop/crashana/exiv2/exiv2/src/exiv2.cpp:167
AddressSanitizer (ASan) info (SEGV on address 0x0, consistent with the null `buf` seen in the gdb backtrace):
==130778==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f113fb20934 bp 0x7ffdf01f55d0 sp 0x7ffdf01f4d58 T0)
#0 0x7f113fb20933 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xaa933)
#1 0x7f113fb02e8d in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8ce8d)
#2 0x7f113f36b9b5 in unsigned char* std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/5/bits/stl_algobase.h:384
#3 0x7f113f3a54d6 in unsigned char* std::__copy_move_a<false, unsigned char const*, unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/5/bits/stl_algobase.h:402
#4 0x7f113f3dc03f in unsigned char* std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) (/home/marsman/Desktop/crashana/exiv2/exiv2/build_asan/lib/libexiv2.so.0+0x31503f)
#5 0x7f113f3daa6d in unsigned char* std::copy<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) (/home/marsman/Desktop/crashana/exiv2/exiv2/build_asan/lib/libexiv2.so.0+0x313a6d)
#6 0x7f113f3d02f7 in Exiv2::DataValue::copy(unsigned char*, Exiv2::ByteOrder) const /home/marsman/Desktop/crashana/exiv2/exiv2/src/value.cpp:242
#7 0x7f113f335c0a in Exiv2::Exifdatum::copy(unsigned char*, Exiv2::ByteOrder) const /home/marsman/Desktop/crashana/exiv2/exiv2/src/exif.cpp:357
#8 0x7f113f3c662a in Exiv2::TiffImage::readMetadata() /home/marsman/Desktop/crashana/exiv2/exiv2/src/tiffimage.cpp:195
#9 0x42b5bd in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2/src/actions.cpp:286
#10 0x42ae35 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2/src/actions.cpp:246
#11 0x413757 in main /home/marsman/Desktop/crashana/exiv2/exiv2/src/exiv2.cpp:167
#12 0x7f113e78582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x413168 in _start (/home/marsman/Desktop/crashana/exiv2/exiv2/build_asan/bin/exiv2+0x413168)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==130778==ABORTING
Additional note: this bug was found with mem-AFL, a fuzzer based on AFL. Mem-AFL is developed by Yanhao (unfuzzable123@gmail.com) and Marsman1996 (lqliuyuwei@outlook.com).