
CVE-2018-19607: SEGV in Exiv2::isoSpeed at easyaccess.cpp:178 #561

Closed
Marsman1996 opened this issue Nov 23, 2018 · 4 comments

@Marsman1996

Marsman1996 commented Nov 23, 2018

Tested in ubuntu 16.04 64bit, exiv2 (master 3f2e0de && 0.27-RC2)
$ exiv2 $POC

POC file

gdb info:

Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
31	../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __strcmp_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
#1  0x00007ffff794b9ff in Exiv2::isoSpeed (ed=...)
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/easyaccess.cpp:178
#2  0x0000000000425aef in Action::Print::printTag (this=0x65dde0, 
    exifData=..., 
    easyAccessFct=0x412390 <Exiv2::isoSpeed(Exiv2::ExifData const&)@plt>, 
    label="ISO speed")
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:500
#3  0x0000000000424038 in Action::Print::printSummary (this=0x65dde0)
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:387
#4  0x0000000000422901 in Action::Print::run (this=0x65dde0, 
    path="/home/marsman/Desktop/poc9-isoSpeed")
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:246
#5  0x0000000000412e39 in main (argc=2, argv=0x7fffffffdda8)
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/exiv2.cpp:169

ASAN info:

==91500==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f186e2da05a bp 0x7fff4e8fe260 sp 0x7fff4e8fd9f0 T0)
    #0 0x7f186e2da059  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x47059)
    #1 0x7f186db38b0c in Exiv2::isoSpeed(Exiv2::ExifData const&) /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/easyaccess.cpp:178
    #2 0x42f9fd in Action::Print::printTag(Exiv2::ExifData const&, std::_List_const_iterator<Exiv2::Exifdatum> (*)(Exiv2::ExifData const&), std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:500
    #3 0x42d6c2 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:387
    #4 0x42b9db in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:246
    #5 0x4139a6 in main /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/exiv2.cpp:169
    #6 0x7f186cf9a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x413308 in _start (/home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/build_asan/bin/exiv2+0x413308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??

Addition: This bug was found with mem-AFL, which is based on AFL. Mem-AFL is developed by Yanhao (unfuzzable123@gmail.com) & Marsman1996 (lqliuyuwei@outlook.com).
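Crash reports like the ASan output above usually arrive in bulk from a fuzzer, so a first triage step is automated. The following Python script is an added example (not part of this issue, not Exiv2 code): it parses the report, classifies a SEGV at a near-zero address as a null-pointer dereference, and names the first frame inside the project's source tree. The embedded report text is excerpted from the issue; the `src_dir` convention and the one-page threshold are assumptions.

```python
import os
import re

# Excerpt of the AddressSanitizer report posted in the issue, embedded as
# sample input so the script runs offline (unsymbolised frames kept on purpose).
ASAN_REPORT = """\
==91500==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f186e2da05a bp 0x7fff4e8fe260 sp 0x7fff4e8fd9f0 T0)
    #0 0x7f186e2da059  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x47059)
    #1 0x7f186db38b0c in Exiv2::isoSpeed(Exiv2::ExifData const&) /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/easyaccess.cpp:178
    #3 0x42d6c2 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:387
    #5 0x4139a6 in main /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/exiv2.cpp:169
    #6 0x7f186cf9a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
"""

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
# Only symbolised frames carry "in <function> <file>:<line>"; frames that point
# into libasan/libc ("<lib>+0x...") deliberately do not match.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<file>\S+?):(?P<line>\d+)\s*$", re.M)

PAGE_SIZE = 4096  # assumption: faults below the first page are NULL(+offset) dereferences

def parse_asan_report(text):
    """Return (error kind, faulting address as int, list of symbolised frames)."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer report")
    frames = [f.groupdict() for f in FRAME_RE.finditer(text)]
    return m.group("kind"), int(m.group("addr"), 16), frames

def first_project_frame(frames, src_dir="/src/"):
    """First frame whose source file lies under the project's own tree
    (src_dir is an assumed convention matching the paths in this report)."""
    return next((f for f in frames if src_dir in f["file"]), None)

def triage(text, src_dir="/src/"):
    """Classify the crash and name the in-project function where it happened."""
    kind, addr, frames = parse_asan_report(text)
    if kind == "SEGV":
        category = "null-deref" if addr < PAGE_SIZE else "wild-access"
    else:
        category = kind  # e.g. heap-buffer-overflow: ASan already names it
    frame = first_project_frame(frames, src_dir)
    if frame is None:
        location = "unknown"
    else:
        func = frame["func"].split("(")[0]  # drop the C++ parameter list
        location = f"{func} at {os.path.basename(frame['file'])}:{frame['line']}"
    return {"category": category, "address": addr, "location": location}
```

Running `triage(ASAN_REPORT)` on the excerpt yields the category `null-deref` at `Exiv2::isoSpeed at easyaccess.cpp:178`, which is exactly the location in the issue title.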

@piponazo piponazo added the bug label Nov 26, 2018
@piponazo
Collaborator

Confirmed. I could reproduce the issue on my desktop with Ubuntu 18.04 and gcc-7.3.

Thanks for reporting! We will try to fix this issue ASAP.

@piponazo
Collaborator

@Marsman1996 the issue should be fixed now. Could you please confirm?

@Marsman1996
Author

@piponazo I think this issue should be fixed, since exiv2 (master 6e42c1b) no longer crashes or does anything else wrong when opening the poc file.

@carnil

carnil commented Nov 30, 2018

This issue has been assigned CVE-2018-19607

@fgeek fgeek changed the title SEGV in Exiv2::isoSpeed at easyaccess.cpp:178 CVE-2018-19607: SEGV in Exiv2::isoSpeed at easyaccess.cpp:178 Dec 1, 2018