CVE-2018-19607: SEGV in Exiv2::isoSpeed at easyaccess.cpp:178 #561

Closed
Marsman1996 opened this Issue Nov 23, 2018 · 4 comments


Marsman1996 commented Nov 23, 2018

Tested in Ubuntu 16.04 64bit, exiv2 (master 3f2e0de && 0.27-RC2)
$ exiv2 $POC

POC file

gdb info:

Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
31	../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __strcmp_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
#1  0x00007ffff794b9ff in Exiv2::isoSpeed (ed=...)
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/easyaccess.cpp:178
#2  0x0000000000425aef in Action::Print::printTag (this=0x65dde0, 
    exifData=..., 
    easyAccessFct=0x412390 <Exiv2::isoSpeed(Exiv2::ExifData const&)@plt>, 
    label="ISO speed")
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:500
#3  0x0000000000424038 in Action::Print::printSummary (this=0x65dde0)
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:387
#4  0x0000000000422901 in Action::Print::run (this=0x65dde0, 
    path="/home/marsman/Desktop/poc9-isoSpeed")
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:246
#5  0x0000000000412e39 in main (argc=2, argv=0x7fffffffdda8)
    at /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/exiv2.cpp:169

ASAN info:

==91500==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f186e2da05a bp 0x7fff4e8fe260 sp 0x7fff4e8fd9f0 T0)
    #0 0x7f186e2da059  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x47059)
    #1 0x7f186db38b0c in Exiv2::isoSpeed(Exiv2::ExifData const&) /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/easyaccess.cpp:178
    #2 0x42f9fd in Action::Print::printTag(Exiv2::ExifData const&, std::_List_const_iterator<Exiv2::Exifdatum> (*)(Exiv2::ExifData const&), std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:500
    #3 0x42d6c2 in Action::Print::printSummary() /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:387
    #4 0x42b9db in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/actions.cpp:246
    #5 0x4139a6 in main /home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/src/exiv2.cpp:169
    #6 0x7f186cf9a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x413308 in _start (/home/marsman/Desktop/crashana/exiv2/exiv2-3f2e0de/build_asan/bin/exiv2+0x413308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??

Addition: This bug was found with mem-AFL, which is based on AFL. Mem-AFL is developed by Yanhao (unfuzzable123@gmail.com) & Marsman1996 (lqliuyuwei@outlook.com).
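Both traces above put the fault inside strcmp() at address 0x0, called from Exiv2::isoSpeed while the `print` action walks the ISO-related tags of the crafted file: a string pointer that the code assumed to exist was null. The C++ below is an added illustration, not Exiv2's source. It models the same lookup-then-compare shape over a preference list of tag keys, shows the unsafe form (tag presence checked, value presence not) next to the hardened form that treats a missing or undecodable value as "no ISO here" and moves on to the next candidate. The Datum/ExifTable types, findDatum(), parseIso(), isoSpeedUnsafe(), isoSpeedSafe(), the key list and the two sample tables are all constructed for this example.

```cpp
// Added example (not Exiv2 source): the lookup-then-compare shape behind a
// "SEGV on address 0 in strcmp" crash, and its hardened counterpart.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for one Exif datum. A null `value` models a tag that
// is present in the file but whose value could not be decoded.
struct Datum {
    std::string key;
    const char* value;  // may be nullptr
};
using ExifTable = std::vector<Datum>;

// Illustrative preference order for ISO tags (assumed, not Exiv2's table).
static const char* const kIsoKeys[] = {
    "Exif.Photo.ISOSpeedRatings",
    "Exif.Image.ISOSpeedRatings",
    "Exif.Nikon3.ISOSpeed",
};

// Hypothetical lookup: the datum for `key`, or nullptr when the tag is absent.
const Datum* findDatum(const ExifTable& ed, const char* key) {
    for (const Datum& d : ed)
        if (d.key == key) return &d;
    return nullptr;
}

// Parse a decimal ISO value; -1 unless the whole string is a positive number.
long parseIso(const char* s) {
    if (s == nullptr || *s == '\0') return -1;
    char* end = nullptr;
    long v = std::strtol(s, &end, 10);
    return (*end == '\0' && v > 0) ? v : -1;
}

// Vulnerable shape (shown for contrast, never called): tag presence is checked,
// value presence is not, so strcmp(nullptr, "0") dereferences address 0,
// which is the SIGSEGV in the gdb/ASAN traces above.
long isoSpeedUnsafe(const ExifTable& ed) {
    for (const char* k : kIsoKeys) {
        const Datum* d = findDatum(ed, k);
        if (d == nullptr) continue;
        if (std::strcmp(d->value, "0") != 0)           // BUG: d->value may be null
            return std::strtol(d->value, nullptr, 10);
    }
    return -1;
}

// Hardened: a missing or undecodable value is "no ISO here", not a string to
// compare; the loop simply moves on to the next candidate key.
long isoSpeedSafe(const ExifTable& ed) {
    for (const char* k : kIsoKeys) {
        const Datum* d = findDatum(ed, k);
        if (d == nullptr || d->value == nullptr) continue;
        long iso = parseIso(d->value);
        if (iso > 0) return iso;                        // skip "0" and garbage
    }
    return -1;  // caller prints no ISO line instead of crashing
}

// Constructed sample: preferred tag present without a decodable value
// (the malformed-file case), fallback tag carries a usable ISO.
ExifTable makeCraftedTable() {
    return {{"Exif.Photo.ISOSpeedRatings", nullptr},
            {"Exif.Image.ISOSpeedRatings", "400"}};
}

// Constructed sample: nothing usable at all.
ExifTable makeNoIsoTable() {
    return {{"Exif.Photo.ISOSpeedRatings", "0"},
            {"Exif.Nikon3.ISOSpeed", nullptr}};
}

int main() {
    std::printf("crafted table -> ISO %ld\n", isoSpeedSafe(makeCraftedTable()));  // 400
    std::printf("no-ISO table  -> ISO %ld\n", isoSpeedSafe(makeNoIsoTable()));    // -1
    return 0;
}
```

The design point is that "tag found" and "tag has a string value" are separate conditions; a parser fed untrusted files has to test both before handing a pointer to strcmp(), and the cheapest regression check is a table whose preferred key carries no value at all.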

@piponazo piponazo added the bug label Nov 26, 2018

piponazo commented Nov 26, 2018

Confirmed. I could reproduce the issue on my desktop with Ubuntu 18.04 and gcc-7.3.

Thanks for reporting! We will try to fix this issue ASAP.

@piponazo piponazo self-assigned this Nov 26, 2018

piponazo added a commit to piponazo/exiv2 that referenced this issue Nov 26, 2018

piponazo added a commit that referenced this issue Nov 26, 2018

piponazo commented Nov 26, 2018

@Marsman1996 the issue should be fixed now. Could you please confirm?

Marsman1996 commented Nov 26, 2018

@piponazo I think this issue should be fixed, since exiv2 (master 6e42c1b) no longer crashes or does anything else when opening the poc file.

carnil commented Nov 30, 2018

This issue has been assigned CVE-2018-19607.

@fgeek fgeek changed the title from SEGV in Exiv2::isoSpeed at easyaccess.cpp:178 to CVE-2018-19607: SEGV in Exiv2::isoSpeed at easyaccess.cpp:178 Dec 1, 2018