
CVE-2017-14348 Heap buffer overflow in LibRaw::processCanonCameraInfo #100

Closed
fgeek opened this Issue Sep 12, 2017 · 9 comments

@fgeek

fgeek commented Sep 12, 2017

Sample: http://bugs.fi/media/afl/libraw/libraw-0.18.3-heap-buffer-overflow-processCanonCameraInfo.cr2
Credit: Henri Salo from Nixu Corporation
Tools: afl-2.51b, afl-utils, GCC AddressSanitizer

./raw-identify 3cf207558915d72a1a77ae9c8ed55b7496c2131e
=================================================================
==12072==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee31 at pc 0x7febd8ff396d bp 0x7ffc53c69e20 sp 0x7ffc53c69e18
WRITE of size 1 at 0x60200000ee31 thread T0
    #0 0x7febd8ff396c in LibRaw::processCanonCameraInfo(unsigned int, unsigned char*, unsigned int) internal/dcraw_common.cpp:5892
    #1 0x7febd9046da9 in LibRaw::parse_makernote(int, int) internal/dcraw_common.cpp:8330
    #2 0x7febd905de27 in LibRaw::parse_exif(int) internal/dcraw_common.cpp:9836
    #3 0x7febd902f3fd in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10717
    #4 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #5 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #6 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #7 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #8 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #9 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #10 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #11 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #12 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #13 0x7febd903d7ea in LibRaw::parse_tiff(int) internal/dcraw_common.cpp:11254
    #14 0x7febd908b0cc in LibRaw::identify() internal/dcraw_common.cpp:14124
    #15 0x7febd91b26c6 in LibRaw::open_datastream(LibRaw_abstract_datastream*) src/libraw_cxx.cpp:1737
    #16 0x7febd91be1b2 in LibRaw::open_file(char const*, long long) src/libraw_cxx.cpp:972
    #17 0x4016a9 in main samples/raw-identify.cpp:141
    #18 0x7febd781db44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #19 0x408459 (/home/afl/builds/libraw/0.18.3/bin/raw-identify+0x408459)

0x60200000ee31 is located 0 bytes to the right of 1-byte region [0x60200000ee30,0x60200000ee31)
allocated by thread T0 here:
    #0 0x7febd94cb73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7febd915b15b in libraw_memmgr::malloc(unsigned long) libraw/libraw_alloc.h:39
    #2 0x7febd915b15b in LibRaw::malloc(unsigned long) src/libraw_cxx.cpp:475
    #3 0x7febd9045d5e in LibRaw::parse_makernote(int, int) internal/dcraw_common.cpp:8316
    #4 0x7febd905de27 in LibRaw::parse_exif(int) internal/dcraw_common.cpp:9836
    #5 0x7febd902f3fd in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10717
    #6 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #7 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #8 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #9 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #10 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #11 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #12 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #13 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #14 0x7febd90342c1 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:10550
    #15 0x7febd903d7ea in LibRaw::parse_tiff(int) internal/dcraw_common.cpp:11254
    #16 0x7febd908b0cc in LibRaw::identify() internal/dcraw_common.cpp:14124
    #17 0x7febd91b26c6 in LibRaw::open_datastream(LibRaw_abstract_datastream*) src/libraw_cxx.cpp:1737
    #18 0x7febd91be1b2 in LibRaw::open_file(char const*, long long) src/libraw_cxx.cpp:972
    #19 0x4016a9 in main samples/raw-identify.cpp:141
    #20 0x7febd781db44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-buffer-overflow internal/dcraw_common.cpp:5892 LibRaw::processCanonCameraInfo(unsigned int, unsigned char*, unsigned int)
Shadow bytes around the buggy address:
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dc0: fa fa fa fa fa fa[01]fa fa fa 00 07 fa fa fd fd
  0x0c047fff9dd0: fa fa fd fd fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==12072==ABORTING
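The report above says everything needed to classify the bug: parse_makernote allocated a 1-byte heap region whose size came from the file, and processCanonCameraInfo then wrote one byte at offset 1 of that region. The following C program is an added model of that bug class, written for this page; it is not LibRaw's code and not the upstream fix. The 4-byte length prefix, the CAMERA_INFO_MIN_LEN value, the field offsets, the function names and the sample bytes are all assumptions made for illustration. It shows the unchecked consumer beside a hardened one that refuses any tag shorter than the largest offset it touches.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tag layout (assumption, not the CR2/TIFF format):
 * 4-byte little-endian payload length, then that many payload bytes. */
uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Largest byte index the consumer touches, plus one (assumed value). */
#define CAMERA_INFO_MIN_LEN 4

/* Vulnerable shape: the length is passed in but never compared with the
 * offsets written. With a 1-byte buffer, info[1] is a one-byte heap write
 * just past the region, the same shape as the ASan report. Kept for
 * contrast only; the caller below never invokes it. */
void process_camera_info_unchecked(uint8_t *info, uint32_t len)
{
    (void)len;                                   /* length ignored: the bug */
    uint16_t model = (uint16_t)(info[2] | (info[3] << 8));
    info[1] = (uint8_t)(model & 0xff);
}

/* Hardened shape: reject the tag when it is shorter than what we access.
 * Returns 0 on success, -1 when the tag is skipped. */
int process_camera_info_checked(uint8_t *info, uint32_t len)
{
    if (len < CAMERA_INFO_MIN_LEN)
        return -1;                               /* too short: skip the tag */
    uint16_t model = (uint16_t)(info[2] | (info[3] << 8));
    info[1] = (uint8_t)(model & 0xff);
    return 0;
}

/* Model of the allocating caller (parse_makernote in the report): the heap
 * buffer is sized from the file's own length field, so whoever crafts the
 * file controls the region size. Writes info[1] to *out_byte1 on success.
 * Returns 0 on success, -1 on malformed or too-short input. */
int handle_camera_info_tag(const uint8_t *blob, size_t blob_len, uint8_t *out_byte1)
{
    if (blob_len < 4)
        return -1;
    uint32_t len = get_le32(blob);
    if (len == 0 || len > blob_len - 4)
        return -1;                               /* length exceeds the data */
    uint8_t *info = malloc(len);
    if (!info)
        return -1;
    memcpy(info, blob + 4, len);
    int rc = process_camera_info_checked(info, len);
    if (rc == 0 && out_byte1)
        *out_byte1 = info[1];
    free(info);
    return rc;
}

/* Constructed inputs (not bytes from the CR2 sample in the report):
 * short_tag declares a 1-byte payload, the case that overflowed;
 * good_tag declares 4 bytes with a little-endian model id 0x1234 at offset 2. */
const uint8_t short_tag[] = { 0x01, 0x00, 0x00, 0x00, 0xAA };
const uint8_t good_tag[]  = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x12 };

int main(void)
{
    uint8_t b = 0;
    printf("short tag: rc=%d\n", handle_camera_info_tag(short_tag, sizeof short_tag, &b));
    printf("good tag:  rc=%d byte1=0x%02x\n",
           handle_camera_info_tag(good_tag, sizeof good_tag, &b), b);
    return 0;
}
```

Built with `-fsanitize=address`, replacing the checked call with the unchecked one in handle_camera_info_tag reproduces a report of the same shape as the one above (WRITE of size 1, 0 bytes to the right of a 1-byte region). The general lesson is the one the trace already gives: any routine that takes a buffer plus a length must bound every offset it reads or writes by that length, because the length is attacker-controlled file data.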
@LibRaw

Owner

LibRaw commented Sep 12, 2017

thanks

@LibRaw

Owner

LibRaw commented Sep 12, 2017

Fixed in 0.18.4 (pushed to github just now)

@LibRaw LibRaw closed this Sep 12, 2017

@fgeek

fgeek commented Sep 12, 2017

Please use CVE-2017-14348 for this issue.

@fgeek fgeek changed the title from Heap buffer overflow in LibRaw::processCanonCameraInfo to CVE-2017-14348 Heap buffer overflow in LibRaw::processCanonCameraInfo Sep 12, 2017

@LibRaw

Owner

LibRaw commented Sep 13, 2017

Guys,
could you please

  1. coordinate with another team (#101)
  2. create a single CVE for multiple problems (e.g. once a week, for the multiple problems in LibRaw)...

It is not hard to patch the source every day and publish patches, but it is too much hassle to publish a complete release (distro bundles) every day. I prefer a weekly schedule:

  • accumulate patches
  • publish once a week (or two)
  • and publish a CVE once a week (or two) too.
    Not every day.

These bugs are important, but not in a very big hurry, because no one (AFAIK) runs LibRaw on random files that come from the net from anonymous users.

@LibRaw

Owner

LibRaw commented Sep 13, 2017

CVE and credits are noted in last push

d13e8f6

@Twi1ight

Twi1ight commented Sep 13, 2017

@LibRaw OK, I will submit bugs once a week later.

@carnil

carnil commented Sep 15, 2017

The fix for this issue should be 8303e74

@LibRaw

Owner

LibRaw commented Sep 15, 2017

yes
