Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

stack buffer overflow in LibRaw::identify_process_dng_fields in identify.cpp #330

Closed
sleicasper opened this issue Aug 19, 2020 · 2 comments

Comments

@sleicasper
Copy link

poc:
poc.tiff.zip

reproduce steps:

  1. compile libraw with Address sanitizer
  2. run command dcraw_emu poc.tiff

result:

=================================================================
==28701==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc48fb70a0 at pc 0x0000006b4b25 bp 0x7ffc48fb6f90 sp 0x7ffc48fb6f88
READ of size 8 at 0x7ffc48fb70a0 thread T0
    #0 0x6b4b24 in LibRaw::identify_process_dng_fields() /home/casper/targets/struct/libraw/afl/BUILD/src/metadata/identify.cpp:1309:24
    #1 0x69688e in LibRaw::identify() /home/casper/targets/struct/libraw/afl/BUILD/src/metadata/identify.cpp:1055:4
    #2 0x53e843 in LibRaw::open_datastream(LibRaw_abstract_datastream*) /home/casper/targets/struct/libraw/afl/BUILD/src/utils/open.cpp:390:4
    #3 0x53d0fe in LibRaw::open_file(char const*, long long) /home/casper/targets/struct/libraw/afl/BUILD/src/utils/open.cpp:61:13
    #4 0x4f5efa in main /home/casper/targets/struct/libraw/afl/BUILD/samples/dcraw_emu.cpp:562:28
    #5 0x7f24ee8f1b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41d829 in _start (/home/casper/targets/struct/libraw/afl/smallrun/dcraw_emu+0x41d829)

Address 0x7ffc48fb70a0 is located in stack of thread T0 at offset 256 in frame
    #0 0x6adf8f in LibRaw::identify_process_dng_fields() /home/casper/targets/struct/libraw/afl/BUILD/src/metadata/identify.cpp:1216

  This frame has 10 object(s):
    [32, 40) 'illidx' (line 1247)
    [64, 72) 'cmidx' (line 1247)
    [96, 104) 'calidx' (line 1247)
    [128, 256) 'cc' (line 1263) <== Memory access at offset 256 overflows this variable
    [288, 384) 'cm' (line 1263)
    [416, 512) 'cam_xyz' (line 1263)
    [544, 560) 'csum' (line 1485)
    [576, 592) 'ccount' (line 1485)
    [608, 624) 'csum1359' (line 1504)
    [640, 656) 'ccount1360' (line 1504)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/casper/targets/struct/libraw/afl/BUILD/src/metadata/identify.cpp:1309:24 in LibRaw::identify_process_dng_fields()
Shadow bytes around the buggy address:
  0x1000091eedc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000091eedd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000091eede0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000091eedf0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2
  0x1000091eee00: 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000091eee10: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
  0x1000091eee20: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x1000091eee30: 00 00 00 00 f2 f2 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2
  0x1000091eee40: f8 f8 f2 f2 f8 f8 f3 f3 00 00 00 00 00 00 00 00
  0x1000091eee50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000091eee60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28701==ABORTING
@LibRaw
Copy link
Owner

LibRaw commented Aug 20, 2020

Already fixed by: 4feaed4

@LibRaw LibRaw closed this as completed Aug 20, 2020
@sleicasper
Copy link
Author

CVE-2020-24870 is allocated for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants