
A Stack Buffer Overflow was discovered in internal/dcraw_common.cpp #99

Closed
Twi1ight opened this issue Sep 8, 2017 · 11 comments

4 participants
@Twi1ight

commented Sep 8, 2017

A Stack Buffer Overflow was discovered in internal/dcraw_common.cpp:5685 (LibRaw::xtrans_interpolate). It could allow a remote denial of service and code execution attack.

Command to reproduce: ./simple_dcraw crash-xtrans_interpolate-stack-overflow
The latest version is vulnerable. Other versions may also be affected.

The sanitizer output:

==96836==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc31555040 at pc 0x7fb90cf370b4 bp 0x7ffc31554f50 sp 0x7ffc31554f48
WRITE of size 4 at 0x7ffc31555040 thread T0
    #0 0x7fb90cf370b3 in LibRaw::xtrans_interpolate(int) /root/Desktop/fuzz/src/LibRaw/internal/dcraw_common.cpp:5836:29
    #1 0x7fb90d230469 in LibRaw::dcraw_process() /root/Desktop/fuzz/src/LibRaw/src/libraw_cxx.cpp:4829:9
    #2 0x514e1e in main /root/Desktop/fuzz/src/LibRaw/samples/simple_dcraw.cpp:159:24
    #3 0x7fb90b9dff44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #4 0x41a6bb in _start (/root/Desktop/fuzz/src/LibRaw/bin/.libs/lt-simple_dcraw+0x41a6bb)

Address 0x7ffc31555040 is located in stack of thread T0 at offset 224 in frame
    #0 0x7fb90cf3192f in LibRaw::xtrans_interpolate(int) /root/Desktop/fuzz/src/LibRaw/internal/dcraw_common.cpp:5686

  This frame has 5 object(s):
    [32, 64) 'hm' (line 5688)
    [96, 112) 'avg' (line 5688)
    [128, 224) 'color' (line 5688) <== Memory access at offset 224 overflows this variable
    [256, 544) 'allhex' (line 5693)
    [608, 632) 'diff' (line 5697)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/Desktop/fuzz/src/LibRaw/internal/dcraw_common.cpp:5836:29 in LibRaw::xtrans_interpolate(int)
Shadow bytes around the buggy address:
  0x1000062a29b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000062a29c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000062a29d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000062a29e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1000062a29f0: 00 00 00 00 f2 f2 f2 f2 00 00 f2 f2 00 00 00 00
=>0x1000062a2a00: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00
  0x1000062a2a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000062a2a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000062a2a30: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 f3 f3 f3 f3 f3
  0x1000062a2a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000062a2a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==96836==ABORTING

In internal/dcraw_common.cpp:5688 (xtrans_interpolate), color was defined as:

  int val, ndir, pass, hm[8], avg[4], color[3][8];

With the input testcase in gdb, we could see that h is 3, which leads to the stack overflow:

(gdb) f 2
#2  0x0000000000650838 in LibRaw::xtrans_interpolate (this=0x7ffffff72c60, passes=3) at internal/dcraw_common.cpp:5836
5836	                color[h][d] = g + rix[i << c][h] + rix[-i << c][h];
(gdb) p h
$24 = 3
(gdb) p d
$25 = 0
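The following is an added illustration, not LibRaw's code and not part of the reporter's comment. It reproduces the arithmetic behind the ASan report (why a write to color[3][0] lands exactly at frame offset 224, one byte past the 96-byte color table that starts at offset 128) and shows the kind of range check on the file-supplied X-Trans CFA pattern that keeps h below 3 before the interpolator runs. The array dimensions follow the declaration quoted above; the CFA grids, xtrans_cfa_is_valid() and the other helper names are assumptions modelled on the report, not LibRaw's actual implementation.

```c
#include <stddef.h>
#include <stdio.h>

/* Sizes taken from the quoted declaration: int color[3][8]. The first
 * index (h) is a colour taken from the 6x6 X-Trans CFA pattern that is
 * read out of the input file, so a crafted file controls it. */
#define NCOLORS    3
#define NDIRS      8
#define XTRANS_DIM 6

/* Frame offset of 'color' from the ASan report ("[128, 224) 'color'"). */
#define COLOR_FRAME_OFFSET 128

/* Byte offset of color[h][d] from the start of the table. */
size_t color_write_offset(int h, int d)
{
    return ((size_t)h * NDIRS + (size_t)d) * sizeof(int);
}

/* 1 if a 4-byte write to color[h][d] stays inside the table, 0 if it
 * would run past the end (the stack-buffer-overflow in the report). */
int color_access_in_bounds(int h, int d)
{
    if (h < 0 || d < 0 || d >= NDIRS)
        return 0;
    return color_write_offset(h, d) + sizeof(int)
           <= (size_t)NCOLORS * NDIRS * sizeof(int);
}

/* Largest colour index the interpolator would use as h for a pattern. */
int max_color_index(const unsigned char xtrans[XTRANS_DIM][XTRANS_DIM])
{
    int m = 0;
    for (int r = 0; r < XTRANS_DIM; r++)
        for (int c = 0; c < XTRANS_DIM; c++)
            if (xtrans[r][c] > m)
                m = xtrans[r][c];
    return m;
}

/* Hypothetical range check of the kind the changelog calls "additional
 * check for X-Trans CFA pattern data": every entry of the file-supplied
 * 6x6 pattern must be a colour index in 0..2, otherwise it is rejected
 * before it can be used as a subscript into color[NCOLORS][..].
 * This is an assumed shape for the check, not LibRaw's code. */
int xtrans_cfa_is_valid(const unsigned char xtrans[XTRANS_DIM][XTRANS_DIM])
{
    return max_color_index(xtrans) < NCOLORS;
}

/* Constructed inputs (0 = R, 1 = G, 2 = B): a grid laid out like the
 * usual X-Trans pattern, and the same grid with one entry corrupted to 3
 * as a malformed file might carry it. */
static const unsigned char good_xtrans[XTRANS_DIM][XTRANS_DIM] = {
    {1, 2, 1, 1, 0, 1}, {0, 1, 0, 2, 1, 2}, {1, 2, 1, 1, 0, 1},
    {1, 0, 1, 1, 2, 1}, {2, 1, 2, 0, 1, 0}, {1, 0, 1, 1, 2, 1},
};
static const unsigned char bad_xtrans[XTRANS_DIM][XTRANS_DIM] = {
    {1, 2, 1, 1, 0, 1}, {0, 1, 0, 2, 1, 2}, {1, 2, 1, 1, 0, 1},
    {1, 0, 1, 1, 2, 1}, {2, 1, 2, 0, 1, 3}, {1, 0, 1, 1, 2, 1},
};

int main(void)
{
    int h = 3, d = 0; /* the values seen in the gdb session above */
    printf("color[%d][%d] is at frame offset %zu (table ends at %d)\n",
           h, d, COLOR_FRAME_OFFSET + color_write_offset(h, d),
           COLOR_FRAME_OFFSET + NCOLORS * NDIRS * (int)sizeof(int));
    printf("in bounds: %d\n", color_access_in_bounds(h, d));
    printf("good pattern valid: %d, max index %d\n",
           xtrans_cfa_is_valid(good_xtrans), max_color_index(good_xtrans));
    printf("bad pattern valid: %d, max index %d\n",
           xtrans_cfa_is_valid(bad_xtrans), max_color_index(bad_xtrans));
    return 0;
}
```

The point of the check is where it sits: the pattern is validated once, right after it is read from the file, so every later subscript derived from it (h in color[h][d]) is known to be in range without per-access tests inside the interpolation loops.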
@LibRaw

Owner

commented Sep 8, 2017

You have not attached the crash-xtrans_interpolate-stack-overflow file.

@LibRaw

Owner

commented Sep 8, 2017

Meanwhile, this patch should help:
0xtrans-cfa-range.txt

@Twi1ight

Author

commented Sep 8, 2017

@LibRaw

Owner

commented Sep 8, 2017

Thanks a lot.

Unfortunately the 1st patch does not solve this problem (but will solve another one).
Here is an additional CFA pattern check:
1xtrans-cfa-range.txt

@carnil


commented Sep 12, 2017

This was assigned CVE-2017-14265

@kirotawa


commented Sep 26, 2017

Hello there!

Is there any fix available for this issue?

Thanks in advance!

@LibRaw

Owner

commented Sep 27, 2017

It was fixed in 0.18.3.
Current release is 0.18.5.

@kirotawa


commented Sep 27, 2017

What is the commit that fixes it, do you know?
I want to cherry-pick it to fix this CVE in an old version, so I can't just jump to the current release right now.

@LibRaw

Owner

commented Sep 27, 2017

This one: 82616ef

@kirotawa


commented Sep 27, 2017

This commit has info about CVE-2017-13735, not CVE-2017-14265. Can I suppose it fixes both?

Thanks!

@LibRaw

Owner

commented Sep 27, 2017

There are two lines in Changelog related to 0.18.3:

  • Fix for CVE-2017-13735
  • Additional check for X-Trans CFA pattern data