
heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections #7

Closed
Fstark-prog opened this issue Oct 22, 2020 · 3 comments

Comments

@Fstark-prog

poc:https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1900821/+attachment/5424955/+files/poc%20%282%29

fstark@fstark-virtual-machine:~/jhead$ ./jhead fuzz1\:id\:000015\,sig\:06\,src\:000476\,time\:412880\,op\:arith8\,pos\:31\,val\:+29
=================================================================
==957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd2 at pc 0x7f6d38f94676 bp 0x7ffd0abe47d0 sp 0x7ffd0abe3f78
READ of size 4 at 0x60200000efd2 thread T0
    #0 0x7f6d38f94675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0x40e810 in ReadJpegSections /home/fstark/jhead/jpgfile.c:285
    #2 0x410e86 in ReadJpegSections /home/fstark/jhead/jpgfile.c:125
    #3 0x410e86 in ReadJpegFile /home/fstark/jhead/jpgfile.c:378
    #4 0x40858b in ProcessFile /home/fstark/jhead/jhead.c:905
    #5 0x402f2c in main /home/fstark/jhead/jhead.c:1756
    #6 0x7f6d3886a83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #7 0x406708 in _start (/home/fstark/jhead/jhead+0x406708)

0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2)
allocated by thread T0 here:
    #0 0x7f6d38fb5602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40e4a8 in ReadJpegSections /home/fstark/jhead/jpgfile.c:172

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[02]fa fa fa 02 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==957==ABORTING
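The trace above reports a 4-byte memcmp read that starts 0 bytes past a 2-byte heap region allocated in ReadJpegSections: a marker segment whose length field covers only itself reaches a signature compare that assumes more payload is present. The following C model of a JPEG marker-segment walker is an added illustration, not jhead's code and not the attached PoC; it shows the defensive shape a parser needs here: validate the length field against the bytes actually in the file, and check that the payload is at least as long as the signature before any memcmp. The byte arrays are constructed samples; 0xE1 (APP1), 0xDA (SOS) and 0xD9 (EOI) are standard JPEG marker values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes for the segment walker. */
enum {
    SEC_OK            =  0,
    SEC_ERR_NO_SOI    = -1,  /* file does not start with FF D8 */
    SEC_ERR_NO_MARKER = -2,  /* expected FF xx + 2-byte length, ran out of bytes */
    SEC_ERR_BAD_LEN   = -3,  /* length field < 2 (it must cover itself) */
    SEC_ERR_TRUNCATED = -4   /* declared length runs past the end of the file */
};

typedef struct {
    uint8_t        marker;      /* e.g. 0xE1 for APP1 */
    const uint8_t *payload;     /* bytes after the 2-byte length field */
    size_t         payload_len; /* length field minus 2 */
} jpeg_section;

/* Parse one marker segment at buf[*pos] without reading outside buf[0..len). */
static int read_section(const uint8_t *buf, size_t len, size_t *pos, jpeg_section *out)
{
    size_t p = *pos;
    if (p >= len || len - p < 4 || buf[p] != 0xFF)
        return SEC_ERR_NO_MARKER;
    size_t itemlen = ((size_t)buf[p + 2] << 8) | buf[p + 3];
    if (itemlen < 2)
        return SEC_ERR_BAD_LEN;
    if (itemlen - 2 > len - (p + 4))
        return SEC_ERR_TRUNCATED;
    out->marker      = buf[p + 1];
    out->payload     = buf + p + 4;
    out->payload_len = itemlen - 2;
    *pos = p + 2 + itemlen;
    return SEC_OK;
}

/* Signature compare guarded by a length check: a segment whose length field
   is exactly 2 has payload_len == 0 and never reaches memcmp. Without this
   guard a 4-byte compare against a 2-byte allocation is precisely the read
   AddressSanitizer flagged above. */
static int section_has_signature(const jpeg_section *s, const char *sig)
{
    size_t n = strlen(sig);
    return s->payload_len >= n && memcmp(s->payload, sig, n) == 0;
}

/* Walk the marker segments of an in-memory JPEG up to SOS or EOI.
   Sets *exif_found when an APP1 segment carries the "Exif" signature. */
int scan_sections(const uint8_t *buf, size_t len, int *exif_found)
{
    *exif_found = 0;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return SEC_ERR_NO_SOI;
    size_t pos = 2;
    while (pos < len) {
        if (len - pos >= 2 && buf[pos] == 0xFF && buf[pos + 1] == 0xD9)
            return SEC_OK;                       /* EOI: nothing more to parse */
        jpeg_section s;
        int rc = read_section(buf, len, &pos, &s);
        if (rc != SEC_OK)
            return rc;
        if (s.marker == 0xE1 && section_has_signature(&s, "Exif"))
            *exif_found = 1;
        if (s.marker == 0xDA)
            return SEC_OK;                       /* SOS: entropy-coded data follows */
    }
    return SEC_ERR_NO_MARKER;                    /* ran off the end without EOI */
}

/* Convenience wrapper: 1 if a well-formed file carries Exif, 0 if it does not,
   otherwise the negative error code from the walker. */
int exif_status(const uint8_t *buf, size_t len)
{
    int exif, rc = scan_sections(buf, len, &exif);
    return rc == SEC_OK ? exif : rc;
}

/* Constructed sample inputs (hypothetical, not the attached PoC). */
const uint8_t SAMPLE_EXIF[] = {
    0xFF, 0xD8,                                              /* SOI */
    0xFF, 0xE1, 0x00, 0x08, 'E', 'x', 'i', 'f', 0x00, 0x00,  /* APP1, length 8 */
    0xFF, 0xD9                                               /* EOI */
};
const uint8_t SAMPLE_SHORT_APP1[] = {
    0xFF, 0xD8,
    0xFF, 0xE1, 0x00, 0x02,     /* APP1 whose length covers only the length bytes */
    0xFF, 0xD9
};
const uint8_t SAMPLE_TRUNCATED[] = {
    0xFF, 0xD8,
    0xFF, 0xE1, 0x10, 0x00, 'E', 'x'   /* claims 4096 bytes, file ends after 2 */
};

int main(void)
{
    printf("well-formed APP1: %d\n", exif_status(SAMPLE_EXIF, sizeof SAMPLE_EXIF));
    printf("2-byte APP1:      %d\n", exif_status(SAMPLE_SHORT_APP1, sizeof SAMPLE_SHORT_APP1));
    printf("over-long length: %d\n", exif_status(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The 2-byte APP1 sample is accepted as a (contentless) segment but never handed to memcmp, and a length that overruns the file is rejected before any allocation or copy would happen; both are the conditions a fuzzer reaches first in a marker-segment parser.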
@Matthias-Wandel
Owner

Matthias-Wandel commented Oct 22, 2020 via email

I got the other ones fixed, but I need to know what command to run here. The command you list doesn't refer to any files, and running jhead on just the file doesn't produce an error.

------ Original Message ------ From: "Fstark" notifications@github.com To: "Matthias-Wandel/jhead" jhead@noreply.github.com Cc: "Subscribed" subscribed@noreply.github.com Sent: 2020-10-22 6:49:54 AM Subject: [Matthias-Wandel/jhead] heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections (#7)

@Fstark-prog
Author

You should use ASAN mode to increase the sensitivity of the detection, or you can use what I have compiled. I git cloned from master 5 minutes ago.

fuzzer&poc.zip

@Matthias-Wandel
Owner

Fixed by 5186ddc
