add several gentoo blog cases

whyisyoung authored and whyisyoung committed May 25, 2018
1 parent e10ddbb commit 9176fe102b728ffc343330caa1ec6c8f8389195c
@@ -28,18 +28,14 @@ In folder

## Vulnerability Details and Patch

### Root Cause
n/a

## Root Cause

n/a

## Stack Trace

### Stack Trace
```
==988==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001ccff at pc 0x0000004bc00c bp 0x7fff920da690 sp 0x7fff920d9e40WRITE of size 1 at 0x62100001ccff thread T0#1 0x7f49edd6af0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
## References
```
### Patch
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a

## References

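Review bot: the ``` fence opened before the `==988==` ASan line is closed only after `## References`, so that heading is rendered inside the stack-trace block, and the second `## References` at the end of the hunk has no body. Move the closing fence to directly after the ASan line and give References the Gentoo advisory URL (or `n/a`) as the other case files do. The trace also begins at frame `#1 _TIFFmemcpy`; frame `#0`, the actual overflowing write site, is missing, so keep the full ASan report as the tiffsplit case does. `Root Cause` appears at both `###` and `##` level with `n/a` under each; keep one.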
@@ -11,10 +11,14 @@ tiffcp -i $FILE /tmp/foo
## PoC
In folder
## Vulnerability Details and Patch

### Root Cause
n/a
## Root Cause
n/a
## Stack Trace
### Stack Trace
```
==20438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fef2adde803 at pc 0x00000051befa bp 0x7ffd3ee26b50 sp 0x7ffd3ee26b48WRITE of size 16 at 0x7fef2adde803 thread T0#0 0x51bef9 in cpStripToTile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1171:11
```
### Patch
https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
## References
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
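Review bot: `Root Cause` and `Stack Trace` each appear twice at different heading levels (`###` under `## Vulnerability Details and Patch` and `##` at top level); pick one scheme so every case file has the same structure. The ASan output is also collapsed onto a single line, so `WRITE of size 16 at 0x7fef2adde803 thread T0#0 0x51bef9 in cpStripToTile` runs together; keep one frame per line inside the fence.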
@@ -11,10 +11,14 @@ tiff2pdf $FILE -o foo
## PoC
In folder
## Vulnerability Details and Patch
n/a

## Root Cause
n/a
## Stack Trace
```
==31315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea11 at pc 0x0000004bc10c bp 0x7fffd59abc40 sp 0x7fffd59ab3f0WRITE of size 2 at 0x60200000ea11 thread T0#1 0x7fd49c1adf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
```
### Patch
https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c
## References
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
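Review bot: `n/a` sits directly under `## Vulnerability Details and Patch` here, while the other cases put it under a `Root Cause` subheading; add the subheading for consistency. The trace starts at frame `#1 _TIFFmemcpy` (`WRITE of size 2`), so neither the memcpy call site nor the tiff2pdf caller that supplied the bad length is recorded; paste the full ASan frames.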
@@ -11,10 +11,61 @@ tiffsplit $FILE
## PoC
In folder
## Vulnerability Details and Patch

### Root Cause
n/a
## Root Cause
n/a
## Stack Trace
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.===================================================================10362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f3824f00090 at pc 0x7f3829624fbb bp 0x7fffe0eb1da0 sp 0x7fffe0eb1d98WRITE of size 4 at 0x7f3824f00090 thread T0#0 0x7f3829624fba in _TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1077:29#1 0x7f382960f202 in TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1198:6#2 0x7f382960f202 in TIFFGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1182#3 0x50a719 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:183:2#4 0x50a719 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:89#5 0x7f382871561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289#6 0x419a78 in _init (/usr/bin/tiffsplit+0x419a78)Address 0x7f3824f00090 is located in stack of thread T0 at offset 144 in frame#0 0x5099cf in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:59This frame has 18 object(s):[32, 40) 'bytecounts.i263.i'[64, 72) 'bytecounts.i.i'[96, 98) 'bitspersample.i'[112, 114) 'samplesperpixel.i'[128, 130) 'compression.i'[144, 146) 'shortv.i' 0x0fe7849d8010: 02 f2[02]f2 00 f2 f2 f2 04 f2 04 f2 04 f2 00 f20x0fe7849d8020: f2 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f20x0fe7849d8030: f2 f2 00 f2 f2 f2 02 f3 00 00 00 00 00 00 00 000x0fe7849d8040: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f50x0fe7849d8050: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f50x0fe7849d8060: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5Shadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07Heap left redzone: faHeap right redzone: fbFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack 
partial redzone: f4Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cb==10362==ABORTING
### Stack Trace
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
=================================================================
==10362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f3824f00090 at pc 0x7f3829624fbb bp 0x7fffe0eb1da0 sp 0x7fffe0eb1d98
WRITE of size 4 at 0x7f3824f00090 thread T0
#0 0x7f3829624fba in _TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1077:29
#1 0x7f382960f202 in TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1198:6
#2 0x7f382960f202 in TIFFGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1182
#3 0x50a719 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:183:2
#4 0x50a719 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:89
#5 0x7f382871561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#6 0x419a78 in _init (/usr/bin/tiffsplit+0x419a78)
Address 0x7f3824f00090 is located in stack of thread T0 at offset 144 in frame
#0 0x5099cf in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:59
This frame has 18 object(s):
[32, 40) 'bytecounts.i263.i'
[64, 72) 'bytecounts.i.i'
[96, 98) 'bitspersample.i'
[112, 114) 'samplesperpixel.i'
[128, 130) 'compression.i'
[144, 146) 'shortv.i' 0x0fe7849d8010: 02 f2[02]f2 00 f2 f2 f2 04 f2 04 f2 04 f2 00 f2
0x0fe7849d8020: f2 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
0x0fe7849d8030: f2 f2 00 f2 f2 f2 02 f3 00 00 00 00 00 00 00 00
0x0fe7849d8040: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fe7849d8050: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fe7849d8060: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10362==ABORTING
### Patch
https://blogs.gentoo.org/ago/2017/01/01/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c/
## References
https://blogs.gentoo.org/ago/2017/01/01/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c/
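Review bot: the `### Patch` entry is the Gentoo advisory URL, identical to `## References`, not an upstream fix commit; if no fix commit was identified, write `n/a` so a reader does not mistake the blog post for a patch. The trace is pasted twice, once collapsed onto two lines and once line-per-frame, and neither copy is fenced; keep only the line-per-frame copy inside a ``` fence like the other cases. The `Root Cause` field could be filled from the report itself: `WRITE of size 4` at offset 144 lands in `'shortv.i'`, a 2-byte object `[144, 146)`, i.e. `_TIFFVGetField` storing 4 bytes through `TIFFGetField` into a 2-byte local in `tiffsplit.c:183`. The frame listing says `18 object(s)` but only six are shown, so that paste is also truncated.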
@@ -11,10 +11,15 @@ tiffcp -i $FILE /tmp/foo
## PoC
In folder
## Vulnerability Details and Patch

### Root Cause
n/a
## Root Cause
n/a
## Stack Trace
### Stack Trace
```
==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0READ of size 78490 at 0x62500000e861 thread T0#1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23
```
### Patch
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df

## References
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
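Review bot: fix commit `5397a417e61258c69209904e652a1f409ec3b9df` is the same one cited by the next `tiffcp -i` case (`READ of size 512` in `_TIFFmemcpy`); if one commit fixes both reports, cross-link them or state the shared cause instead of leaving both `Root Cause` fields `n/a`. As elsewhere, `Root Cause`/`Stack Trace` are duplicated at `###` and `##`, and the trace begins at frame `#1 _tiffWriteProc` so the caller that handed over a 78490-byte read is not shown.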
@@ -11,10 +11,14 @@ tiffcp -i $FILE /tmp/foo
## PoC
In folder
## Vulnerability Details and Patch

### Root Cause
n/a
## Root Cause
n/a
## Stack Trace
### Stack Trace
```
==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0READ of size 512 at 0x60200000eef4 thread T0#1 0x7fcaf590cf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
```
### Patch
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
## References
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
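Review bot: same fix commit `5397a417...` as the preceding case and same duplicated `###`/`##` headings; either merge the two entries or explain why they are tracked separately. The trace again starts at frame `#1 _TIFFmemcpy` (`READ of size 512`), so the libtiff function that called memcpy with the bad length is missing; include frame `#0` and the callers.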
@@ -11,10 +11,14 @@ tiffcp -i $FILE /tmp/foo
## PoC
In folder
## Vulnerability Details and Patch

### Root Cause
n/a
## Root Cause
n/a
## Stack Trace
### Stack Trace
```
==15106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd8 at pc 0x7f33918c5de3 bp 0x7ffc5abe6ba0 sp 0x7ffc5abe6b98READ of size 8 at 0x60200000edd8 thread T0#0 0x7f33918c5de2 in TIFFFillStrip /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:523:22
```
### Patch
https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
## References
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
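Review bot: this trace does carry frame `#0 TIFFFillStrip tif_read.c:523:22` (`READ of size 8`), but no caller frames, so it is unclear which tiffcp path reaches it; paste the full ASan output. `Root Cause` and `Stack Trace` are again duplicated at `###` and `##` level with `n/a` under both.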
@@ -11,10 +11,16 @@ tiffcrop -i $FILE /tmp/foo
## PoC
In folder
## Vulnerability Details and Patch

### Root Cause
n/a
## Root Cause
n/a
## Stack Trace
==9181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd3b2e277f8 at pc 0x7fd3b7a762cc bp 0x7ffffd6e2550 sp 0x7ffffd6e2548READ of size 1 at 0x7fd3b2e277f8 thread T0#0 0x7fd3b7a762cb in _TIFFFax3fillruns /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_fax3.c:413:13
### Stack Trace
```
==9181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd3b2e277f8 at pc 0x7fd3b7a762cc bp 0x7ffffd6e2550 sp 0x7ffffd6e2548
READ of size 1 at 0x7fd3b2e277f8 thread T0
#0 0x7fd3b7a762cb in _TIFFFax3fillruns /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_fax3.c:413:13
```
### Patch
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
## References
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
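Review bot: the `_TIFFFax3fillruns` trace is pasted twice, first collapsed on one unfenced line directly under `## Stack Trace`, then fenced and line-per-frame under `### Stack Trace`; drop the unfenced copy and one of the two headings. Fix commit `9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a` is also cited for the first `tiffcp -i` case and for the following `NeXTDecode` tiffcrop case, so these three entries should reference each other.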
@@ -11,10 +11,16 @@ tiffcrop -i $FILE /tmp/foo
## PoC
In folder
## Vulnerability Details and Patch

### Root Cause
n/a
## Root Cause
n/a
## Stack Trace
### Stack Trace
```
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30WRITE of size 2048 at 0x62d00000a3fc thread T0#1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9
```
### Patch
Upstream said that the previous changes, fixes this too. It needs to be bisected.
From the bisect the fix is:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
## References
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/
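Review bot: the `### Patch` entry mixes narrative (`Upstream said that the previous changes, fixes this too. It needs to be bisected.`) with the bisect result; keep only the commit URL as the Patch value and move the bisect remark into Root Cause or References. Because `9657bbe3...` is also credited with fixing the `_TIFFFax3fillruns` heap overflow, confirm that it actually changes the `NeXTDecode` path at `tif_next.c:64` rather than merely rejecting the sample earlier. The trace starts at frame `#1 NeXTDecode` (`WRITE of size 2048`), so frame `#0`, the write itself, is missing.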