
a div zero vul in function new_aubio_source_wavread() in aubio0.4.6 #148

Closed
my123px opened this issue Nov 28, 2017 · 4 comments
@my123px

my123px commented Nov 28, 2017

root@yhk-RH2485-V2:/ljl/aubio/examples# gdb ./aubioquiet
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./aubioquiet...done.
(gdb) r -i id:000007,sig:08,src:000068,op:ext_AO,pos:48
Starting program: /root/ljl/aubio/examples/aubioquiet -i id:000007,sig:08,src:000068,op:ext_AO,pos:48
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
AUBIO ERROR: source_sndfile: Failed opening id:000007,sig:08,src:000068,op:ext_AO,pos:48 (Error in WAV file. No 'data' chunk marker.)

Program received signal SIGFPE, Arithmetic exception.
0x0000000000405969 in new_aubio_source_wavread (
path=path@entry=0x7fffffffe730 "id:000007,sig:08,src:000068,op:ext_AO,pos:48", samplerate=samplerate@entry=0, hop_size=hop_size@entry=256)
at ../src/io/source_wavread.c:256
256 duration = read_little_endian(buf, 4) / blockalign;
(gdb) bt
#0 0x0000000000405969 in new_aubio_source_wavread (
path=path@entry=0x7fffffffe730 "id:000007,sig:08,src:000068,op:ext_AO,pos:48", samplerate=samplerate@entry=0, hop_size=hop_size@entry=256)
at ../src/io/source_wavread.c:256
#1 0x0000000000404626 in new_aubio_source (
uri=0x7fffffffe730 "id:000007,sig:08,src:000068,op:ext_AO,pos:48",
samplerate=0, hop_size=256) at ../src/io/source.c:104
#2 0x00000000004023ba in examples_common_init ()
#3 0x00000000004022d2 in main ()

Program not restarted.
(gdb) i r
rax 0x61746164 1635017060
rbx 0x60d0f0 6344944
rcx 0x6100 24832
rdx 0x0 0
rsi 0x60d230 6345264
rdi 0x3 3
rbp 0x7fffffffe2e0 0x7fffffffe2e0
rsp 0x7fffffffe2c0 0x7fffffffe2c0
r8 0x1000 4096
r9 0x7fffffffe2e0 140737488347872
r10 0x61746198 1635017112
r11 0x246 582
r12 0x61746198 1635017112
r13 0x617461a0 1635017120
r14 0x61746168 1635017064
r15 0x408875 4229237
rip 0x405969 0x405969 <new_aubio_source_wavread+1241>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
(gdb) x/4i $pc
=> 0x405969 <new_aubio_source_wavread+1241>: divl 0x8(%rsp)
0x40596d <new_aubio_source_wavread+1245>: cmp %r12,%r13
0x405970 <new_aubio_source_wavread+1248>: mov %eax,%ebp
0x405972 <new_aubio_source_wavread+1250>: jne 0x405b98 <new_aubio_source_wavread+1800>
(gdb) x/8xb $rsp+8
0x7fffffffe2c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
id000007,sig08,src000068,opext_AO,pos48.zip
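The crash above is an unguarded division by the WAV header's blockalign field, which the attached file sets to zero (the divisor at $rsp+8 is 0). The following C program is an added illustration, not aubio's source: it mirrors the read_little_endian() helper from the backtrace, assumes a simplified header layout (PCM fmt body followed by the data chunk size), and shows the zero check that turns the SIGFPE into a rejected file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the read_little_endian() helper named in the backtrace:
 * reads an n-byte little-endian unsigned integer (n <= 4). */
static uint32_t read_little_endian(const unsigned char *buf, unsigned int n) {
  uint32_t v = 0;
  for (unsigned int i = 0; i < n; i++) v |= (uint32_t)buf[i] << (8 * i);
  return v;
}

/* Assumed layout for this example: the 16-byte PCM "fmt " chunk body
 * (blockalign is the 16-bit field at offset 12) followed directly by the
 * 32-bit size field of the "data" chunk. */
enum { FMT_BLOCKALIGN_OFF = 12, DATA_SIZE_OFF = 16, HDR_LEN = 20 };

/* Returns the duration in frames, or -1 for a malformed header.
 * The blockalign == 0 check is the guard the crashing line lacks: a WAV
 * whose fmt chunk carries a zero block alignment otherwise triggers the
 * SIGFPE shown in the report. */
int64_t wav_duration_frames(const unsigned char *hdr, size_t len) {
  if (len < HDR_LEN) return -1;
  uint32_t blockalign = read_little_endian(hdr + FMT_BLOCKALIGN_OFF, 2);
  uint32_t data_size  = read_little_endian(hdr + DATA_SIZE_OFF, 4);
  if (blockalign == 0) return -1;            /* refuse instead of dividing */
  return (int64_t)(data_size / blockalign);
}

/* Constructed sample headers (not taken from the attached crash file):
 * 16-bit stereo PCM at 44100 Hz, blockalign 4, 8000 bytes of data. */
const unsigned char wav_hdr_ok[HDR_LEN] = {
  0x01, 0x00,  0x02, 0x00,  0x44, 0xAC, 0x00, 0x00,  0x10, 0xB1, 0x02, 0x00,
  0x04, 0x00,  0x10, 0x00,  0x40, 0x1F, 0x00, 0x00 };
/* Same header with blockalign zeroed, the condition behind this issue. */
const unsigned char wav_hdr_zero_align[HDR_LEN] = {
  0x01, 0x00,  0x02, 0x00,  0x44, 0xAC, 0x00, 0x00,  0x10, 0xB1, 0x02, 0x00,
  0x00, 0x00,  0x10, 0x00,  0x40, 0x1F, 0x00, 0x00 };

int main(void) {
  printf("ok header:       %lld frames\n",
         (long long)wav_duration_frames(wav_hdr_ok, HDR_LEN));
  printf("zero blockalign: %lld (rejected)\n",
         (long long)wav_duration_frames(wav_hdr_zero_align, HDR_LEN));
  return 0;
}
```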

@carnil

carnil commented Dec 2, 2017

CVE-2017-17054

@piem
Member

piem commented Dec 4, 2017

hello!

Thank you @my123px for the report, and wow, thanks @carnil for the CVE, that's a first for aubio. A quick way to work this around is to recompile with --disable-wavread. We are preparing a patch to fix this issue.

That said, if you do run a service using aubio, please let us know! :-)

best, piem

@piem
Member

piem commented Dec 4, 2017

see also #137

@piem
Member

piem commented Feb 6, 2018

hi @my123px

Could you try again with current master branch? Commit 25ecb73 for #158 should provide a fix. Otherwise, please re-open this issue providing more information.
