Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

stack buffer overflow while running wavpack #27

Closed
sebastinas opened this issue Feb 3, 2018 · 4 comments
Closed

stack buffer overflow while running wavpack #27

sebastinas opened this issue Feb 3, 2018 · 4 comments

Comments

@sebastinas
Copy link
Contributor

Forwarding a bug report we received in the Debian bug tracker (https://bugs.debian.org/889276):

stack buffer overflow running wavpack with "-y poc.wav" option

Running 'wavpack -y poc.wav' with the attached file raises stack buffer overflow
which may allow a remote attacker to cause unspecified impact including denial-of-service attack
I expected the program to terminate without segfault, but the program crashes as follow

june@june:~/temp/report/wavpack/00000235$ ../../binary/wavpack-5.1.0/cli/.libs/wavpack -y poc.wav

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

creating poc.wv,=================================================================
==13961==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffb3fc at pc 0x7ffff6e9af7f bp 0x7fffffffb1f0 sp 0x7fffffffa9a0
READ of size 108 at 0x7fffffffb3fc thread T0
    #0 0x7ffff6e9af7e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
    #1 0x7ffff6c258c2  (/usr/lib/x86_64-linux-gnu/libwavpack.so.1+0x128c2)
    #2 0x5555555738e2 in ParseRiffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/riff.c:110
    #3 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
    #4 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
    #5 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #6 0x5555555609a9 in _start (/home/june/temp/report/binary/wavpack-5.1.0/cli/.libs/wavpack+0xc9a9)

Address 0x7fffffffb3fc is located in stack of thread T0 at offset 316 in frame
    #0 0x555555573341 in ParseRiffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/riff.c:54

  This frame has 6 object(s):
    [32, 36) 'bcount'
    [96, 104) 'chunk_header'
    [160, 172) 'riff_chunk_header'
    [224, 236) 'cs64_chunk'
    [288, 316) 'ds64_chunk'
    [352, 392) 'WaveHeader' <== Memory access at offset 316 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
Shadow bytes around the buggy address:
  0x10007fff7620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7650: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4
  0x10007fff7660: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 04 f4 f4
=>0x10007fff7670: f2 f2 f2 f2 00 04 f4 f4 f2 f2 f2 f2 00 00 00[04]
  0x10007fff7680: f2 f2 f2 f2 00 00 00 00 00 f4 f4 f4 f3 f3 f3 f3
  0x10007fff7690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff76a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff76b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007fff76c0: f1 f1 01 f4 f4 f4 f2 f2 f2 f2 01 f4 f4 f4 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13961==ABORTING

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

poc.wav can be downloaded from https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889276;filename=poc.wav;msg=5.

@dbry
Copy link
Owner

dbry commented Feb 4, 2018

Thanks for filing this; I appreciate it! It should be fixed in d5bf76b

However, I do have a question. It is indicated that a remote attacker could exploit this issue. I am not a security expert by any measure, but I don't understand how that would happen. To exploit this an attacker would have to get a user to download a malicious WAV file and then have the user attempt to compress the file with the wavpack command-line program (which is not a default hander for any file type). Am I missing something?

@sebastinas
Copy link
Contributor Author

That would be the attack scenario, I guess. I'm not sure if Joonun Jang had something else in mind as well.

@dbry
Copy link
Owner

dbry commented Feb 6, 2018

Okay, cool, thanks for confirming my assumption. I'll get to the other two in a few days.

@dbry dbry closed this as completed Feb 6, 2018
@carnil
Copy link

carnil commented Feb 7, 2018

This issue has been assigned CVE-2018-6767

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants