Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap buffer overflow while running wavpack #28

Closed
sebastinas opened this issue Feb 4, 2018 · 2 comments

Comments

Projects
None yet
3 participants
@sebastinas
Copy link
Contributor

commented Feb 4, 2018

We got another one (https://bugs.debian.org/889559):

heap buffer overflow running wavpack with "-y poc.wav" option

Running 'wavpack -y poc.wav' with the attached file raises heap buffer overflow
which may allow a remote attacker to cause unspecified impact including denial-of-service attack
I expected the program to terminate without segfault, but the program crashes as follow

june@june:~/temp/report/wavpack/00009776$ ../../binary/wavpack-5.1.0/cli/.libs/wavpack -y poc.wav

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

creating poc.wv,=================================================================
==3834==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef91 at pc 0x7ffff6e8105b bp 0x7fffffffb2e0 sp 0x7fffffffaa90
READ of size 2 at 0x60200000ef91 thread T0
    #0 0x7ffff6e8105a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4305a)
    #1 0x55555557ad85 in ParseDsdiffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/dsdiff.c:171
    #2 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
    #3 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
    #4 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #5 0x5555555609a9 in _start (/home/june/temp/report/binary/wavpack-5.1.0/cli/.libs/wavpack+0xc9a9)

0x60200000ef91 is located 0 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91)
allocated by thread T0 here:
    #0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55555557ac4a in ParseDsdiffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/dsdiff.c:156
    #2 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
    #3 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
    #4 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4305a)
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa[01]fa fa fa fd fd fa fa 03 fa fa fa 00 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3834==ABORTING

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

poc.wav is available at https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889559;filename=poc.wav;msg=5.

dbry added a commit that referenced this issue Feb 11, 2018

@dbry

This comment has been minimized.

Copy link
Owner

commented Feb 11, 2018

Thanks for reporting this!

@dbry dbry closed this Feb 11, 2018

dbry added a commit that referenced this issue Feb 12, 2018

@carnil

This comment has been minimized.

Copy link

commented Feb 20, 2018

CVE-2018-7253 was assigned by MITRE to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.