Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

out of bounds read in the function d2alaw_array() and d2ulaw_array() of libsndfile 1.0.29pre1 #344

Closed
my123px opened this issue Dec 7, 2017 · 4 comments

Comments

Projects
None yet
4 participants
@my123px
Copy link

commented Dec 7, 2017

root@yhk-RH2485-V2:~/ljl/libsndfile_new/programs# ./sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
crash_case.tar.gz

ASAN:SIGSEGV

==123453== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000485b74 sp 0x7fff2ffa4290 bp 0x7fff2ffa42c0 T0)
AddressSanitizer can not provide additional info.
#0 0x485b73 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x485b73)
#1 0x486860 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x486860)
#2 0x417667 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x417667)
#3 0x40360f (/root/ljl/libsndfile_new/programs/sndfile-convert+0x40360f)
#4 0x402fd2 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x402fd2)
#5 0x7f06e1f6bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#6 0x401a28 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x401a28)
==123453== ABORTING
root@yhk-RH2485-V2:/ljl/libsndfile_new/programs# gdb sndfile-convert
GNU gdb (Ubuntu 7.7.1-0ubuntu5
14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sndfile-convert...done.
(gdb) r -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Starting program: /root/ljl/libsndfile_new/programs/sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
warning: the debug information found in "/lib/x86_64-linux-gnu/libc-2.19.so" does not match "/lib/x86_64-linux-gnu/libc.so.6" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000485b74 in d2alaw_array ()
(gdb) bt
#0 0x0000000000485b74 in d2alaw_array ()
#1 0x0000000000486861 in alaw_write_d2alaw ()
#2 0x0000000000417668 in sf_writef_double ()
#3 0x0000000000403610 in sfe_copy_data_fp ()
#4 0x0000000000402fd3 in main ()
(gdb) i r
rax 0x800000000075b300 -9223372036847062272
rbx 0x7fffffffd079 140737488343161
rcx 0x10000000800e3660 1152921506755262048
rdx 0x8000000000000000 -9223372036854775808
rsi 0x2 2
rdi 0x763100 7745792
rbp 0x7fffffffc130 0x7fffffffc130
rsp 0x7fffffffc100 0x7fffffffc100
r8 0x10007fff7c00 17594333494272
r9 0x0 0
r10 0x7fffffffbec0 140737488338624
r11 0x7ffff4b6fcd0 140737299021008
r12 0x7fffffffe714 140737488348948
r13 0x7fffffffe450 140737488348240
r14 0x0 0
r15 0x0 0
rip 0x485b74 0x485b74 <d2alaw_array+412>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/4i $pc
=> 0x485b74 <d2alaw_array+412>: movzbl (%rcx),%ecx
0x485b77 <d2alaw_array+415>: test %cl,%cl
0x485b79 <d2alaw_array+417>: setne %dil
0x485b7d <d2alaw_array+421>: mov %rax,%rsi

==18519== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004d0b24 sp 0x7ffd1ba8fea0 bp 0x7ffd1ba8fed0 T0)
AddressSanitizer can not provide additional info.
#0 0x4d0b23 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x4d0b23)
#1 0x4d1810 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x4d1810)
#2 0x417667 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x417667)
#3 0x40360f (/root/ljl/libsndfile_new/programs/sndfile-convert+0x40360f)
#4 0x402fd2 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x402fd2)
#5 0x7fe0cd4f9f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#6 0x401a28 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x401a28)
==18519== ABORTING
root@yhk-RH2485-V2:/ljl/libsndfile_new/programs# gdb sndfile-convert
GNU gdb (Ubuntu 7.7.1-0ubuntu5
14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sndfile-convert...done.
(gdb) r -ulaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Starting program: /root/ljl/libsndfile_new/programs/sndfile-convert -ulaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
warning: the debug information found in "/lib/x86_64-linux-gnu/libc-2.19.so" does not match "/lib/x86_64-linux-gnu/libc.so.6" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004d0b24 in d2ulaw_array ()
(gdb) bt
#0 0x00000000004d0b24 in d2ulaw_array ()
#1 0x00000000004d1811 in ulaw_write_d2ulaw ()
#2 0x0000000000417668 in sf_writef_double ()
#3 0x0000000000403610 in sfe_copy_data_fp ()
#4 0x0000000000402fd3 in main ()
(gdb) i r
rax 0x800000000075f700 -9223372036847044864
rbx 0x7fffffffd079 140737488343161
rcx 0x10000000800e3ee0 1152921506755264224
rdx 0x8000000000000000 -9223372036854775808
rsi 0x2 2
rdi 0x763100 7745792
rbp 0x7fffffffc130 0x7fffffffc130
rsp 0x7fffffffc100 0x7fffffffc100
r8 0x10007fff7c00 17594333494272
r9 0x0 0
r10 0x7fffffffbec0 140737488338624
r11 0x7ffff4b6fcd0 140737299021008
r12 0x7fffffffe713 140737488348947
r13 0x7fffffffe450 140737488348240
r14 0x0 0
r15 0x0 0
rip 0x4d0b24 0x4d0b24 <d2ulaw_array+412>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/4i $pc
=> 0x4d0b24 <d2ulaw_array+412>: movzbl (%rcx),%ecx
0x4d0b27 <d2ulaw_array+415>: test %cl,%cl
0x4d0b29 <d2ulaw_array+417>: setne %dil
0x4d0b2d <d2ulaw_array+421>: mov %rax,%rsi

crash_case.tar.gz
usage: ./sndfile-convert -alaw(-ulaw) crash_case 1.raw

@my123px

This comment has been minimized.

Copy link
Author

commented Dec 7, 2017

A similar threat seems to have appeared in 1.0.28, but not well-fixed in 1.0.29pre1

@carnil

This comment has been minimized.

Copy link

commented Dec 7, 2017

CVE-2017-17456 and CVE-2017-17457 were assigned for those two issues

@evpobr evpobr added the Bug label Nov 23, 2018

hlef added a commit to hlef/libsndfile that referenced this issue Dec 14, 2018

a/ulaw: fix multiple buffer overflows
i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.

In this case round - INT_MIN to INT_MAX and proceed as usual.

f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.

In this case, arbitrarily set the buffer value to 0.

This commit fixes erikd#429 (CVE-2018-19661 and CVE-2018-19662) and
fixes erikd#344 (CVE-2017-17456 and CVE-2017-17457).

hlef added a commit to hlef/libsndfile that referenced this issue Dec 15, 2018

a/ulaw: fix multiple buffer overflows
i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.

In this case round - INT_MIN to INT_MAX and proceed as usual.

f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.

In this case, arbitrarily set the buffer value to 0.

This commit fixes erikd#429 (CVE-2018-19661 and CVE-2018-19662) and
fixes erikd#344 (CVE-2017-17456 and CVE-2017-17457).
@hlef

This comment has been minimized.

Copy link
Contributor

commented Dec 19, 2018

OK, this issue is identical to #317.

Rationale:

both issues share the exact same crash path.

CVE-2017-17457 (#344):

[...]
Program received signal SIGSEGV, Segmentation fault.
0x0000000000485b74 in d2alaw_array ()
(gdb) bt
#0 0x00000000004d0b24 in d2ulaw_array ()
#1 0x00000000004d1811 in ulaw_write_d2ulaw ()
#2 0x0000000000417668 in sf_writef_double ()
#3 0x0000000000403610 in sfe_copy_data_fp ()
#4 0x0000000000402fd3 in main ()
[...]

CVE-2017-14246 (#317):

[...]
Program received signal SIGSEGV, Segmentation fault.
0x0000000000453781 in d2ulaw_array (...) at ulaw.c:853
(gdb) bt
#0 0x0000000000453781 in d2ulaw_array (...) at ulaw.c:853
#1 0x0000000000453e89 in ulaw_write_d2ulaw (...) at ulaw.c:1041
#2 0x0000000000409a7c in sf_writef_double (...) at sndfile.c:2570
#3 0x00000000004024a1 in sfe_copy_data_fp (...) at common.c:79
#4 0x0000000000402122 in main (...) at sndfile-convert.c:338
[...]

Further debugging shows that the root issue is identical as well: NaN and Infinity values are passed to the d2ulaw_array function which uses these numbers as index to access an array, leading to OOB read.

I have notified the MITRE team for CVE update.

@evpobr

This comment has been minimized.

Copy link
Collaborator

commented Dec 19, 2018

Duplicate of #317

@evpobr evpobr marked this as a duplicate of #317 Dec 19, 2018

@evpobr evpobr added the duplicate label Dec 19, 2018

hlef added a commit to hlef/libsndfile that referenced this issue Dec 23, 2018

a/ulaw: fix multiple buffer overflows
i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.

In this case round - INT_MIN to INT_MAX and proceed as usual.

f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.

In this case, arbitrarily set the buffer value to 0.

This commit fixes erikd#429 (CVE-2018-19661 and CVE-2018-19662) and
fixes erikd#344 (CVE-2017-17456 and CVE-2017-17457).

@erikd erikd closed this in 8ddc442 Dec 24, 2018

erikd added a commit that referenced this issue Jan 1, 2019

a/ulaw: fix multiple buffer overflows (#432)
i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.

In this case round - INT_MIN to INT_MAX and proceed as usual.

f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.

In this case, arbitrarily set the buffer value to 0.

This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
fixes #344 (CVE-2017-17456 and CVE-2017-17457).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.