New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

global-buffer-overflow in the function i2alaw_array and i2ulaw_array #429

Open
YourButterfly opened this Issue Nov 27, 2018 · 3 comments

Comments

Projects
None yet
3 participants
@YourButterfly

YourButterfly commented Nov 27, 2018

version

  • libsndfile: Version released 1.0.28
  • libsndfile-1.0.29pre1.

description

An issue was discovered in libsndfile 1.0.28. There is a global-buffer-overflow at the function i2alaw_array and i2ulaw_array, will lead to a denial of service or the others.
similar this issue but occur at the function i2alaw_array and i2ulaw_array.

target

./sndfile-convert -alaw  poc out.raw
./sndfile-convert -ulaw  poc out.raw

ASAN report

=================================================================
==25251==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f259292a260 at pc 0x7f259289fdda bp 0x7ffc0e3efe50 sp 0x7ffc0e3efe48
READ of size 1 at 0x7f259292a260 thread T0
    #0 0x7f259289fdd9 in i2alaw_array /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/alaw.c:332:28
    #1 0x7f259289fdd9 in alaw_write_i2alaw /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/alaw.c:488
    #2 0x7f259276ebd2 in sf_writef_int /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/sndfile.c:2328:10
    #3 0x507211 in sfe_copy_data_int /home/pwd/fuzz/fuzz-wavpack/libsndfile/programs/common.c:88:3
    #4 0x5065d3 in main /home/pwd/fuzz/fuzz-wavpack/libsndfile/programs/sndfile-convert.c:352:3
    #5 0x7f2591763b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a349 in _start (/home/pwd/fuzz/fuzz-wavpack/libsndfile/installed-asan/bin/sndfile-convert+0x41a349)

0x7f259292a260 is located 927 bytes to the right of global variable 'ulaw_encode' defined in 'src/ulaw.c:107:15' (0x7f2592927ec0) of size 8193
SUMMARY: AddressSanitizer: global-buffer-overflow /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/alaw.c:332:28 in i2alaw_array
Shadow bytes around the buggy address:
  0x0fe53251d3f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe53251d400: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe53251d410: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe53251d420: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe53251d430: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0fe53251d440: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9
  0x0fe53251d450: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe53251d460: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe53251d470: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe53251d480: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe53251d490: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25251==ABORTING

and

=================================================================
==25248==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f714254dec0 at pc 0x7f71424c539a bp 0x7ffcd08c2370 sp 0x7ffcd08c2368
READ of size 1 at 0x7f714254dec0 thread T0
    #0 0x7f71424c5399 in i2ulaw_array /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/ulaw.c:833:28
    #1 0x7f71424c5399 in ulaw_write_i2ulaw /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/ulaw.c:989
    #2 0x7f7142396bd2 in sf_writef_int /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/sndfile.c:2328:10
    #3 0x507211 in sfe_copy_data_int /home/pwd/fuzz/fuzz-wavpack/libsndfile/programs/common.c:88:3
    #4 0x5065d3 in main /home/pwd/fuzz/fuzz-wavpack/libsndfile/programs/sndfile-convert.c:352:3
    #5 0x7f714138bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a349 in _start (/home/pwd/fuzz/fuzz-wavpack/libsndfile/installed-asan/bin/sndfile-convert+0x41a349)

0x7f714254dec0 is located 32 bytes to the left of global variable '<string literal>' defined in 'src/command.c:47:3' (0x7f714254dee0) of size 26
  '<string literal>' is ascii string 'AU (Sun/Next 8-bit u-law)'
0x7f714254dec0 is located 29 bytes to the right of global variable '<string literal>' defined in 'src/command.c:43:31' (0x7f714254dea0) of size 3
  '<string literal>' is ascii string 'au'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/ulaw.c:833:28 in i2ulaw_array
Shadow bytes around the buggy address:
  0x0feea84a1b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feea84a1b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feea84a1ba0: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 05 f9 f9 f9
  0x0feea84a1bb0: f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9 05 f9 f9 f9
  0x0feea84a1bc0: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 00 00 00 01
=>0x0feea84a1bd0: f9 f9 f9 f9 03 f9 f9 f9[f9]f9 f9 f9 00 00 00 02
  0x0feea84a1be0: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0feea84a1bf0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 04 f9 f9
  0x0feea84a1c00: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 07 f9
  0x0feea84a1c10: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 05
  0x0feea84a1c20: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25248==ABORTING

poc.tar.gz

@msmeissn

This comment has been minimized.

msmeissn commented Nov 30, 2018

isnt this similar to CVE-2017-17456 and CVE-2017-17457

@hlef

This comment has been minimized.

hlef commented Dec 9, 2018

Regarding the ulaw issue:

i2ulaw_array (const int *ptr, int count, unsigned char *buffer)

i2ulaw_array fills buffer with encoded values from ptr. The encoding works by doing something like

buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)]

meaning that we have to make sure ptr [count] >= 0.

If ptr [count] < 0 we do

buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)]

but in this case ptr [count] = -2147483648 so - ptr [count] is UB and we perform OOB read.

A trivial patch would be something like

diff --git a/src/ulaw.c b/src/ulaw.c
index e50b4cb5..7134e561 100644
--- a/src/ulaw.c
+++ b/src/ulaw.c
@@ -830,7 +830,7 @@ i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
        {       if (ptr [count] >= 0)
                        buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
                else
-                       buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
+                       buffer [count] = 0x7F & ulaw_encode [- (unsigned int) ptr [count] >> (16 + 2)] ;
                } ;
 } /* i2ulaw_array */

I'll investigate further and submit a PR when ready.

@hlef

This comment has been minimized.

hlef commented Dec 9, 2018

FTR: CVE-2017-17456 and CVE-2017-17457 (issue #344) are very similar (same bug with abs(-2147483648)) but not duplicates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment