security/libwav/

SEGV in function apply_gain in wav_gain.c (CVE-2018-14052)

I used Clang 6.0 and AddressSanitizer to build libwav. This file can cause a SEGV signal in the function apply_gain when running wav_gain in the folder tools/wav_gain with the following command:

./wav_gain wav_gain__crash__SEGV_apply_gain 1.wav

This is the ASAN information:

LibWAV v. 0.0.1 A (c) 2016 - 2017 Marc Volker Dickmann

AddressSanitizer:DEADLYSIGNAL
=================================================================
==22143==ERROR: AddressSanitizer: SEGV on unknown address 0x00005d5dd1d4 (pc 0x000000518934 bp 0x7ffd5b957f40 sp 0x7ffd5b957e40 T0)
==22143==The signal is caused by a WRITE memory access.
    #0 0x518933 in apply_gain /home/fouzhe/my_fuzz/libwav/tools/wav_gain/wav_gain.c:11:20
    #1 0x518933 in gain_file /home/fouzhe/my_fuzz/libwav/tools/wav_gain/wav_gain.c:26
    #2 0x518933 in main /home/fouzhe/my_fuzz/libwav/tools/wav_gain/wav_gain.c:43
    #3 0x7f3b4c60582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x419f08 in _start (/home/fouzhe/my_fuzz/libwav/tools/wav_gain/wav_gain+0x419f08)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fouzhe/my_fuzz/libwav/tools/wav_gain/wav_gain.c:11:20 in apply_gain
==22143==ABORTING

SEGV in function wrap_free in libwav.c (CVE-2018-14050)

I used Clang 6.0 and AddressSanitizer to build libwav. This file can cause a SEGV signal in the function wrap_free when running wav_gain in the folder tools/wav_gain with the following command:

./wav_gain wav_gain__crash__SEGV_gain_file 1.wav

This is the ASAN information:

LibWAV v. 0.0.1 A (c) 2016 - 2017 Marc Volker Dickmann

ASAN:DEADLYSIGNAL
=================================================================
==89112==ERROR: AddressSanitizer: SEGV on unknown address 0x0000ff564147 (pc 0x0001060e8809 bp 0x7fff59b24ee0 sp 0x7fff59b24eb0 T0)
==89112==The signal is caused by a WRITE memory access.
    #0 0x1060e8808 in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x3808)
    #1 0x10613e130 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59130)
    #2 0x1060db8fc in wav_free libwav.c:196
    #3 0x1060dc54f in gain_file wav_gain.c:33
    #4 0x1060dc3b2 in main wav_gain.c:43
    #5 0x7fff8bb96234 in start (libdyld.dylib:x86_64+0x5234)

==89112==Register values:
rax = 0x0000000000000002  rbx = 0x00000000ff564157  rcx = 0x00007fff59b24f03  rdx = 0x0000000000000000
rdi = 0x00000000ff564157  rsi = 0x00000000ff564157  rbp = 0x00007fff59b24ee0  rsp = 0x00007fff59b24eb0
 r8 = 0x0000000000000001   r9 = 0x000000000000001e  r10 = 0x000000000000002e  r11 = 0x000000010613dfa0
r12 = 0x00000000ff564147  r13 = 0x0000000000000000  r14 = 0x00007fff59b24f08  r15 = 0x0000000000000001
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x3808) in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
==89112==ABORTING
Abort trap: 6

Infinite loop in wav_read in libwav.c (CVE-2018-14051)

I used Clang 6.0 and AddressSanitizer to build libwav. This file can cause an infinite loop in the function wav_read when running wav_gain in the folder tools/wav_gain with the following command:

./wav_gain wav_gain__crash__infinite_loop 1.wav

Here is the gdb information:

(gdb) bt
#0  0x00007ffff6ba7447 in lseek64 () at ../sysdeps/unix/syscall-template.S:84
#1  0x00007ffff6b18571 in _IO_new_file_seekoff (fp=0x61600000fc80, offset=<optimized out>, dir=1, mode=<optimized out>) at fileops.c:1118
#2  0x00007ffff6b15f79 in __GI_fseek (fp=0x61600000fc80, offset=<optimized out>, whence=<optimized out>) at fseek.c:36
#3  0x0000000000401e12 in wav_read (wavfile=0x7fffffffe2c0, filename=0x7fffffffe6f1 "wav_gain__crash__infinite_loop") at ../../libwav.c:268
#4  0x0000000000402121 in gain_file (filename=0x7fffffffe6f1 "wav_gain__crash__infinite_loop", filename_out=0x7fffffffe710 "1.wav") at wav_gain.c:20
#5  0x0000000000402275 in main (argc=3, argv=0x7fffffffe448) at wav_gain.c:43

The infinite loop is caused by this loop in wav_read. Its only exit condition is feof(), but the default branch calls fseek() with the untrusted chunk_size, and a successful fseek() (a seek past the end of a regular file still succeeds) clears the end-of-file indicator. Once a crafted unknown chunk sends the loop into that branch, feof() never becomes true and the loop never terminates:

	while (!feof (f))
	{
		wav_chunk_read (&chunk, f);
		
		switch (chunk.chunk_id.hash)
		{
			case WAV_CHUNKID_FORMAT:
				wavfile->format = chunk.content.format;
				break;
			case WAV_CHUNKID_DATA:
				wavfile->datablocks = chunk.chunk_size / sizeof (int);
				wavfile->data = chunk.content.data;
				fclose (f);
				return WAV_OK;
			default:
				// NOTE: Unknown chunk!
				fseek (f, chunk.chunk_size, SEEK_CUR);
				break;
		}
	}
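The loop above trusts chunk_size for the seek and trusts feof() to stop it. An added example (this is not libwav's code; the walker, the WALK_* codes and the two byte images are constructed for illustration) tracks an explicit offset against the real file size, so an oversized or negative chunk_size is rejected with an error instead of driving fseek() past the end of the file:

```c
/* Added example: a bounds-checked RIFF chunk walk. Not libwav's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    WALK_OK = 0,        /* "data" chunk located */
    WALK_ERR_IO = 1,    /* short read or seek failure */
    WALK_ERR_TRUNC = 2, /* chunk_size runs past the end of the file */
    WALK_ERR_NODATA = 3 /* reached EOF without a "data" chunk */
};

/* Read a little-endian u32 without relying on host byte order. */
static int read_u32le(FILE *f, uint32_t *out)
{
    unsigned char b[4];
    if (fread(b, 1, 4, f) != 4)
        return 0;
    *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return 1;
}

/*
 * Walk the chunks that follow the 12-byte "RIFF<size>WAVE" header.
 * Progress is an explicit byte offset checked against file_size, so a
 * bogus chunk_size can never move the stream past EOF (where a
 * successful fseek() would clear feof() and the loop would spin).
 */
int walk_chunks(FILE *f, long file_size, uint32_t *data_size)
{
    long pos = 12;
    if (file_size < pos || fseek(f, pos, SEEK_SET) != 0)
        return WALK_ERR_IO;

    while (file_size - pos >= 8) {          /* room for id + size */
        char id[4];
        uint32_t size;
        if (fread(id, 1, 4, f) != 4 || !read_u32le(f, &size))
            return WALK_ERR_IO;
        pos += 8;

        if (size > (uint32_t)(file_size - pos))
            return WALK_ERR_TRUNC;          /* chunk does not fit in the file */

        if (memcmp(id, "data", 4) == 0) {
            if (data_size != NULL)
                *data_size = size;
            return WALK_OK;
        }

        /* Unknown chunk: skip it by absolute offset, never by SEEK_CUR on raw input. */
        pos += (long)size + (size & 1);     /* RIFF pads odd-sized chunks by one byte */
        if (fseek(f, pos, SEEK_SET) != 0)
            return WALK_ERR_IO;
    }
    return WALK_ERR_NODATA;
}

/* Constructed sample: header, a 4-byte "junk" chunk, then an 8-byte "data" chunk. */
static const unsigned char WELL_FORMED[] = {
    'R','I','F','F', 32,0,0,0, 'W','A','V','E',
    'j','u','n','k', 4,0,0,0, 0xAA,0xBB,0xCC,0xDD,
    'd','a','t','a', 8,0,0,0, 1,2,3,4,5,6,7,8
};

/* Constructed sample: the "junk" chunk claims 0xFFFFFFF0 bytes that do not exist. */
static const unsigned char OVERSIZED[] = {
    'R','I','F','F', 16,0,0,0, 'W','A','V','E',
    'j','u','n','k', 0xF0,0xFF,0xFF,0xFF, 0xAA,0xBB,0xCC,0xDD
};

/* Load a byte image into a temporary FILE* (tmpfile() is standard C). */
static FILE *file_from_bytes(const unsigned char *buf, size_t len)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    if (fwrite(buf, 1, len, f) != len || fseek(f, 0, SEEK_SET) != 0) {
        fclose(f);
        return NULL;
    }
    return f;
}

/* Run the walker over one of the constructed images; returns a WALK_* code. */
int walk_sample(int oversized, uint32_t *data_size)
{
    const unsigned char *buf = oversized ? OVERSIZED : WELL_FORMED;
    size_t len = oversized ? sizeof OVERSIZED : sizeof WELL_FORMED;
    FILE *f = file_from_bytes(buf, len);
    if (f == NULL)
        return WALK_ERR_IO;
    int rc = walk_chunks(f, (long)len, data_size);
    fclose(f);
    return rc;
}

/* Data chunk size of the well-formed sample, or -1 on error. */
long well_formed_data_size(void)
{
    uint32_t n = 0;
    return walk_sample(0, &n) == WALK_OK ? (long)n : -1;
}

int main(void)
{
    printf("well-formed: rc=%d data_size=%ld\n", walk_sample(0, NULL), well_formed_data_size());
    printf("oversized:   rc=%d\n", walk_sample(1, NULL));
    return 0;
}
```

The well-formed image yields WALK_OK with an 8-byte data chunk; the oversized image is rejected with WALK_ERR_TRUNC at the "junk" chunk instead of seeking 0xFFFFFFF0 bytes forward. The same check also catches a "data" chunk whose size exceeds the bytes actually present, which is the value the original loop later uses to size its read.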

SEGV in function print_info in wav_info.c (CVE-2018-14049)

I used Clang 6.0 and AddressSanitizer to build libwav. This file can cause a SEGV signal in the function print_info when running wav_info in the folder tools/wav_info with the following command:

./wav_info ./wav_info__crash__print_info

This is the ASAN information:

LibWAV v. 0.0.1 A (c) 2016 - 2017 Marc Volker Dickmann

Riff Type:	��
Format:		0
Channels:	0
Samplerate:	5344226
Bytespersec:	0
Blockalign:	640
Bitwidth:	47712
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32370==ERROR: AddressSanitizer: SEGV on unknown address 0x000026007fef (pc 0x000000424c5f bp 0x7ffcba5ff820 sp 0x7ffcba5ff7c0 T0)
==32370==The signal is caused by a WRITE memory access.
    #0 0x424c5e in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order) /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x424c5e in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:540
    #2 0x424c5e in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:617
    #3 0x424c5e in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:847
    #4 0x4ddf53 in __interceptor_cfree.localalias.0 /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #5 0x518a82 in print_info /home/fouzhe/my_fuzz/libwav/tools/wav_info/wav_info.c:18:2
    #6 0x518a82 in main /home/fouzhe/my_fuzz/libwav/tools/wav_info/wav_info.c:28
    #7 0x7fb30338e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x419f08 in _start (/home/fouzhe/my_fuzz/libwav/tools/wav_info/wav_info+0x419f08)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order)
==32370==ABORTING

SEGV in function wav_write in libwav.c (CVE-2018-14549)

I used Clang 6.0 and AddressSanitizer to build libwav. This file can cause a SEGV signal in the function wav_write in libwav.c when running wav_gain in the folder tools/wav_gain with the following command:

./wav_gain wav_gain__crash__wav_write 1.wav

This is the ASAN information:

LibWAV v. 0.0.1 A (c) 2016 - 2017 Marc Volker Dickmann

AddressSanitizer:DEADLYSIGNAL
=================================================================
==32413==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004fffc0 bp 0x000000000000 sp 0x7fffefa377d0 T0)
==32413==The signal is caused by a READ memory access.
==32413==Hint: address points to the zero page.
    #0 0x4fffbf in __sanitizer::StackDepotPut(__sanitizer::StackTrace) /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_stackdepotbase.h:65
    #1 0x42324b in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:496
    #2 0x423f46 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:856
    #3 0x4de114 in __interceptor_malloc /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:89
    #4 0x7f9ea1723cdc  (/lib/x86_64-linux-gnu/libc.so.6+0x6dcdc)
    #5 0x49627a in __interceptor_fopen /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5528
    #6 0x51719d in wav_write /home/fouzhe/my_fuzz/libwav/tools/wav_gain/../../libwav.c:202:12
    #7 0x518b10 in gain_file /home/fouzhe/my_fuzz/libwav/tools/wav_gain/wav_gain.c:28:6
    #8 0x518b10 in main /home/fouzhe/my_fuzz/libwav/tools/wav_gain/wav_gain.c:43
    #9 0x7f9ea16d682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x419f08 in _start (/home/fouzhe/my_fuzz/libwav/tools/wav_gain/wav_gain+0x419f08)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_stackdepotbase.h:65 in __sanitizer::StackDepotPut(__sanitizer::StackTrace)
==32413==ABORTING