[<prev] [next>] [day] [month] [year] [list]
Message-ID: <189251.155450137-sendEmail@localhost>
Date: Mon, 1 May 2017 11:29:58 +0000
From: "Agostino Sarubbo" <ago@...too.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: libsndfile: global buffer overflow in i2les_array (pcm.c)
Description:
libsndfile is a C library for reading and writing files containing sampled sound.
The complete ASan output of the issue:
# sndfile-convert $FILE out.wav
==27948==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013cd13c at pc 0x7f59caaaaace bp 0x7ffcab360cf0 sp 0x7ffcab360ce8
READ of size 4 at 0x0000013cd13c thread T0
#0 0x7f59caaaaacd in i2les_array /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/pcm.c:670:15
#1 0x7f59caaaaacd in pcm_write_i2les /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/pcm.c:1696
#2 0x7f59ca7bf831 in sf_writef_int /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/sndfile.c:2342:10
#3 0x514b70 in sfe_copy_data_int /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/common.c:88:3
#4 0x5138d1 in main /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/sndfile-convert.c:340:3
#5 0x7f59c974178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#6 0x419e18 in _init (/usr/bin/sndfile-convert+0x419e18)
0x0000013cd13c is located 4092 bytes to the right of global variable 'data' defined in '/tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/common.c:80:14'
(0x13c8140) of size 16384
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/pcm.c:670:15 in i2les_array
Shadow bytes around the buggy address:
0x0000802719d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000802719e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000802719f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000080271a00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000080271a10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x000080271a20: f9 f9 f9 f9 f9 f9 f9[f9]00 00 00 00 00 00 00 00
0x000080271a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080271a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080271a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080271a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080271a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27948==ABORTING
Affected version:
1.0.28
Fixed version:
N/A
Commit fix:
https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-8365
Reproducer:
https://github.com/asarubbo/poc/blob/master/00263-libsndfile-globaloverflow-i2les_array
Timeline:
2017-04-11: bug discovered and reported to upstream
2017-04-12: upstream released a patch
2017-04-29: blog post about the issue
2017-04-30: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-i2les_array-pcm-c/
--
Agostino Sarubbo
Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
