-
Notifications
You must be signed in to change notification settings - Fork 278
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2017-17725: exiv2 library: heap-buffer-overflow in Exiv2::getULong (types.cpp) #188
Comments
Thanks for your report. With which version of exiv2 did you try this? The |
@D4N Thanks for reply. |
I'm working on 'master' and unable to reproduced this on Linux/MacOS/Cygwin. Here's my result:
I'm not going to close this issue as it deserves more investigation. I'm currently working on long-term maintenance of our msvc/ and autotools/ and buildserver support. I will add the file poc_3.tiff to our test suite to ensure that this issue does not regress. May I ask you to name give the "poc" files more meaningful/unique names that we can track. For example, add the date (in iso format). poc_2018-12-12 |
Thank you very much for your testing. Did you build exiv2 with Address Sanitizer? Also, I have named the poc with poc_2018-12-12_issue188. Note: please do not use wget to get the file from the URL directly, it will not be the one I uploaded, which will cause the result "Exiv2 exception in print action for file...". Please click the link and press the download button to get the file I submitted in the github. For your convenience, I also uploaded the poc to https://bugzilla.redhat.com/attachment.cgi?id=1366916, which can be get directly by using wget. Thanks again. |
Thanks @youwei1988. I will investigate all your concerns. And thank you for using my file-date suggestion. As I said: this issue as it deserves more investigation I'll build the code as you've suggested. |
Hi, I could reproduce the issue in my Linux box:
I would be happy to work on this issue :) |
@piponazo Happy to accept your offer. I wonder why you've reproduced this and I have not. Puzzling. I'm using the latest MacOS-X + clang. Ubuntu 16.04LTS + GCC 5.something. |
Did you try to do what @youwei1988 suggested ? These are the exact steps I did to reproduce the issue:
|
Note that if you use clang instead of gcc you might need to use other flags. I have been a long time without playing with sanitizers. |
I have been debugging the code and I think I have detected where is the issue. In the file jp2image.cpp line 254 we are reading the Jp2BoxHeader "subBoxes". After reading some subboxes we reach a case where its lenght is 4294967293. Then in lines 270 and 271 we hit the issue. I am not very sure about how to fix the issue. @D4N maybe you can give me some hints about how to fix these issues since you have been fixing many of them lately ;) |
This is the output that I get (after adding the DEBUG compiler definition: #192 ):
|
The problem is two-fold:
I think there are two things that should be done here:
|
I can't remember what a box is either - something in the architecture on the JPEG2000 file format. This is very good work indeed, @D4N. Thanks you very much. May I say something concerning 32bit vs 64bit? There's an overflow detect in tiff visitor_int.cpp about line 1523 that's based on uintptr_t. It's working OK in 64 bits, and not in 32 bits (on MSVC for sure, I haven't tested other platforms). Do you think it's possible to move the overflow detector into a utility function which we can call from different locations. By having the detector in a single function, we can "tune" it for 32/64 bit builds. Gentlemen (@D4N and @piponazo) Thank You very much indeed for all your hard work. Believe me, it is appreciated. |
Coincidentally, I have started just started working on such an overflow detector on Wednesday. I'll make an issue/PR about it soon, since there are some details to discuss about it (especially concerning how we are going to handle failures). |
I think we can close this, or is there anything left to do? |
I have tested the latest version and found this vulnerability has been fixed. Thanks for all your work. |
This has been assigned CVE-2017-17725 |
Description
on exiv2 0.26 (the latest version):
there is a heap-based buffer overflow in the Exiv2::getULong function (src/types.cpp), which can be triggered by crafted tiff file.
Note that this vulnerability is different from CVE-2017-14864 (issue 73), which is a an invalid memory address dereference.
./bin/exiv2 poc_3.tiff
=================================================================
==16413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef73 at pc 0x7f990f1613de bp 0x7ffee8097c30 sp 0x7ffee8097c20
READ of size 4 at 0x60200000ef73 thread T0
#0 0x7f990f1613dd in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) /home/fuzz/exiv2/master/src/types.cpp:246
#1 0x7f990f053d2c in Exiv2::Jp2Image::readMetadata() /home/fuzz/exiv2/master/src/jp2image.cpp:271
#2 0x469742 in Action::Print::printSummary() /home/fuzz/exiv2/master/src/actions.cpp:288
#3 0x46e2e7 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/fuzz/exiv2/master/src/actions.cpp:240
#4 0x40c18b in main /home/fuzz/exiv2/master/src/exiv2.cpp:166
#5 0x7f990e33d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x40cd48 in _start (/home/fuzz/exiv2/master/bin/exiv2+0x40cd48)
0x60200000ef75 is located 0 bytes to the right of 5-byte region [0x60200000ef70,0x60200000ef75)
allocated by thread T0 here:
#0 0x7f990faed6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x7f990f053c49 in Exiv2::DataBuf::DataBuf(long) /home/fuzz/exiv2/master/include/exiv2/types.hpp:206
#2 0x7f990f053c49 in Exiv2::Jp2Image::readMetadata() /home/fuzz/exiv2/master/src/jp2image.cpp:269
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/exiv2/master/src/types.cpp:246 Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder)
Shadow bytes around the buggy address:
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[05]fa
0x0c047fff9df0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fd
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==16413==ABORTING
PoC
PoC: https://github.com/youwei1988/poc/tree/master/exiv2/poc_3.tiff
Author
Credit to Wei You, please contact [email protected] for more details.
The text was updated successfully, but these errors were encountered: