What is the vulnerability?
A null pointer dereference was discovered in abcm2ps (8.14.6-master). It can be triggered by passing a crafted ABC file to the abcm2ps binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.
Synopsis-: We discovered a null pointer dereference in sym_new() at music.c:3171. s->ts_prev->type is not validated; because s->ts_prev is not checked before use, a null pointer dereference occurs.
Vulnerable code-:
/* music.c:3171 (see the GDB source listing below): the NULL test on
 * s->ts_prev comes one line after s->ts_prev->ts_next = s at music.c:3170
 * has already dereferenced it (Valgrind reports the invalid write there). */
if (!s->ts_prev || s->ts_prev->type != type)
    s->sflags |= S_SEQST;
last_s->ts_prev = s;
if (last_s->type == type && s->voice != last_s->voice) {
    last_s->sflags &= ~S_SEQST;
    last_s->shrink = 0;
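The following is an added example, not code from abcm2ps or from the report: a minimal model of the time-ordered ts_prev/ts_next chain that sym_new() maintains, with the reported ordering (dereference at 3170, NULL test at 3171) next to a version that tests the pointer first. The struct layout, field names and the link_before_* function names are simplified assumptions made for this example; S_SEQST is reduced to a single bit. The unchecked variant is only ever called with a real predecessor, since calling it on a head-of-chain symbol would reproduce the crash.

```c
/* Added example, not abcm2ps code. Struct, field and function names are
 * simplified assumptions modelled on the music.c:3168-3176 listing. */
#include <stddef.h>
#include <stdio.h>

#define S_SEQST 0x01u   /* assumption: one flag bit is enough for the demo */

struct sym {
    struct sym *ts_prev;   /* previous symbol in time order (NULL at head) */
    struct sym *ts_next;   /* next symbol in time order */
    int type;
    int voice;
    unsigned sflags;
    int shrink;
};

/* Order of operations as in the reported code: ts_prev is written through
 * (s->ts_prev->ts_next = s) before the NULL test on the next line, so when
 * last_s is the first symbol in time order this is a write through NULL.
 * Never call with last_s->ts_prev == NULL. */
static void link_before_unchecked(struct sym *s, struct sym *last_s, int type)
{
    s->ts_next = last_s;
    s->ts_prev = last_s->ts_prev;
    s->ts_prev->ts_next = s;                         /* use ...            */
    if (!s->ts_prev || s->ts_prev->type != type)     /* ... then check     */
        s->sflags |= S_SEQST;
    last_s->ts_prev = s;
    if (last_s->type == type && s->voice != last_s->voice) {
        last_s->sflags &= ~S_SEQST;
        last_s->shrink = 0;
    }
}

/* Hardened ordering: check the pointer before using it. A symbol inserted
 * at the head of the chain has no predecessor to back-link, and the
 * existing "!s->ts_prev" test already marks it as a sequence start. */
static void link_before_checked(struct sym *s, struct sym *last_s, int type)
{
    s->ts_next = last_s;
    s->ts_prev = last_s->ts_prev;
    if (s->ts_prev)                                  /* check ...          */
        s->ts_prev->ts_next = s;                     /* ... then use       */
    if (!s->ts_prev || s->ts_prev->type != type)
        s->sflags |= S_SEQST;
    last_s->ts_prev = s;
    if (last_s->type == type && s->voice != last_s->voice) {
        last_s->sflags &= ~S_SEQST;
        last_s->shrink = 0;
    }
}

/* Insert before a head-of-chain symbol (ts_prev == NULL), the case that
 * crashes the unchecked version. Returns 1 if the chain is consistent,
 * S_SEQST is set on the new symbol and cleared on last_s. */
int demo_insert_at_head(void)
{
    struct sym head = { .type = 6, .voice = 0, .sflags = S_SEQST, .shrink = 5 };
    struct sym s = { .type = 6, .voice = 1 };

    link_before_checked(&s, &head, 6);
    return s.ts_prev == NULL && s.ts_next == &head && head.ts_prev == &s
        && (s.sflags & S_SEQST) != 0 && (head.sflags & S_SEQST) == 0
        && head.shrink == 0;
}

/* With a real predecessor both orderings behave identically. s1 follows a
 * symbol of a different type (S_SEQST set), s2 follows one of the same type
 * (S_SEQST clear). Returns 1 if both chains are consistent. */
int demo_insert_in_middle(void)
{
    struct sym a = { .type = 3 }, b = { .type = 6 };
    struct sym c = { .type = 6 }, d = { .type = 6 };
    struct sym s1 = { .type = 6 }, s2 = { .type = 6 };

    a.ts_next = &b; b.ts_prev = &a;
    c.ts_next = &d; d.ts_prev = &c;
    link_before_unchecked(&s1, &b, 6);
    link_before_checked(&s2, &d, 6);
    return a.ts_next == &s1 && s1.ts_prev == &a && b.ts_prev == &s1
        && c.ts_next == &s2 && s2.ts_prev == &c && d.ts_prev == &s2
        && (s1.sflags & S_SEQST) != 0 && (s2.sflags & S_SEQST) == 0;
}

int main(void)
{
    printf("head insert consistent:   %d\n", demo_insert_at_head());
    printf("middle insert consistent: %d\n", demo_insert_in_middle());
    return 0;
}
```

The fix is purely a reordering: the NULL test the code already performs at 3171 has to come before the back-link write, not after it. Compiling the model with -fsanitize=address or running it under Valgrind while calling the unchecked variant on a head symbol reproduces the "Invalid write of size 8" the report shows.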
Debug-:
GDB-:
abcm2ps-8.14.6 (2019-11-05)
File NPD1
NPD1: error: Bad character
17 [C8E8]|zE FG- GEC2|[B,3E3][B,D]- [B,4D4]|zD EF- FED|D8|
^
NPD1: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1: error: Chord not closed
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1: error: Bad character 'o'
NPD1: error: Bad character 'n'
NPD1: error: Bad character 'i'
NPD1: error: Bad character 'p'
NPD1: error: Bad character 'r'
NPD1: error: Bad character 'o'
NPD1: error: Bad character 't'
NPD1: error: Bad character 'n'
NPD1: error: Bad character 'o'
NPD1: error: Voice '2' of %%staves has no symbol
NPD1: error: Bad character 'i'
NPD1: error: Bad character 't'
NPD1: error: Bad character 'i'
NPD1: warning: Line overfull (664pt of 652pt)
NPD1: error: Bad tie
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x400
$rbx : 0x0000555555981b30 → 0x0000555555981d88 → 0x0000555555981fe0 → 0x0000555555982240 → 0x00005555559824a0 → 0x00005555559826f8 → 0x0000555555982958 → 0x0000555555982ba8
$rcx : 0x0000555555982958 → 0x0000555555982ba8 → 0x0000555555982e00 → 0x0000555555983058 → 0x00005555559832b0 → 0x0000555555983500 → 0x0000555555983750 → 0x00005555559839a0
$rdx : 0x0000555555943300 → 0x0000000000004852 ("RH"?)
$rsp : 0x00007fffffffdc20 → 0x0000555555943700 → 0x0000000000000031 ("1"?)
$rbp : 0x6
$rsi : 0x2
$rdi : 0x0000555555970890 → 0x0000000000000000
$rip : 0x000055555564e815 → <sym_new+341> movzx edi, BYTE PTR [r12+0x39]
$r8 : 0x0000555555970640 → 0x0000000000000000
$r9 : 0x0
$r10 : 0x1e00
$r11 : 0x000055555598d958 → 0x0000000000000000
$r12 : 0x0
$r13 : 0xff000000ff
$r14 : 0x0000555555943300 → 0x0000000000004852 ("RH"?)
$r15 : 0x0000555555981b30 → 0x0000555555981d88 → 0x0000555555981fe0 → 0x0000555555982240 → 0x00005555559824a0 → 0x00005555559826f8 → 0x0000555555982958 → 0x0000555555982ba8
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffdc20│+0x0000: 0x0000555555943700 → 0x0000000000000031 ("1"?) ← $rsp
0x00007fffffffdc28│+0x0008: 0x0000000000000000
0x00007fffffffdc30│+0x0010: 0x0000000000000002
0x00007fffffffdc38│+0x0018: 0x000055555567e570 → <output_music+61712> movdqu xmm8, XMMWORD PTR [rbx+0x80]
0x00007fffffffdc40│+0x0020: 0x0000000100000000
0x00007fffffffdc48│+0x0028: 0x0000000300000002
0x00007fffffffdc50│+0x0030: 0x00007fffffffdfc0 → 0x0101010101010100
0x00007fffffffdc58│+0x0038: 0x0000555500000001
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x55555564e809 <sym_new+329> mov r12, QWORD PTR [rbx+0x28]
0x55555564e80d <sym_new+333> mov QWORD PTR [r8+0x20], rbx
0x55555564e811 <sym_new+337> mov QWORD PTR [r8+0x28], r12
→ 0x55555564e815 <sym_new+341> movzx edi, BYTE PTR [r12+0x39]
0x55555564e81b <sym_new+347> mov QWORD PTR [r12+0x20], r8
0x55555564e820 <sym_new+352> cmp edi, ebp
0x55555564e822 <sym_new+354> je 0x55555564e864 <sym_new+420>
0x55555564e824 <sym_new+356> lea rsp, [rsp-0x98]
0x55555564e82c <sym_new+364> mov QWORD PTR [rsp], rdx
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:music.c+3171 ────
3166 p_voice->last_sym = s;
3167
3168 s->ts_next = last_s;
3169 s->ts_prev = last_s->ts_prev;
3170 s->ts_prev->ts_next = s;
→ 3171 if (!s->ts_prev || s->ts_prev->type != type)
3172 s->sflags |= S_SEQST;
3173 last_s->ts_prev = s;
3174 if (last_s->type == type && s->voice != last_s->voice) {
3175 last_s->sflags &= ~S_SEQST;
3176 last_s->shrink = 0;
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x55555564e815 → sym_new(type=0x6, p_voice=<optimized out>, last_s=0x555555981b30)
[#1] 0x55555567e570 → init_music_line()
[#2] 0x55555567e570 → set_piece()
[#3] 0x55555567e570 → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x555555579865 → abc_parse(p=0x55555597b620 "", fname=0x5555559511d0 " NPD1", ln=0x20)
[#8] 0x555555633893 → txt_add_eos(linenum=0x20, fname=<optimized out>)
[#9] 0x555555633893 → frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=<optimized out>)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
sym_new (type=type@entry=0x6, p_voice=<optimized out>, p_voice@entry=0x555555943700 <voice_tb+1024>, last_s=last_s@entry=0x555555981b30) at music.c:3171
3171 if (!s->ts_prev || s->ts_prev->type != type)
gef➤ p s->ts_prev
$1 = (struct SYMBOL *) 0x0
gef➤ p s->ts_prev->type
Cannot access memory at address 0x39
gef➤ x s->ts_prev->type
Cannot access memory at address 0x39
gef➤ i r
rax 0x400 0x400
rbx 0x555555981b30 0x555555981b30
rcx 0x555555982958 0x555555982958
rdx 0x555555943300 0x555555943300
rsi 0x2 0x2
rdi 0x555555970890 0x555555970890
rbp 0x6 0x6
rsp 0x7fffffffdc20 0x7fffffffdc20
r8 0x555555970640 0x555555970640
r9 0x0 0x0
r10 0x1e00 0x1e00
r11 0x55555598d958 0x55555598d958
r12 0x0 0x0
r13 0xff000000ff 0xff000000ff
r14 0x555555943300 0x555555943300
r15 0x555555981b30 0x555555981b30
rip 0x55555564e815 0x55555564e815 <sym_new+341>
eflags 0x10202 [ IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
Valgrind-:
abcm2ps-8.14.6 (2019-11-05)
File NPD1
NPD1:17:51: error: Bad character
17 [C8E8]|zE FG- GEC2|[B,3E3][B,D]- [B,4D4]|zD EF- FED|D8|
^
NPD1:20:53: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1:20:60: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1:20:64: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1:20:70: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1:20:48: error: Chord not closed
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
^
NPD1:20:47: error: Bad character 'o'
NPD1:20:47: error: Bad character 'n'
NPD1:20:47: error: Bad character 'i'
NPD1:20:47: error: Bad character 'p'
NPD1:20:47: error: Bad character 'r'
NPD1:20:47: error: Bad character 'o'
NPD1:20:47: error: Bad character 't'
NPD1:20:47: error: Bad character 'n'
NPD1:20:47: error: Bad character 'o'
NPD1:25:0: error: Voice '2' of %%staves has no symbol
NPD1:30:19: error: Bad character 'i'
NPD1:30:19: error: Bad character 't'
NPD1:30:19: error: Bad character 'i'
NPD1:31:38: warning: Line overfull (664pt of 652pt)
NPD1:20:38: error: Bad tie
==16852== Invalid write of size 8
==16852== at 0x131953: sym_new (music.c:3170)
==16852== by 0x13853F: init_music_line (music.c:3293)
==16852== by 0x13853F: set_piece (music.c:4741)
==16852== by 0x13853F: output_music (music.c:5109)
==16852== by 0x13D9C0: generate (parse.c:1041)
==16852== by 0x13DF27: gen_ly (parse.c:1062)
==16852== by 0x143F07: do_tune (parse.c:3635)
==16852== by 0x115B61: abc_parse (abcparse.c:179)
==16852== by 0x12DEE3: txt_add_eos (front.c:379)
==16852== by 0x12E373: frontend (front.c:891)
==16852== by 0x110F1C: treat_file (abcm2ps.c:240)
==16852== by 0x11013B: main (abcm2ps.c:1041)
==16852== Address 0x20 is not stack'd, malloc'd or (recently) free'd
Segmentation fault
Affected version-: 8.14.6-master
Command-: ./abcm2ps $POC
Reproducer file-: Reproducer