[Debian-astro-maintainers] Bug#1087911: Memory leaks in dcraw
Ajin Deepak
ajindeepak0007 at gmail.com
Wed Nov 20 05:28:49 GMT 2024
Package: dcraw
Version: 9.28-7
Found a memory leak in the latest version of dcraw.
Here is a transcript:
osboxes at osboxes:~/Desktop$ dcraw -g 2.2 1.0 -b 1.2 -j leak
fseek(0x5a1841ba9430, -2145648639,0): Invalid argument
osboxes at osboxes:~/Desktop$
For reference:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=memory+leak
Impact:
Memory leaks can create vulnerabilities. Attackers might exploit them
to degrade service (denial of service attacks) or infer information
about memory layouts, aiding other exploits.
These also affect previous versions.
Tested machine and version:
osboxes at osboxes:~/Desktop$ uname -a
Linux osboxes 6.8.0-49-generic #49-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 4 02:06:24 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
osboxes at osboxes:~/Desktop$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
osboxes at osboxes:~/Desktop$ sudo dpkg -l | grep -i dcraw
ii dcraw 9.28-7 amd64 decode raw digital camera images
osboxes at osboxes:~/Desktop$
How to reproduce:
Use the file attached with dcraw
dcraw -g 2.2 1.0 -b 1.2 -j leak
Reproducing using msan and afl:
Compiling using AFL and MemorySanitizer:
~/Desktop/AFL/AFLplusplus/afl-clang-lto -fsanitize=memory,undefined -o dcraw -O4 dcraw.c -lm -DNODEPS
Fuzzing :
/home/fuzzing-android/Desktop/AFL/AFLplusplus/afl-fuzz -m none -i in/ -o out/ -S slave3 -- ./dcraw -g 2.2 1.0 -b 1.2 -j @@
Reproducing:
fuzzing-android at fuzzingandroid:~/Desktop/dcraw_latest/dcraw_9.28.orig$
./dcraw out/master/crashes.2024-11-20-05\:00\:07/id\:000034\,sig\:06\,src\:000466\,time\:3816438\,execs\:137174\,op\:havoc\,rep\:17
dcraw.c:315:17: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dcraw.c:315:17 in
dcraw.c:313:49: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dcraw.c:313:49 in
Uninitialized bytes in __interceptor_strncmp at offset 0 inside [0x7ffcff567c80, 1)
==334245==WARNING: MemorySanitizer: use-of-uninitialized-value
==334245==WARNING: external symbolizer didn't start up correctly!
fuzzing-android at fuzzingandroid:~/Desktop/dcraw_latest/dcraw_9.28.orig$
The compiled program and crashes are uploaded in tar file:
dcraw.tar
<https://drive.google.com/file/d/1KYsHpkPv6CUfnwxapPzxO4g3Gy8Eih_y/view?usp=drive_web>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: leak
Type: application/octet-stream
Size: 949 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-astro-maintainers/attachments/20241120/13033196/attachment-0001.obj>
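Editor's note on the sanitizer output above, with an added example that is not dcraw's code and not the reporter's. The two UBSan lines say that a byte (255 and 128) is being shifted left by 24 places while it has type int: a byte promoted to int and shifted by 24 overflows as soon as the byte is 0x80 or larger. The assumption here is that dcraw.c:313 and :315 are the byte-order-selected 4-byte field read (one branch for 0x4949 "II" little-endian, one for "MM" big-endian); the example below reproduces that pattern generically rather than quoting dcraw. Note also that the fseek() offset in the transcript, -2145648639, is exactly the two's-complement reading of 0x801C0001, a big-endian field whose first byte is 0x80, the same byte value UBSan reports at dcraw.c:313. That is consistent with the field going through an int before reaching fseek(), but it is an inference from the transcript, not something checked against the source. The function names, the 0x80 0x1C 0x00 0x01 sample bytes and the 949-byte file length (taken from the attachment size) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not dcraw's code. Shows the shift pattern UBSan flags in the
 * report, the well-defined unsigned form, and the range check an untrusted
 * offset needs before fseek(). All names are hypothetical. */

/* The pattern the report's UBSan lines describe: s[0] is promoted to int and
 * int << 24 is undefined for any byte >= 0x80 (the report shows 128 and 255).
 * Kept only for contrast with the safe version below; never call it. */
int be32_read_unsafe(const unsigned char *s)
{
    return s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3];
}

/* Well-defined replacement: widen each byte to uint32_t before shifting. */
uint32_t be32_read(const unsigned char *s)
{
    return (uint32_t)s[0] << 24 | (uint32_t)s[1] << 16 |
           (uint32_t)s[2] << 8  | (uint32_t)s[3];
}

uint32_t le32_read(const unsigned char *s)
{
    return (uint32_t)s[3] << 24 | (uint32_t)s[2] << 16 |
           (uint32_t)s[1] << 8  | (uint32_t)s[0];
}

/* Byte-order-selected read, following the TIFF marker convention
 * (0x4949 "II" = little-endian, anything else treated as big-endian). */
uint32_t read_u32(uint16_t order, const unsigned char *s)
{
    return order == 0x4949 ? le32_read(s) : be32_read(s);
}

/* Reinterpret the 32-bit pattern as a signed int, which is what a value that
 * passes through an int variable becomes. memcpy keeps this itself defined. */
int32_t as_int32(uint32_t v)
{
    int32_t r;
    memcpy(&r, &v, sizeof r);
    return r;
}

/* An offset taken from an untrusted header must be range-checked against the
 * file before it reaches fseek(). Returns 0 and stores a usable offset, or -1
 * when the 32-bit value points outside the file. */
int checked_offset(uint32_t off, long file_len, long *out)
{
    if (file_len < 0 || (unsigned long)off > (unsigned long)file_len)
        return -1;
    *out = (long)off;
    return 0;
}

int main(void)
{
    /* Constructed header bytes. Read big-endian they are 0x801C0001
     * (2149318657); the same bits as int32 are -2145648639, the offset in
     * the fseek() error the report shows. */
    const unsigned char hdr[4] = { 0x80, 0x1C, 0x00, 0x01 };
    uint32_t v = read_u32(0x4D4D, hdr);
    long off;

    printf("unsigned: %u  as int32: %d\n", v, as_int32(v));
    /* 949 bytes: constructed file length, matching the attachment's size. */
    if (checked_offset(v, 949, &off) != 0)
        printf("offset %u rejected: outside a 949-byte file\n", v);
    return 0;
}
```

Compiling the block with -fsanitize=undefined and calling be32_read_unsafe on the sample bytes reproduces the "left shift of 128 by 24 places" message; be32_read on the same bytes is silent. The range check is the part the sanitizer will not find for you: fseek() happening to reject a negative offset with EINVAL, as in the transcript, is not a substitute for validating header offsets against the file size before use.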