[Pkg-libburnia-devel] Bug#774152: libisofs6: null pointer dereference

Jakub Wilk jwilk at debian.org
Mon Dec 29 15:01:13 UTC 2014

Package: libisofs6
Version: 1.3.2-1.1
Usertags: afl

xorriso crashes trying to read the attached ISO 9660 image:

$ xorriso -signal_handling off -dev crash.iso -ls
xorriso 1.3.2 : RockRidge filesystem manipulator, libburnia project.

libisoburn: WARNING : ISO image size 311s larger than readable size 308s
xorriso : NOTE : Loading ISO image tree from LBA 0
Segmentation fault

The crash can be reproduced using the libisofs demo, so I assume the bug 
lies in the library itself. GDB says it's a null pointer dereference:

Program received signal SIGSEGV, Segmentation fault.
0xf7e61a3e in iso_file_source_lstat (src=0x8261b00, info=0xffffd490) at libisofs/fsource.c:67
67          return src->class->lstat(src, info);
(gdb) print src->class
$1 = (const IsoFileSourceIface *) 0x0
(gdb) bt
#0  0xf7e61a3e in iso_file_source_lstat (src=0x8261b00, info=0xffffd490) at libisofs/fsource.c:67
#1  0xf7e68042 in iso_image_import (image=0x804c070, src=0x804c600, opts=0x804c5d8, features=0xffffd548) at libisofs/fs_image.c:3578
#2  0xf7edaf0d in isoburn_read_image (d=0xf7dde300 <drive_array>, read_opts=0x804c4f0, image=0xffffd5ec) at libisoburn/isofs_wrap.c:301
#3  0xf7f3311e in Xorriso_aquire_drive (xorriso=0xf77a7008, adr=0x804ba30 "crash.iso", show_adr=0x804ba30 "crash.iso", flag=3) at xorriso/drive_mgt.c:533
#4  0xf7f17679 in Xorriso_option_dev (xorriso=0xf77a7008, in_adr=0x804ba30 "crash.iso", flag=3) at xorriso/opts_d_h.c:116
#5  0xf7f0a80c in Xorriso_interpreter (xorriso=0xf77a7008, argc=6, argv=0x804b9c0, idx=0xffffd79c, flag=2) at xorriso/parse_exec.c:1185
#6  0x08048b1f in main (argc=6, argv=0x804b9c0) at xorriso/xorriso_main.c:265

This bug was found using American fuzzy lop:

Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the 
first crash (which took a few minutes). It's likely that extensive 
fuzzing would uncover more interesting crashers. I'd encourage libisofs 
maintainers to perform fuzzing with AFL on their own. :-)

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libisofs6 depends on:
ii  libacl1  2.2.52-2
ii  libc6    2.19-13
ii  libjte1  1.20-1
ii  zlib1g   1:1.2.8.dfsg-2+b1

Jakub Wilk
A non-text attachment was scrubbed...
Name: crash.iso.xz
Type: application/x-xz
Size: 1208 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libburnia-devel/attachments/20141229/4ccfaf70/attachment.bin>
