[Pkg-libburnia-devel] Bug#872545: libisofs6: heap-based buffer overflow in read_aaip_AL()

Jakub Wilk jwilk at jwilk.net
Fri Aug 18 10:55:41 UTC 2017 

Package: libisofs6
Version: 1.4.6-1

xorriso crashes on the attached ISO file:

   $ xorriso -indev overflow.iso -ls
   xorriso 1.4.6 : RockRidge filesystem manipulator, libburnia project.

   libisoburn: WARNING : ISO image size 808464432s larger than readable size 20s
   xorriso : NOTE : Loading ISO image tree from LBA 0

   UNIX-SIGNAL:  SIGSEGV  errno= 2
   xorriso : ABORT : Trying to shut down drive and library
   xorriso : ABORT : Wait the normal burning time before any kill -9
   *** Error in `xorriso': malloc(): memory corruption: 0x57a08340 ***
   ...
   Aborted

Valgrind says it's a heap-based buffer overflow:

   Invalid write of size 1
      at 0x49A9B0F: read_aaip_AL (rockridge_read.c:564)
      by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
      by 0x49865CE: read_dir (fs_image.c:647)
      by 0x49865CE: ifs_open (fs_image.c:718)
      by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
      by 0x498DE91: iso_image_import (fs_image.c:5868)
      by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
      by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
      by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
      by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
      by 0x108BA6: main (xorriso_main.c:265)
    Address 0x51117cc is 0 bytes after a block of size 4 alloc'd
      at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
      by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
      by 0x49865CE: read_dir (fs_image.c:647)
      by 0x49865CE: ifs_open (fs_image.c:718)
      by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
      by 0x498DE91: iso_image_import (fs_image.c:5868)
      by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
      by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
      by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
      by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
      by 0x108BA6: main (xorriso_main.c:265)

   Invalid write of size 4
      at 0x49A9B2B: memcpy (string3.h:53)
      by 0x49A9B2B: read_aaip_AL (rockridge_read.c:567)
      by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
      by 0x49865CE: read_dir (fs_image.c:647)
      by 0x49865CE: ifs_open (fs_image.c:718)
      by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
      by 0x498DE91: iso_image_import (fs_image.c:5868)
      by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
      by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
      by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
      by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
      by 0x108BA6: main (xorriso_main.c:265)
    Address 0x51117cd is 1 bytes after a block of size 4 alloc'd
      at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
      by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
      by 0x49865CE: read_dir (fs_image.c:647)
      by 0x49865CE: ifs_open (fs_image.c:718)
      by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
      by 0x498DE91: iso_image_import (fs_image.c:5868)
      by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
      by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
      by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
      by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
      by 0x108BA6: main (xorriso_main.c:265)

   Invalid write of size 4
      at 0x49A9B42: memcpy (string3.h:53)
      by 0x49A9B42: read_aaip_AL (rockridge_read.c:567)
      by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
      by 0x49865CE: read_dir (fs_image.c:647)
      by 0x49865CE: ifs_open (fs_image.c:718)
      by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
      by 0x498DE91: iso_image_import (fs_image.c:5868)
      by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
      by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
      by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
      by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
      by 0x108BA6: main (xorriso_main.c:265)
    Address 0x51117d0 is 4 bytes after a block of size 4 alloc'd
      at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
      by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
      by 0x49865CE: read_dir (fs_image.c:647)
      by 0x49865CE: ifs_open (fs_image.c:718)
      by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
      by 0x498DE91: iso_image_import (fs_image.c:5868)
      by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
      by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
      by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
      by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
      by 0x108BA6: main (xorriso_main.c:265)

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libisofs6 depends on:
ii  libacl1  2.2.52-3+b1
ii  libc6    2.24-14
ii  libjte1  1.20-2+b1
ii  zlib1g   1:1.2.8.dfsg-5

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: overflow.iso.gz
Type: application/gzip
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libburnia-devel/attachments/20170818/be028157/attachment-0001.bin>

More information about the Pkg-libburnia-devel mailing list