Bug#883198: bs1770gain: use after free while running bs1770gain with "poc output" option
Joonun Jang
joonun.jang at gmail.com
Thu Nov 30 16:17:04 UTC 2017
Package: bs1770gain
Version: 0.4.12-2+b1
Severity: important
Tags: security
use after free while running bs1770gain with "poc output" option
Running 'bs1770gain poc output' with the attached file raises a use after free,
which may allow a remote attacker to cause a denial-of-service attack or other unspecified
impact with a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows:
-------------------------------------------
june at yuweol:~/workspace/bugre/poc/bs1770gain/1$ ~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc output
analyzing ...
[1/1] "poc": Error finding decoder: ffsox_frame_reader_create(), "ffsox_frame_reader.c" (41).
Error creating frame reader: ffsox_frame_reader_new(), "ffsox_frame_reader.c" (92).
Error creating frame reader: ffsox_analyze(), "ffsox_analyze.c" (68).
=================================================================
==10074==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000640 at pc 0x555555582800 bp 0x7fffffffda60 sp 0x7fffffffda58
READ of size 8 at 0x610000000640 thread T0
#0 0x5555555827ff in ffsox_packet_consumer_list_free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff)
#1 0x55555559b91a in pbu_list_free_full (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x4791a)
#2 0x5555555773fe in ffsox_source_link_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x233fe)
#3 0x5555555762b5 in source_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x222b5)
#4 0x555555570a2f in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1ca2f)
#5 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#6 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#7 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#8 0x5555555614e9 in _start (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)
0x610000000640 is located 0 bytes inside of 184-byte region [0x610000000640,0x6100000006f8)
freed by thread T0 here:
#0 0x7ffff6eff8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
#1 0x55555557393b in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f93b)
#2 0x55555556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
#3 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#4 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#5 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
previously allocated by thread T0 here:
#0 0x7ffff6effc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x555555573841 in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f841)
#2 0x55555556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
#3 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#4 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#5 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: heap-use-after-free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff) in ffsox_packet_consumer_list_free
Shadow bytes around the buggy address:
0x0c207fff8070: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c207fff8080: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c207fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x0c207fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c207fff80b0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c207fff80c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c207fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c207fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10074==ABORTING
-------------------------------------------
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bs1770gain depends on:
ii libavcodec57 7:3.4-3
ii libavformat57 7:3.4-3
ii libavutil55 7:3.4-3
ii libc6 2.24-17
ii libsox3 14.4.2-2
ii libswresample2 7:3.4-3
bs1770gain recommends no packages.
bs1770gain suggests no packages.
-- no debconf information
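The ASan trace above says the 184-byte reader was allocated in ffsox_frame_reader_new, freed in the same function after the decoder lookup failed, and then read again from ffsox_packet_consumer_list_free when the source was cleaned up. The C below is an added illustration of that ownership pattern, not bs1770gain's code and not the fix the package shipped: every name in it (consumer_t, reader_new_buggy, reader_new_fixed, find_decoder) is an assumption. It shows the error-path shape that leaves a freed node linked in a list beside two hardened shapes (publish only after the fallible step, or unlink before free), and a small driver that reports how many list entries would still be touched by cleanup after a failed construction.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a hypothetical reconstruction of the ownership pattern the ASan
 * trace points at, not bs1770gain's actual code. A "frame reader" node is
 * registered in a packet-consumer list and freed on an error path; the list is
 * walked later during source cleanup. All names here are assumptions. */

typedef struct consumer {
    struct consumer *next;
    char name[32];
} consumer_t;

typedef struct { consumer_t *head; size_t count; } consumer_list_t;

static void list_push(consumer_list_t *l, consumer_t *c) {
    c->next = l->head;
    l->head = c;
    l->count++;
}

/* Remove c from the list if present; returns 1 when it was found. */
static int list_unlink(consumer_list_t *l, consumer_t *c) {
    for (consumer_t **pp = &l->head; *pp; pp = &(*pp)->next) {
        if (*pp == c) { *pp = c->next; c->next = NULL; l->count--; return 1; }
    }
    return 0;
}

/* Counterpart of the trace's pbu_list_free_full: frees every node still linked. */
static void list_free_full(consumer_list_t *l) {
    consumer_t *c = l->head;
    while (c) { consumer_t *next = c->next; free(c); c = next; }
    l->head = NULL;
    l->count = 0;
}

/* Stand-in for the decoder lookup; codec_id 0 means "no decoder found". */
static int find_decoder(int codec_id) { return codec_id != 0; }

/* Buggy shape (kept for contrast, never executed below): the node is published
 * into the list before the fallible step and freed without being unlinked, so
 * list_free_full later reads freed memory, the heap-use-after-free ASan reports. */
static consumer_t *reader_new_buggy(consumer_list_t *l, int codec_id) {
    consumer_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    snprintf(r->name, sizeof r->name, "frame_reader");
    list_push(l, r);
    if (!find_decoder(codec_id)) {
        free(r);            /* BUG: l->head still points at r */
        return NULL;
    }
    return r;
}

/* Fixed shape: finish every fallible step before publishing into the list. */
static consumer_t *reader_new_fixed(consumer_list_t *l, int codec_id) {
    consumer_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    snprintf(r->name, sizeof r->name, "frame_reader");
    if (!find_decoder(codec_id)) {
        free(r);            /* never linked, so nothing dangles */
        return NULL;
    }
    list_push(l, r);
    return r;
}

/* Alternative fix when registration has to happen early: unlink before free. */
static consumer_t *reader_new_fixed_unlink(consumer_list_t *l, int codec_id) {
    consumer_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    snprintf(r->name, sizeof r->name, "frame_reader");
    list_push(l, r);
    if (!find_decoder(codec_id)) {
        list_unlink(l, r);  /* ownership leaves the list before the free */
        free(r);
        return NULL;
    }
    return r;
}

typedef consumer_t *(*reader_ctor)(consumer_list_t *, int);

/* Drive ctor through the error path (codec_id 0), then through cleanup.
 * Returns how many nodes were still linked after the failed construction,
 * i.e. how many freed-or-not entries cleanup would walk; 0 is the safe answer. */
static size_t dangling_after_failed_construction(reader_ctor ctor) {
    consumer_list_t list = { NULL, 0 };
    consumer_t *r = ctor(&list, 0);
    size_t left = (r == NULL) ? list.count : (size_t)-1;
    list_free_full(&list);
    return left;
}

/* Success path (codec_id 1): the reader must end up linked exactly once. */
static size_t linked_after_success(reader_ctor ctor) {
    consumer_list_t list = { NULL, 0 };
    size_t n = ctor(&list, 1) ? list.count : (size_t)-1;
    list_free_full(&list);
    return n;
}

int main(void) {
    (void)reader_new_buggy;   /* referenced only so the contrast version compiles unused */
    printf("fixed: %zu dangling\n", dangling_after_failed_construction(reader_new_fixed));
    printf("fixed (unlink): %zu dangling\n", dangling_after_failed_construction(reader_new_fixed_unlink));
    return 0;
}
```

The general rule the two fixed shapes share is that a pointer must be owned by exactly one place at the moment it is freed; whichever of "publish late" or "unlink first" fits the real code, an ASan build of the unit test above would flag the buggy shape immediately if it were called.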
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 70 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20171201/495c8ee5/attachment.obj>