lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Null pointer dereference in function sym_new (). #70

Open Loginsoft-Research opened 4 years ago

Loginsoft-Research commented 4 years ago

What is the vulnerability? A null pointer dereference was discovered in abcm2ps (8.14.6-master). It can be triggered by passing a crafted ABC file to the abcm2ps binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

Affected version: 8.14.6-master

Command: ./abcm2ps $POC

Reproducer file: Reproducer

Synopsis: We discovered a null pointer dereference in sym_new() at music.c:3171. s->ts_prev->type is not being validated. Due to the lack of validation of s->ts_prev->type, it causes a null pointer dereference.

Vulnerable code (music.c, lines 3171-3176; the GDB source listing below shows that line 3170, `s->ts_prev->ts_next = s;`, already follows s->ts_prev before this test, and the debugger reports s->ts_prev == 0x0 at the crash):

    if (!s->ts_prev || s->ts_prev->type != type)   /* 3171: NULL test of ts_prev */
        s->sflags |= S_SEQST;                       /* s starts a new time sequence */
    last_s->ts_prev = s;                            /* link s in front of last_s */
    if (last_s->type == type && s->voice != last_s->voice) {
        last_s->sflags &= ~S_SEQST;
        last_s->shrink = 0;
    }

Debug:

GDB:

abcm2ps-8.14.6 (2019-11-05)
File NPD1
NPD1: error: Bad character
  17 [C8E8]|zE FG- GEC2|[B,3E3][B,D]- [B,4D4]|zD EF- FED|D8|
                                                        ^
NPD1: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                          ^
NPD1: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                                 ^
NPD1: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                                     ^
NPD1: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                                           ^
NPD1: error: Chord not closed
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                     ^
NPD1: error: Bad character 'o'
NPD1: error: Bad character 'n'
NPD1: error: Bad character 'i'
NPD1: error: Bad character 'p'
NPD1: error: Bad character 'r'
NPD1: error: Bad character 'o'
NPD1: error: Bad character 't'
NPD1: error: Bad character 'n'
NPD1: error: Bad character 'o'
NPD1: error: Voice '2' of %%staves has no symbol
NPD1: error: Bad character 'i'
NPD1: error: Bad character 't'
NPD1: error: Bad character 'i'
NPD1: warning: Line overfull (664pt of 652pt)
NPD1: error: Bad tie

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x400             
$rbx   : 0x0000555555981b30  →  0x0000555555981d88  →  0x0000555555981fe0  →  0x0000555555982240  →  0x00005555559824a0  →  0x00005555559826f8  →  0x0000555555982958  →  0x0000555555982ba8
$rcx   : 0x0000555555982958  →  0x0000555555982ba8  →  0x0000555555982e00  →  0x0000555555983058  →  0x00005555559832b0  →  0x0000555555983500  →  0x0000555555983750  →  0x00005555559839a0
$rdx   : 0x0000555555943300  →  0x0000000000004852 ("RH"?)
$rsp   : 0x00007fffffffdc20  →  0x0000555555943700  →  0x0000000000000031 ("1"?)
$rbp   : 0x6               
$rsi   : 0x2               
$rdi   : 0x0000555555970890  →  0x0000000000000000
$rip   : 0x000055555564e815  →  <sym_new+341> movzx edi, BYTE PTR [r12+0x39]
$r8    : 0x0000555555970640  →  0x0000000000000000
$r9    : 0x0               
$r10   : 0x1e00            
$r11   : 0x000055555598d958  →  0x0000000000000000
$r12   : 0x0               
$r13   : 0xff000000ff      
$r14   : 0x0000555555943300  →  0x0000000000004852 ("RH"?)
$r15   : 0x0000555555981b30  →  0x0000555555981d88  →  0x0000555555981fe0  →  0x0000555555982240  →  0x00005555559824a0  →  0x00005555559826f8  →  0x0000555555982958  →  0x0000555555982ba8
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffdc20│+0x0000: 0x0000555555943700  →  0x0000000000000031 ("1"?)     ← $rsp
0x00007fffffffdc28│+0x0008: 0x0000000000000000
0x00007fffffffdc30│+0x0010: 0x0000000000000002
0x00007fffffffdc38│+0x0018: 0x000055555567e570  →  <output_music+61712> movdqu xmm8, XMMWORD PTR [rbx+0x80]
0x00007fffffffdc40│+0x0020: 0x0000000100000000
0x00007fffffffdc48│+0x0028: 0x0000000300000002
0x00007fffffffdc50│+0x0030: 0x00007fffffffdfc0  →  0x0101010101010100
0x00007fffffffdc58│+0x0038: 0x0000555500000001
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x55555564e809 <sym_new+329>    mov    r12, QWORD PTR [rbx+0x28]
   0x55555564e80d <sym_new+333>    mov    QWORD PTR [r8+0x20], rbx
   0x55555564e811 <sym_new+337>    mov    QWORD PTR [r8+0x28], r12
 → 0x55555564e815 <sym_new+341>    movzx  edi, BYTE PTR [r12+0x39]
   0x55555564e81b <sym_new+347>    mov    QWORD PTR [r12+0x20], r8
   0x55555564e820 <sym_new+352>    cmp    edi, ebp
   0x55555564e822 <sym_new+354>    je     0x55555564e864 <sym_new+420>
   0x55555564e824 <sym_new+356>    lea    rsp, [rsp-0x98]
   0x55555564e82c <sym_new+364>    mov    QWORD PTR [rsp], rdx
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:music.c+3171 ────
   3166     p_voice->last_sym = s;
   3167  
   3168     s->ts_next = last_s;
   3169     s->ts_prev = last_s->ts_prev;
   3170     s->ts_prev->ts_next = s;
 → 3171     if (!s->ts_prev || s->ts_prev->type != type)
   3172         s->sflags |= S_SEQST;
   3173     last_s->ts_prev = s;
   3174     if (last_s->type == type && s->voice != last_s->voice) {
   3175         last_s->sflags &= ~S_SEQST;
   3176         last_s->shrink = 0;
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x55555564e815 → sym_new(type=0x6, p_voice=<optimized out>, last_s=0x555555981b30)
[#1] 0x55555567e570 → init_music_line()
[#2] 0x55555567e570 → set_piece()
[#3] 0x55555567e570 → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x555555579865 → abc_parse(p=0x55555597b620 "", fname=0x5555559511d0 " NPD1", ln=0x20)
[#8] 0x555555633893 → txt_add_eos(linenum=0x20, fname=<optimized out>)
[#9] 0x555555633893 → frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=<optimized out>)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
sym_new (type=type@entry=0x6, p_voice=<optimized out>, p_voice@entry=0x555555943700 <voice_tb+1024>, last_s=last_s@entry=0x555555981b30) at music.c:3171
3171        if (!s->ts_prev || s->ts_prev->type != type)
gef➤  p s->ts_prev 
$1 = (struct SYMBOL *) 0x0
gef➤  p s->ts_prev->type 
Cannot access memory at address 0x39
gef➤  x s->ts_prev->type
Cannot access memory at address 0x39
gef➤  i r
rax            0x400    0x400
rbx            0x555555981b30   0x555555981b30
rcx            0x555555982958   0x555555982958
rdx            0x555555943300   0x555555943300
rsi            0x2  0x2
rdi            0x555555970890   0x555555970890
rbp            0x6  0x6
rsp            0x7fffffffdc20   0x7fffffffdc20
r8             0x555555970640   0x555555970640
r9             0x0  0x0
r10            0x1e00   0x1e00
r11            0x55555598d958   0x55555598d958
r12            0x0  0x0
r13            0xff000000ff 0xff000000ff
r14            0x555555943300   0x555555943300
r15            0x555555981b30   0x555555981b30
rip            0x55555564e815   0x55555564e815 <sym_new+341>
eflags         0x10202  [ IF RF ]
cs             0x33 0x33
ss             0x2b 0x2b
ds             0x0  0x0
es             0x0  0x0
fs             0x0  0x0
gs             0x0  0x0

Valgrind:

abcm2ps-8.14.6 (2019-11-05)
File NPD1
NPD1:17:51: error: Bad character
  17 [C8E8]|zE FG- GEC2|[B,3E3][B,D]- [B,4D4]|zD EF- FED|D8|
                                                        ^
NPD1:20:53: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                          ^
NPD1:20:60: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                                 ^
NPD1:20:64: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                                     ^
NPD1:20:70: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                                           ^
NPD1:20:48: error: Chord not closed
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,3][B,,F,]- [B,,4F Sonata for piano
                                                     ^
NPD1:20:47: error: Bad character 'o'
NPD1:20:47: error: Bad character 'n'
NPD1:20:47: error: Bad character 'i'
NPD1:20:47: error: Bad character 'p'
NPD1:20:47: error: Bad character 'r'
NPD1:20:47: error: Bad character 'o'
NPD1:20:47: error: Bad character 't'
NPD1:20:47: error: Bad character 'n'
NPD1:20:47: error: Bad character 'o'
NPD1:25:0: error: Voice '2' of %%staves has no symbol
NPD1:30:19: error: Bad character 'i'
NPD1:30:19: error: Bad character 't'
NPD1:30:19: error: Bad character 'i'
NPD1:31:38: warning: Line overfull (664pt of 652pt)
NPD1:20:38: error: Bad tie
==16852== Invalid write of size 8
==16852==    at 0x131953: sym_new (music.c:3170)
==16852==    by 0x13853F: init_music_line (music.c:3293)
==16852==    by 0x13853F: set_piece (music.c:4741)
==16852==    by 0x13853F: output_music (music.c:5109)
==16852==    by 0x13D9C0: generate (parse.c:1041)
==16852==    by 0x13DF27: gen_ly (parse.c:1062)
==16852==    by 0x143F07: do_tune (parse.c:3635)
==16852==    by 0x115B61: abc_parse (abcparse.c:179)
==16852==    by 0x12DEE3: txt_add_eos (front.c:379)
==16852==    by 0x12E373: frontend (front.c:891)
==16852==    by 0x110F1C: treat_file (abcm2ps.c:240)
==16852==    by 0x11013B: main (abcm2ps.c:1041)
==16852==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
Segmentation fault
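The guarded form of the time-sequence insertion quoted in the report, as an added example rather than abcm2ps's own code or the reporter's reproducer: the struct is a minimal stand-in carrying only the fields the quoted lines use, and the value of S_SEQST is assumed.

```c
#include <stddef.h>
#define S_SEQST 0x01  /* constructed flag value; the real one lives in abcm2ps's headers */

/* Minimal stand-in for abcm2ps's struct SYMBOL: only the fields the quoted
 * lines touch (field names from the issue, types and layout assumed). */
struct SYMBOL {
    struct SYMBOL *ts_prev, *ts_next;  /* time-sequence list across all voices */
    int type, voice, shrink;
    unsigned sflags;
};

/* Hardened form of the insertion quoted from music.c:3168-3176. The quoted
 * code follows s->ts_prev at line 3170, one line before testing it for NULL;
 * here the test comes first, so last_s may be the head of the list. */
static void ts_insert_before(struct SYMBOL *s, struct SYMBOL *last_s, int type)
{
    s->ts_next = last_s;
    s->ts_prev = last_s->ts_prev;
    if (s->ts_prev)                               /* NULL when last_s is the head */
        s->ts_prev->ts_next = s;
    if (!s->ts_prev || s->ts_prev->type != type)  /* s starts a new time sequence */
        s->sflags |= S_SEQST;
    last_s->ts_prev = s;
    if (last_s->type == type && s->voice != last_s->voice) {
        last_s->sflags &= ~S_SEQST;
        last_s->shrink = 0;
    }
}

/* The crashing shape from the GDB trace: last_s is the head (ts_prev == NULL),
 * type 6 on both symbols, different voices. Returns 1 on the intended result. */
int check_insert_at_head(void)
{
    struct SYMBOL head = { .type = 6, .voice = 0, .shrink = 10, .sflags = S_SEQST };
    struct SYMBOL s = { .type = 6, .voice = 1 };
    ts_insert_before(&s, &head, 6);
    return s.ts_prev == NULL && s.ts_next == &head && head.ts_prev == &s
        && (s.sflags & S_SEQST) != 0 && (head.sflags & S_SEQST) == 0 && head.shrink == 0;
}

/* Regular case: a predecessor of another type exists and gets relinked. */
int check_insert_in_middle(void)
{
    struct SYMBOL a = { .type = 3 }, b = { .type = 6, .voice = 0, .shrink = 10 };
    struct SYMBOL s = { .type = 6, .voice = 0 };
    a.ts_next = &b; b.ts_prev = &a;
    ts_insert_before(&s, &b, 6);
    return a.ts_next == &s && s.ts_prev == &a && b.ts_prev == &s
        && (s.sflags & S_SEQST) != 0 && b.shrink == 10;   /* same voice: b untouched */
}
```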