search

mpruett / audiofile

Audio File Library
https://audiofile.68k.org/
GNU Lesser General Public License v2.1
155 stars 42 forks source link

out of bound heap access in SimpleModule.h #55

Open cuanduo opened 5 years ago

cuanduo commented 5 years ago

There exists one out of bound heap access in SwapModule::runSwap, in SimpleModule.h:82, which allows an attacker to cause a denial of service via a crafted file.

sfconvert $poc output format caf poc.zip

asan output

root@ubuntu:~/fuzz/audiofile# /home/tim/audiofile-santi/sfcommands/sfconvert /home/tim/Downloads/poc output format caf
ASAN:DEADLYSIGNAL
=================================================================
==30065==ERROR: AddressSanitizer: SEGV on unknown address 0x625000010000 (pc 0x7ffff6becb40 bp 0x60c000000340 sp 0x7fffffffe200 T0)
==30065==The signal is caused by a READ memory access.
    #0 0x7ffff6becb3f in void SwapModule::runSwap<8, long>(long const*, long*, int) /home/tim/audiofile-santi/libaudiofile/modules/SimpleModule.h:81
    #1 0x7ffff6becb3f in void SwapModule::run<8, long>(Chunk&, Chunk&) /home/tim/audiofile-santi/libaudiofile/modules/SimpleModule.h:74
    #2 0x7ffff6becb3f in SwapModule::run(Chunk&, Chunk&) /home/tim/audiofile-santi/libaudiofile/modules/SimpleModule.h:63
    #3 0x7ffff6bdc218 in afReadFrames (/home/tim/audiofile-santi/libaudiofile/.libs/libaudiofile.so.1+0x32218)
    #4 0x555555555fdd in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:340
    #5 0x555555555620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
    #6 0x7ffff67dab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x555555555c79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/tim/audiofile-santi/libaudiofile/modules/SimpleModule.h:81 in void SwapModule::runSwap<8, long>(long const*, long*, int)
==30065==ABORTING

gdb output

gdb-peda$ r /home/tim/Downloads/poc output format caf
Starting program: /home/tim/fuzz/audiofile/sfconvert /home/tim/Downloads/poc output format caf

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x7ffff7f5b010 --> 0x2e736e6400000000 ('')
RDX: 0x0 
RSI: 0x55555587ac40 --> 0x646e732e ('.snd')
RDI: 0x0 
RBP: 0x200000028 
RSP: 0x7fffffffe320 --> 0x555555877f28 --> 0x3e9 
RIP: 0x5555555c82b5 (<SwapModule::run(Chunk&, Chunk&)+1525>:    mov    rdx,QWORD PTR [rsi+r10*1+0x18])
R8 : 0x0 
R9 : 0x0 
R10: 0xc3a8 
R11: 0x0 
R12: 0x555555877f28 --> 0x3e9 
R13: 0x555555878660 --> 0x5555558643f8 --> 0x5555555c72d0 (<SwapModule::~SwapModule()>: lea    rsp,[rsp-0x98])
R14: 0x0 
R15: 0x1
EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555c82a8 <SwapModule::run(Chunk&, Chunk&)+1512>:   mov    r8,QWORD PTR [rsi+r10*1+0x10]
   0x5555555c82ad <SwapModule::run(Chunk&, Chunk&)+1517>:   bswap  r8
   0x5555555c82b0 <SwapModule::run(Chunk&, Chunk&)+1520>:   mov    QWORD PTR [rcx+r10*1+0x10],r8
=> 0x5555555c82b5 <SwapModule::run(Chunk&, Chunk&)+1525>:   mov    rdx,QWORD PTR [rsi+r10*1+0x18]
   0x5555555c82ba <SwapModule::run(Chunk&, Chunk&)+1530>:   bswap  rdx
   0x5555555c82bd <SwapModule::run(Chunk&, Chunk&)+1533>:   mov    QWORD PTR [rcx+r10*1+0x18],rdx
   0x5555555c82c2 <SwapModule::run(Chunk&, Chunk&)+1538>:   mov    rax,QWORD PTR [rsi+r10*1+0x20]
   0x5555555c82c7 <SwapModule::run(Chunk&, Chunk&)+1543>:   bswap  rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe320 --> 0x555555877f28 --> 0x3e9 
0008| 0x7fffffffe328 --> 0x5 
0016| 0x7fffffffe330 --> 0x555555878b70 --> 0x3 
0024| 0x7fffffffe338 --> 0x55555556a266 (<afReadFrames(AFfilehandle, int, void*, int)+1702>:    movzx  r15d,BYTE PTR [r12+0x169])
0032| 0x7fffffffe340 --> 0x5 
0040| 0x7fffffffe348 --> 0x855877f28 
0048| 0x7fffffffe350 --> 0x7ffff7f5b010 --> 0x2e736e6400000000 ('')
0056| 0x7fffffffe358 --> 0xfffffffffffffc06 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555c82b5 in SwapModule::runSwap<8, long> (this=<optimized out>, sampleCount=<optimized out>, output=0x7ffff7f5b010, input=0x55555587ac40) at SimpleModule.h:82
82              output[i] = byteswap(input[i]);
gdb-peda$ bt
#0  0x00005555555c82b5 in SwapModule::runSwap<8, long> (this=<optimized out>, sampleCount=<optimized out>, output=0x7ffff7f5b010, input=0x55555587ac40) at SimpleModule.h:82
#1  SwapModule::run<8, long> (this=<optimized out>, outChunk=..., inChunk=...) at SimpleModule.h:74
#2  SwapModule::run (this=<optimized out>, inChunk=..., outChunk=...) at SimpleModule.h:63
#3  0x000055555556a266 in afReadFrames (file=<optimized out>, trackid=<optimized out>, samples=0x7ffff7f5b010, nvframeswanted=<optimized out>) at data.cpp:222
#4  0x000055555555ab4d in copyaudiodata (infile=0x555555877e90, outfile=0x5555558786a0, trackid=0x3e9) at sfconvert.c:340
#5  0x0000555555559331 in main (argc=argc@entry=0x5, argv=argv@entry=0x7fffffffe548) at sfconvert.c:248
#6  0x00007ffff72deb97 in __libc_start_main (main=0x555555558b70 <main>, argc=0x5, argv=0x7fffffffe548, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe538) at ../csu/libc-start.c:310
#7  0x000055555555a62a in _start ()
gdb-peda$ vmmap 
Start              End                Perm  Name
0x0000555555554000 0x0000555555663000 r-xp  /home/tim/fuzz/audiofile/sfconvert
0x0000555555863000 0x0000555555865000 r--p  /home/tim/fuzz/audiofile/sfconvert
0x0000555555865000 0x0000555555866000 rw-p  /home/tim/fuzz/audiofile/sfconvert
0x0000555555866000 0x0000555555887000 rw-p  [heap]
0x00007ffff70a5000 0x00007ffff70bc000 r-xp  /lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff70bc000 0x00007ffff72bb000 ---p  /lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff72bb000 0x00007ffff72bc000 r--p  /lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff72bc000 0x00007ffff72bd000 rw-p  /lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff72bd000 0x00007ffff74a4000 r-xp  /lib/x86_64-linux-gnu/libc-2.27.so
0x00007ffff74a4000 0x00007ffff76a4000 ---p  /lib/x86_64-linux-gnu/libc-2.27.so
0x00007ffff76a4000 0x00007ffff76a8000 r--p  /lib/x86_64-linux-gnu/libc-2.27.so
0x00007ffff76a8000 0x00007ffff76aa000 rw-p  /lib/x86_64-linux-gnu/libc-2.27.so
0x00007ffff76aa000 0x00007ffff76ae000 rw-p  mapped
0x00007ffff76ae000 0x00007ffff784b000 r-xp  /lib/x86_64-linux-gnu/libm-2.27.so
0x00007ffff784b000 0x00007ffff7a4a000 ---p  /lib/x86_64-linux-gnu/libm-2.27.so
0x00007ffff7a4a000 0x00007ffff7a4b000 r--p  /lib/x86_64-linux-gnu/libm-2.27.so
0x00007ffff7a4b000 0x00007ffff7a4c000 rw-p  /lib/x86_64-linux-gnu/libm-2.27.so
0x00007ffff7a4c000 0x00007ffff7bc5000 r-xp  /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
0x00007ffff7bc5000 0x00007ffff7dc5000 ---p  /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
0x00007ffff7dc5000 0x00007ffff7dcf000 r--p  /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
0x00007ffff7dcf000 0x00007ffff7dd1000 rw-p  /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
0x00007ffff7dd1000 0x00007ffff7dd5000 rw-p  mapped
0x00007ffff7dd5000 0x00007ffff7dfc000 r-xp  /lib/x86_64-linux-gnu/ld-2.27.so
0x00007ffff7f5b000 0x00007ffff7fe2000 rw-p  mapped
0x00007ffff7ff7000 0x00007ffff7ffa000 r--p  [vvar]
0x00007ffff7ffa000 0x00007ffff7ffc000 r-xp  [vdso]
0x00007ffff7ffc000 0x00007ffff7ffd000 r--p  /lib/x86_64-linux-gnu/ld-2.27.so
0x00007ffff7ffd000 0x00007ffff7ffe000 rw-p  /lib/x86_64-linux-gnu/ld-2.27.so
0x00007ffff7ffe000 0x00007ffff7fff000 rw-p  mapped
0x00007ffffffde000 0x00007ffffffff000 rw-p  [stack]
0xffffffffff600000 0xffffffffff601000 r-xp  [vsyscall]
gdb-peda$
cuanduo commented 5 years ago

ignore it, may same like https://github.com/mpruett/audiofile/issues/46