nu774 / fdkaac

command line encoder frontend for libfdk-aac

Heap-buffer-overflow found in fdkaac #55

Closed mondaylord closed 1 year ago

mondaylord commented 1 year ago

Hi, developers of fdkaac: While testing the fdkaac binary instrumented with ASAN, I found a heap-buffer-overflow vulnerability in fdkaac. The commit is 03c3c60, which is also the master branch.

Here is the ASAN mode output:

=================================================================
==1664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7efdfca69f00 at pc 0x00000047bf2c bp 0x7ffd4096cfe0 sp 0x7ffd4096c790
READ of size 27 at 0x7efdfca69f00 thread T0
    #0 0x47bf2b in __interceptor_strlen.part.34 /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:375
    #1 0x4f9d94 in caf_info /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:116:19
    #2 0x4f88f2 in caf_parse /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:191:13
    #3 0x4f88f2 in caf_open /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:234:9
    #4 0x541f4f in open_input /home/ferry/hwz/zeroday/fdkaac/src/main.c:754:27
    #5 0x541f4f in main /home/ferry/hwz/zeroday/fdkaac/src/main.c:802:19
    #6 0x7efdfb80883f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41b8a8 in _start (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x41b8a8)

0x7efdfca69f00 is located 0 bytes to the right of 132864-byte region [0x7efdfca49800,0x7efdfca69f00)
allocated by thread T0 here:
    #0 0x4aeca2 in malloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x4f9cb1 in caf_info /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:109:34
    #2 0x4f88f2 in caf_parse /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:191:13
    #3 0x4f88f2 in caf_open /home/ferry/hwz/zeroday/fdkaac/src/caf_reader.c:234:9
    #4 0x541f4f in open_input /home/ferry/hwz/zeroday/fdkaac/src/main.c:754:27
    #5 0x541f4f in main /home/ferry/hwz/zeroday/fdkaac/src/main.c:802:19
    #6 0x7efdfb80883f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:375 in __interceptor_strlen.part.34
Shadow bytes around the buggy address:
  0x0fe03f945390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe03f9453a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe03f9453b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe03f9453c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe03f9453d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe03f9453e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe03f9453f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe03f945400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe03f945410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe03f945420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe03f945430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1664==ABORTING

I also found a stack-buffer-overflow in fdkaac, src/main.c:81, read_callback(). Here is the ASAN output.

=================================================================
==30393==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7d3cc380 at pc 0x0000004372a8 bp 0x7ffc7d3ca330 sp 0x7ffc7d3c9ae0
WRITE of size 19584 at 0x7ffc7d3cc380 thread T0
==30393==WARNING: Can't read from symbolizer at fd 4
==30393==WARNING: Can't read from symbolizer at fd 4
==30393==WARNING: Can't read from symbolizer at fd 4
==30393==WARNING: Can't read from symbolizer at fd 4
==30393==WARNING: Failed to use and restart external symbolizer!
    #0 0x4372a7  (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x4372a7)
    #1 0x547356  (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x547356)
    #2 0x568879  (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x568879)

Address 0x7ffc7d3cc380 is located in stack of thread T0 at offset 8224 in frame
    #0 0x5685bf  (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x5685bf)

  This frame has 1 object(s):
    [32, 8224) 'buff' (line 57) <== Memory access at offset 8224 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/ferry/hwz/zeroday/bin/fdkaac-asan/fdkaac+0x4372a7) 
Shadow bytes around the buggy address:
  0x10000fa71820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000fa71830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000fa71840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000fa71850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000fa71860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000fa71870:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x10000fa71880: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x10000fa71890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000fa718a0: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f8 f2 f8 f2
  0x10000fa718b0: f8 f2 f8 f2 f8 f2 f8 f2 f8 f2 04 f2 00 f3 f3 f3
  0x10000fa718c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30393==ABORTING

Crash input

https://github.com/17ssDP/fuzzer_crashes/blob/main/fdkaac

Validation steps

git clone https://github.com/nu774/fdkaac
cd fdkaac/
autoreconf -i
CC=clang CXX=clang++ CFLAGS="$CFLAGS -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="$CXXFLAGS -fsanitize=address -fno-omit-frame-pointer" ./configure
make
./fdkaac -p5 -b64 fdkaac-hbo -o /dev/null

Environment

Ubuntu 16.04
Clang 10.0.1
gcc 5.5
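The first trace above reports a 27-byte READ by strlen() starting exactly at the end of a malloc'd chunk buffer inside caf_info, which is consistent with strlen() walking a string in a file-supplied chunk that has no NUL terminator before the buffer ends (that reading is an inference from the trace, not a statement from the thread). The C code below is an added illustration of the defensive pattern for this class of bug; it is not fdkaac's caf_info() and not the fix in the commit linked below. It parses a CAF-style info chunk, whose layout (a big-endian uint32 pair count followed by NUL-terminated key and value strings) follows Apple's CAF specification, and it never reads past the chunk length it was given. The sample chunks, the function names and the constant sizes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounded string walk over an untrusted chunk. Returns the length of the
 * NUL-terminated string starting at *pos and advances *pos past the NUL,
 * or -1 if no NUL exists before the end of the chunk. This is the case in
 * which an unbounded strlen() would read beyond the allocation. */
static int bounded_cstr(const uint8_t *chunk, size_t len, size_t *pos)
{
    if (*pos >= len)
        return -1;
    const uint8_t *nul = memchr(chunk + *pos, 0, len - *pos);
    if (nul == NULL)
        return -1;
    size_t slen = (size_t)(nul - (chunk + *pos));
    *pos += slen + 1;            /* skip the string and its terminator */
    return (int)slen;
}

/* Parse a CAF-style info chunk: uint32 big-endian pair count, then
 * count x (key, value) NUL-terminated strings. Returns the number of pairs
 * parsed, or -1 if the chunk is malformed or truncated. Every iteration
 * consumes at least one byte, so a huge declared count cannot make the
 * loop run past the data. */
int parse_info_chunk(const uint8_t *chunk, size_t len)
{
    if (len < 4)
        return -1;
    uint32_t count = ((uint32_t)chunk[0] << 24) | ((uint32_t)chunk[1] << 16) |
                     ((uint32_t)chunk[2] << 8)  |  (uint32_t)chunk[3];
    size_t pos = 4;
    for (uint32_t i = 0; i < count; i++) {
        if (bounded_cstr(chunk, len, &pos) < 0)   /* key */
            return -1;
        if (bounded_cstr(chunk, len, &pos) < 0)   /* value */
            return -1;
    }
    return (int)count;
}

/* Constructed sample chunks (not real files from the report). */
static const uint8_t GOOD_CHUNK[] = {
    0, 0, 0, 2,
    't', 'i', 't', 'l', 'e', 0,  'd', 'e', 'm', 'o', 0,
    'a', 'r', 't', 'i', 's', 't', 0,  't', 'e', 's', 't', 0
};
/* Last value is missing its NUL terminator: a strlen() here would overread. */
static const uint8_t TRUNCATED_CHUNK[] = {
    0, 0, 0, 1,
    't', 'i', 't', 'l', 'e', 0,  'd', 'e', 'm'
};
/* Declares far more pairs than the chunk contains. */
static const uint8_t OVERCLAIMED_CHUNK[] = {
    0x7f, 0xff, 0xff, 0xff,
    'k', 0, 'v', 0
};
static const uint8_t EMPTY_CHUNK[] = { 0, 0, 0, 0 };

int main(void)
{
    printf("good:       %d\n", parse_info_chunk(GOOD_CHUNK, sizeof GOOD_CHUNK));
    printf("truncated:  %d\n", parse_info_chunk(TRUNCATED_CHUNK, sizeof TRUNCATED_CHUNK));
    printf("overclaimed:%d\n", parse_info_chunk(OVERCLAIMED_CHUNK, sizeof OVERCLAIMED_CHUNK));
    printf("empty:      %d\n", parse_info_chunk(EMPTY_CHUNK, sizeof EMPTY_CHUNK));
    printf("too short:  %d\n", parse_info_chunk(EMPTY_CHUNK, 2));
    return 0;
}
```

The design choice worth noting is that the chunk length, not the string contents, is the only bound the parser trusts: memchr() with an explicit remaining length replaces strlen(), and the declared pair count is treated as a hint that is checked against the data rather than a loop bound in its own right. Running the binary under the same ASAN build used in the validation steps is a cheap way to confirm a parser of this kind stays inside its allocation on truncated input.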

nu774 commented 1 year ago

Thanks for reporting, fixed on https://github.com/nu774/fdkaac/commit/22dbf72491541aa854835fdf2a9a0d92532728d8