search

sahaRatul / sela

SimplE Lossless Audio
https://seladoc.netlify.com/
MIT License
209 stars 23 forks source link

various BOF in sela decoder #17

Closed xer0times closed 4 years ago

xer0times commented 6 years ago

Hey Ratul,

when i was fuzzing the SELA decoder, i found many unique crash that i report them in this and maybe other issues:

id_000000,sig_06,src_000004,op_flip1,pos_10.zip

. 

SimplE Lossless Audio Decoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : crash/id:000000,sig:06,src:000004,op:flip1,pos:10
Output : out.wav

Stream Information
------------------
Sample rate : 22050 Hz
Bits per sample : 16
Channels : 129

Metadata
--------
No metadata found
=================================================================
==2752==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd8218ef20 at pc 0x00000049e5ac bp 0x7ffd8218a410 sp 0x7ffd82189bc0
WRITE of size 9304 at 0x7ffd8218ef20 thread T0
    #0 0x49e5ab in fread (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x49e5ab)
    #1 0x516d16 in main /home/xer0days/Service_test/sela-latest/core/decode.c:146:12
    #2 0x7f49379e582f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a188 in _start (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x41a188)

Address 0x7ffd8218ef20 is located in stack of thread T0 at offset 18944 in frame
    #0 0x515daf in main /home/xer0days/Service_test/sela-latest/core/decode.c:13

  This frame has 28 object(s):
    [32, 36) 'magic_number' (line 30)
    [48, 49) 'channels' (line 42)
    [64, 65) 'curr_channel' (line 42)
    [80, 81) 'rice_param_ref' (line 42)
    [96, 97) 'rice_param_residue' (line 42)
    [112, 113) 'opt_lpc_order' (line 42)
    [128, 130) 'bps' (line 43)
    [144, 146) 'num_ref_elements' (line 45)
    [160, 162) 'num_residue_elements' (line 45)
    [176, 178) 'samples_per_channel' (line 45)
    [192, 196) 'sample_rate' (line 46)
    [208, 212) 'temp' (line 48)
    [224, 228) 'estimated_frames' (line 49)
    [240, 640) 's_ref' (line 56)
    [704, 8896) 's_residues' (line 57)
    [9152, 17344) 'rcv_samples' (line 58)
    [17600, 18408) 'lpc' (line 59)
    [18544, 18944) 'compressed_ref' (line 60)
    [19008, 27200) 'compressed_residues' (line 61) <== Memory access at offset 18944 partially underflows this variable
    [27456, 27856) 'decomp_ref' (line 62) <== Memory access at offset 18944 partially underflows this variable
    [27920, 36112) 'decomp_residues' (line 63) <== Memory access at offset 18944 partially underflows this variable
    [36368, 37168) 'ref' (line 64)
    [37296, 117296) 'lpc_mat' (line 65)
    [117552, 117572) 'read_state' (line 68)
    [117616, 117649) 'keys_inst' (line 69)
    [117696, 117720) 'ape_read_list' (line 70)
    [117760, 117792) 'read_header' (line 71)
    [117824, 117868) 'hdr' (line 124)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x49e5ab) in fread
Shadow bytes around the buggy address:
  0x100030429d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030429da0: 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x100030429db0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030429dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030429dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100030429de0: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x100030429df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030429e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030429e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030429e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030429e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2752==ABORTING

the compressed_ref variable is defined like:

uint32_t compressed_ref[MAX_LPC_ORDER];

but there is something wrong :

<PEDA> where
#0  main (argc=0x3, argv=0x7fffffffdf48) at core/decode.c:146
#1  0x00007ffff7725830 in __libc_start_main (main=0x400ae0 <main>, argc=0x3, argv=0x7fffffffdf48, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf38) at ../csu/libc-start.c:291
#2  0x0000000000400a09 in _start ()
<PEDA> p sizeof(uint32_t)
$11 = 0x4
<PEDA> p/d num_ref_elements
$12 = 43605
<PEDA> p i
$13 = 0x1
xer0times commented 6 years ago

for second bug, you will get segmentation fault when you run it without sanitizer and the seladec output is like this:

SimplE Lossless Audio Decoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : crash/id:000001,sig:06,src:000004,op:flip1,pos:20
Output : out.wav
[1]    3058 segmentation fault (core dumped)  ./seladec.origin crash/id:000001,sig:06,src:000004,op:flip1,pos:20 out.wav

here is santizer output:

SimplE Lossless Audio Decoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : crash/id:000001,sig:06,src:000004,op:flip1,pos:20
Output : out.wav

Stream Information
------------------
Sample rate : 22050 Hz
Bits per sample : 16
Channels : 1(Monoaural)

Metadata
--------
No metadata found
=================================================================
==2786==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff90ecf200 at pc 0x000000521915 bp 0x7fff90eca6a0 sp 0x7fff90eca698
READ of size 4 at 0x7fff90ecf200 thread T0
    #0 0x521914 in rice_decode_block /home/xer0days/Service_test/sela-latest/core/rice.c:177:19
    #1 0x516dfb in main /home/xer0days/Service_test/sela-latest/core/decode.c:155:5
    #2 0x7f1dd092482f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a188 in _start (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x41a188)

Address 0x7fff90ecf200 is located in stack of thread T0 at offset 18944 in frame
    #0 0x515daf in main /home/xer0days/Service_test/sela-latest/core/decode.c:13

  This frame has 28 object(s):
    [32, 36) 'magic_number' (line 30)
    [48, 49) 'channels' (line 42)
    [64, 65) 'curr_channel' (line 42)
    [80, 81) 'rice_param_ref' (line 42)
    [96, 97) 'rice_param_residue' (line 42)
    [112, 113) 'opt_lpc_order' (line 42)
    [128, 130) 'bps' (line 43)
    [144, 146) 'num_ref_elements' (line 45)
    [160, 162) 'num_residue_elements' (line 45)
    [176, 178) 'samples_per_channel' (line 45)
    [192, 196) 'sample_rate' (line 46)
    [208, 212) 'temp' (line 48)
    [224, 228) 'estimated_frames' (line 49)
    [240, 640) 's_ref' (line 56)
    [704, 8896) 's_residues' (line 57)
    [9152, 17344) 'rcv_samples' (line 58)
    [17600, 18408) 'lpc' (line 59)
    [18544, 18944) 'compressed_ref' (line 60) <== Memory access at offset 18944 overflows this variable
    [19008, 27200) 'compressed_residues' (line 61)
    [27456, 27856) 'decomp_ref' (line 62)
    [27920, 36112) 'decomp_residues' (line 63)
    [36368, 37168) 'ref' (line 64)
    [37296, 117296) 'lpc_mat' (line 65)
    [117552, 117572) 'read_state' (line 68)
    [117616, 117649) 'keys_inst' (line 69)
    [117696, 117720) 'ape_read_list' (line 70)
    [117760, 117792) 'read_header' (line 71)
    [117824, 117868) 'hdr' (line 124)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/xer0days/Service_test/sela-latest/core/rice.c:177:19 in rice_decode_block
Shadow bytes around the buggy address:
  0x1000721d1df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2
  0x1000721d1e00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00
  0x1000721d1e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000721d1e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000721d1e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000721d1e40:[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x1000721d1e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000721d1e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000721d1e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000721d1e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000721d1e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2786==ABORTING

id_000001,sig_06,src_000004,op_flip1,pos_20.zip

xer0times commented 6 years ago

the third one is like second but with different execution path, here is the execution normally output:

SimplE Lossless Audio Decoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : crash/id:000002,sig:06,src:000004,op:flip1,pos:21
Output : out.wav

Stream Information
------------------
Sample rate : 22050 Hz
Bits per sample : 16
Channels : 1(Monoaural)

Metadata
--------
No metadata found
[1]    3760 segmentation fault (core dumped)  ./seladec  out.wav

and sanitizer output :


SimplE Lossless Audio Decoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : crash/id:000002,sig:06,src:000004,op:flip1,pos:21
Output : out.wav

Stream Information
------------------
Sample rate : 22050 Hz
Bits per sample : 16
Channels : 1(Monoaural)

Metadata
--------
No metadata found
=================================================================
==3698==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc3f027760 at pc 0x00000049e5ac bp 0x7ffc3f022c50 sp 0x7ffc3f022400
WRITE of size 556 at 0x7ffc3f027760 thread T0
    #0 0x49e5ab in fread (/home/xer0days/sela-latest/fuzzing_report/seladec/seladec+0x49e5ab)
    #1 0x516d16 in main /home/xer0days/Service_test/sela-latest/core/decode.c:146:12
    #2 0x7f557e08e82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a188 in _start (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x41a188)

Address 0x7ffc3f027760 is located in stack of thread T0 at offset 18944 in frame
    #0 0x515daf in main /home/xer0days/Service_test/sela-latest/core/decode.c:13

  This frame has 28 object(s):
    [32, 36) 'magic_number' (line 30)
    [48, 49) 'channels' (line 42)
    [64, 65) 'curr_channel' (line 42)
    [80, 81) 'rice_param_ref' (line 42)
    [96, 97) 'rice_param_residue' (line 42)
    [112, 113) 'opt_lpc_order' (line 42)
    [128, 130) 'bps' (line 43)
    [144, 146) 'num_ref_elements' (line 45)
    [160, 162) 'num_residue_elements' (line 45)
    [176, 178) 'samples_per_channel' (line 45)
    [192, 196) 'sample_rate' (line 46)
    [208, 212) 'temp' (line 48)
    [224, 228) 'estimated_frames' (line 49)
    [240, 640) 's_ref' (line 56)
    [704, 8896) 's_residues' (line 57)
    [9152, 17344) 'rcv_samples' (line 58)
    [17600, 18408) 'lpc' (line 59)
    [18544, 18944) 'compressed_ref' (line 60)
    [19008, 27200) 'compressed_residues' (line 61) <== Memory access at offset 18944 partially underflows this variable
    [27456, 27856) 'decomp_ref' (line 62)
    [27920, 36112) 'decomp_residues' (line 63)
    [36368, 37168) 'ref' (line 64)
    [37296, 117296) 'lpc_mat' (line 65)
    [117552, 117572) 'read_state' (line 68)
    [117616, 117649) 'keys_inst' (line 69)
    [117696, 117720) 'ape_read_list' (line 70)
    [117760, 117792) 'read_header' (line 71)
    [117824, 117868) 'hdr' (line 124)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x49e5ab) in fread
Shadow bytes around the buggy address:
  0x100007dfce90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100007dfcea0: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2
  0x100007dfceb0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x100007dfcec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100007dfced0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100007dfcee0: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x100007dfcef0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x100007dfcf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100007dfcf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100007dfcf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100007dfcf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3698==ABORTING

id_000002,sig_06,src_000004,op_flip1,pos_21.zip

xer0times commented 6 years ago

this one is global-buffer-overflow.

SimplE Lossless Audio Decoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : crash/id:000006,sig:06,src:000004,op:flip1,pos:5870
Output : out.wav

Stream Information
------------------
Sample rate : 22050 Hz
Bits per sample : 16
Channels : 1(Monoaural)

Metadata
--------
No metadata found
[                         ]=================================================================
==3979==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000547050 at pc 0x0000005262bd bp 0x7ffcb10bc4b0 sp 0x7ffcb10bc4a8
READ of size 8 at 0x000000547050 thread T0
    #0 0x5262bc in dqtz_ref_cof /home/xer0days/Service_test/sela-latest/core/lpc.c:283:13
    #1 0x516ea3 in main /home/xer0days/Service_test/sela-latest/core/decode.c:163:5
    #2 0x7f9ef3e0082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a188 in _start (/home/xer0days/Service_test/sela-latest/fuzzing_report/seladec/seladec+0x41a188)

0x000000547050 is located 176 bytes to the right of global variable 'lookup_2nd_order_coeffs' defined in 'core/lpc.c:37:1' (0x546ba0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /home/xer0days/Service_test/sela-latest/core/lpc.c:283:13 in dqtz_ref_cof
Shadow bytes around the buggy address:
  0x0000800a0db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0df0: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0000800a0e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9
  0x0000800a0e10: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3979==ABORTING

id_000006,sig_06,src_000004,op_flip1,pos_5870.zip

sahaRatul commented 4 years ago

Feel free to recheck this as the entire code has been rewritten