bug-libextractor

[bug-libextractor] crash-19b19795b4eb9a0b31689ba9bf2c08d4c2de0621


From: 黄金
Subject: [bug-libextractor] crash-19b19795b4eb9a0b31689ba9bf2c08d4c2de0621
Date: Thu, 12 Jul 2018 15:00:59 +0800 (CST)

Problem:
stack buffer underflow vulnerability in function ec_read_file_func().

Tested Version:
extract v1.6

System Information:
Ubuntu 16.04.4 LTS

Details:
Function ec_read_file_func() (unzip.c) can cause a stack overflow vulnerability while
extracting a malformed file.

address@hidden:~/Desktop$extract crash-19b19795b4eb9a0b31689ba9bf2c08d4c2de0621 
Keywords for file crash-19b19795b4eb9a0b31689ba9bf2c08d4c2de0621:
mimetype - audio/ogg
audio preview - (binary, 2249 bytes)
duration - 0:00:01.348299320
mimetype - audio/ogg
mimetype - audio/x-vorbis
created by software - REAPER
comment - index=0
encoder - Xiph.Org libVorbis I 20101101 (Schaufenugget)
encoder version - 0
audio codec - Vorbis
container format - Ogg
channels - 2
sample rate - 44100
audio depth - 32
audio bitrate - 112000
*** stack smashing detected ***: extract terminated 

the details reported by ASan:

=================================================================
==350==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffce3dbb2e0 at pc 0x000000436b36 bp 0x7ffce3dba980 sp 0x7ffce3dba120
WRITE of size 1028 at 0x7ffce3dbb2e0 thread T0
    #0 0x436b35 in memcpy /tmp/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:779:5
    #1 0x7fafc629a39a in memcpy /usr/x86_64-linux-gnu/include/bits/string_fortified.h:34
    #2 0x7fafc629a39a in ec_read_file_func /media/septem/S1TB/fuzz_targets/libextractor_backup/src/common/unzip.c:1353
    #3 0x7fafc629a53f in locate_central_directory /media/septem/S1TB/fuzz_targets/libextractor_backup/src/common/unzip.c:492
    #4 0x7fafc629a53f in unzip_open_using_ffd.constprop.1 /media/septem/S1TB/fuzz_targets/libextractor_backup/src/common/unzip.c:740
    #5 0x7fafc629b2c3 in EXTRACTOR_common_unzip_open /media/septem/S1TB/fuzz_targets/libextractor_backup/src/common/unzip.c:1413
    #6 0x7fafc662dc2a in EXTRACTOR_odf_extract_method /media/septem/S1TB/fuzz_targets/libextractor_backup/src/plugins/odf_extractor.c:167
    #7 0x4fcf37 in handle_start_message /media/septem/S1TB/fuzz_targets/libextractor/src/main/extractor_plugin_main.c:480:3
    #8 0x4fcf37 in process_requests /media/septem/S1TB/fuzz_targets/libextractor/src/main/extractor_plugin_main.c:531
    #9 0x4fcf37 in EXTRACTOR_plugin_main_ /media/septem/S1TB/fuzz_targets/libextractor/src/main/extractor_plugin_main.c:632
    #10 0x4fb13d in EXTRACTOR_IPC_channel_create_ /media/septem/S1TB/fuzz_targets/libextractor/src/main/extractor_ipc_gnu.c:355:7
    #11 0x4f0e18 in EXTRACTOR_extract /media/septem/S1TB/fuzz_targets/libextractor/src/main/extractor.c:659:17
    #12 0x4eda22 in LLVMFuzzerTestOneInput /media/septem/S1TB/fuzz_targets/fuzz_libextractor.cpp:6:2
    #13 0x508b94 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /media/septem/S1TB/libfuzzer-workshop/libFuzzer/Fuzzer/FuzzerLoop.cpp:451:13
    #14 0x508dc1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /media/septem/S1TB/libfuzzer-workshop/libFuzzer/Fuzzer/FuzzerLoop.cpp:408:3
    #15 0x50976c in fuzzer::Fuzzer::MutateAndTestOne() /media/septem/S1TB/libfuzzer-workshop/libFuzzer/Fuzzer/FuzzerLoop.cpp:587:30
    #16 0x5099d7 in fuzzer::Fuzzer::Loop() /media/septem/S1TB/libfuzzer-workshop/libFuzzer/Fuzzer/FuzzerLoop.cpp:615:5
    #17 0x502314 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /media/septem/S1TB/libfuzzer-workshop/libFuzzer/Fuzzer/FuzzerDriver.cpp:644:6
    #18 0x4feda0 in main /media/septem/S1TB/libfuzzer-workshop/libFuzzer/Fuzzer/FuzzerMain.cpp:20:10
    #19 0x7fafcc2f8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #20 0x41d6e9 in _start (/media/septem/S1TB/fuzz_targets/libextractor_fuzzer+0x41d6e9)

Address 0x7ffce3dbb2e0 is located in stack of thread T0 at offset 0 in frame
    #0 0x4fc86f in EXTRACTOR_plugin_main_ /media/septem/S1TB/fuzz_targets/libextractor/src/main/extractor_plugin_main.c:601

  This frame has 5 object(s):
    [32, 48) 'start.i.i' (line 458) <== Memory access at offset 0 partially underflows this variable
    [64, 112) 'ec.i.i' (line 459) <== Memory access at offset 0 partially underflows this variable
    [144, 145) 'done.i.i' (line 460) <== Memory access at offset 0 partially underflows this variable
    [160, 161) 'code.i' (line 514) <== Memory access at offset 0 partially underflows this variable
    [176, 240) 'pc' (line 602) <== Memory access at offset 0 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /tmp/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:779:5 in memcpy
Shadow bytes around the buggy address:
  0x10001c7af600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001c7af610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001c7af620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001c7af630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001c7af640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001c7af650: 00 00 00 00 00 00 00 00 00 00 00 00[f1]f1 f1 f1
  0x10001c7af660: 00 00 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2 01 f2
  0x10001c7af670: 01 f2 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3
  0x10001c7af680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001c7af690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001c7af6a0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==350==ABORTING

CREDIT:
ADLab of Venustech

Attachment: crash-19b19795b4eb9a0b31689ba9bf2c08d4c2de0621
Description: Binary data
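Editor's note on reading the trace, and an added example. The trace shows a 1028-byte memcpy issued from ec_read_file_func() (a read wrapper in unzip.c, called from locate_central_directory()) landing on the stack outside any object ASan knows about; the unzip.c and odf_extractor.c frames carry library addresses (0x7faf...) while the frame ASan describes belongs to EXTRACTOR_plugin_main_ in the fuzzer binary, so the "underflow" label appears to reflect the nearest instrumented frame rather than the actual victim buffer, and glibc's "*** stack smashing detected ***" in the plain build is the more direct evidence that a stack buffer was overrun. The report does not establish the root cause, and the example below does not claim to. It is added here as an illustration of the generic bug class such a trace points at, written for this page and not taken from libextractor: a read wrapper that copies whatever length a source callback reports into the caller's fixed-size buffer, beside a version that bounds the copy. The callback signature, `mem_read`, `read_unchecked`, `read_checked`, `run_wrapper` and the constructed input are all assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed callback shape for this example: the source hands back a pointer
 * into its own storage and the number of bytes that pointer is good for. */
typedef ssize_t (*read_cb)(void *cls, void **ptr, size_t want);

/* Constructed in-memory source. 'overshoot' lets it misbehave by reporting
 * more bytes than were requested, the condition a copying wrapper must
 * defend against. */
struct mem_src {
    const unsigned char *data;
    size_t len;
    size_t pos;
    size_t overshoot;
};

static ssize_t mem_read(void *cls, void **ptr, size_t want)
{
    struct mem_src *s = cls;
    size_t avail = s->len - s->pos;
    size_t give = want + s->overshoot;
    if (give > avail)
        give = avail;
    *ptr = (void *)(s->data + s->pos);
    s->pos += give;
    return (ssize_t)give;
}

/* Unchecked wrapper: copies whatever length the callback reports. If the
 * callback returns more than (size - got), memcpy runs past 'buf'. */
static ssize_t read_unchecked(read_cb rd, void *cls, void *buf, size_t size)
{
    size_t got = 0;
    while (got < size) {
        void *ptr;
        ssize_t ret = rd(cls, &ptr, size - got);
        if (ret <= 0)
            return ret;
        memcpy((unsigned char *)buf + got, ptr, (size_t)ret);
        got += (size_t)ret;
    }
    return (ssize_t)got;
}

/* Hardened wrapper: the copy length is bounded by the space left in 'buf';
 * a callback that over-reports is a hard error, not something to clamp
 * silently and carry on with. */
static ssize_t read_checked(read_cb rd, void *cls, void *buf, size_t size)
{
    size_t got = 0;
    while (got < size) {
        void *ptr;
        ssize_t ret = rd(cls, &ptr, size - got);
        if (ret <= 0)
            return ret;
        if ((size_t)ret > size - got)
            return -1;
        memcpy((unsigned char *)buf + got, ptr, (size_t)ret);
        got += (size_t)ret;
    }
    return (ssize_t)got;
}

/* Harness: the first BUF bytes of 'region' play the role of the stack buffer,
 * the remaining GUARD bytes stand in for the neighbouring stack slots (canary,
 * saved registers, return address). Returns how many guard bytes the wrapper
 * overwrote, or -1 if the wrapper refused the read. Staying inside one array
 * keeps the demonstration well-defined while showing the same overrun. */
#define BUF   16
#define GUARD 64

static int run_wrapper(ssize_t (*wrapper)(read_cb, void *, void *, size_t),
                       size_t overshoot)
{
    unsigned char payload[BUF + GUARD];   /* constructed input, all 0x41 */
    unsigned char region[BUF + GUARD];
    struct mem_src src = { payload, sizeof payload, 0, overshoot };
    int clobbered = 0;

    memset(payload, 0x41, sizeof payload);
    memset(region, 0x00, sizeof region);
    if (wrapper(mem_read, &src, region, BUF) < 0)
        return -1;
    for (size_t i = BUF; i < sizeof region; i++)
        if (region[i] != 0x00)
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("unchecked, honest source: %d guard bytes clobbered\n", run_wrapper(read_unchecked, 0));
    printf("unchecked, lying source:  %d guard bytes clobbered\n", run_wrapper(read_unchecked, 24));
    printf("checked,   lying source:  %d (refused)\n", run_wrapper(read_checked, 24));
    return 0;
}
```

With an honest source both wrappers behave identically; once the source reports 40 bytes for a 16-byte request, the unchecked wrapper writes 24 bytes past its buffer, which on a real stack is what trips the canary and produces the "stack smashing detected" abort seen above, while the checked wrapper returns -1 and leaves the neighbouring bytes untouched.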

