libdwarf: memory allocation failure in do_decompress_zlib (dwarf_init_finish.c)

Description:
libdwarf is a library to consume and produce DWARF debug information.

Fuzzing an updated version revealed a memory allocation failure.

The complete ASan output:

# dwarfdump $FILE
==27994==WARNING: AddressSanitizer failed to allocate 0x62696c2f7273752f bytes 
==27994==AddressSanitizer's allocator is terminating the process instead of returning 0 
==27994==If you don't like this behavior set allocator_may_return_null=1 
==27994==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0) 
   #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67 
   #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159 
   #2 0x4cec76 in __sanitizer::ReportAllocatorCannotReturnNull() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 
   #3 0x42204c in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::ReturnNullOrDie() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1317 
   #4 0x42204c in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:359 
   #5 0x42204c in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718 
   #6 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53 
   #7 0x5b582e in do_decompress_zlib /tmp/dwarf-20161021/libdwarf/dwarf_init_finish.c:1085:12 
   #8 0x5b582e in _dwarf_load_section /tmp/dwarf-20161021/libdwarf/dwarf_init_finish.c:1159 
   #9 0x5bb479 in dwarf_srcfiles /tmp/dwarf-20161021/libdwarf/./dwarf_line.c:336:11 
   #10 0x5145cd in print_one_die_section /tmp/dwarf-20161021/dwarfdump/print_die.c:812:28 
   #11 0x512262 in print_infos /tmp/dwarf-20161021/dwarfdump/print_die.c:371:16 
   #12 0x4faafa in process_one_file /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:1371:9 
   #13 0x4faafa in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:654 
   #14 0x7f578f45a61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 
   #15 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)
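The requested size in the trace, 0x62696c2f7273752f, is exactly the byte string "/usr/lib" read as a little-endian integer: file bytes that were never a length reached malloc unchecked. As an added example (not libdwarf's code), this Python reader for the GNU .zdebug layout (4-byte "ZLIB" magic, 8-byte big-endian uncompressed size, then a zlib stream) checks the claimed size against what the payload could possibly expand to before allocating or decompressing; MAX_SECTION is an assumed policy cap, and make_zdebug/try_decompress are helpers written for this illustration.

```python
"""Bounded decompression of a GNU .zdebug-style compressed section.

Added illustration, not libdwarf code: the uncompressed size in the header
is file data and must be sanity-checked before any allocation depends on it.
"""
import struct
import zlib

ZDEBUG_MAGIC = b"ZLIB"   # magic that opens a GNU .zdebug_* section
HEADER_LEN = 12          # 4-byte magic + 8-byte big-endian uncompressed size
MAX_RATIO = 1032         # deflate cannot expand beyond about 1032:1 (zlib documentation)
MAX_SECTION = 1 << 30    # assumed absolute cap on one decompressed section (policy, not a format limit)


class CorruptSection(ValueError):
    """Raised when the header or the deflate stream is not trustworthy."""


def parse_zdebug_header(section: bytes):
    """Split a section into (claimed_uncompressed_size, deflate_payload)."""
    if len(section) < HEADER_LEN:
        raise CorruptSection("section shorter than the ZLIB header")
    if section[:4] != ZDEBUG_MAGIC:
        raise CorruptSection("missing ZLIB magic")
    (claimed,) = struct.unpack(">Q", section[4:HEADER_LEN])
    return claimed, section[HEADER_LEN:]


def decompress_section(section: bytes) -> bytes:
    """Decompress a section, checking the claimed size before acting on it."""
    claimed, payload = parse_zdebug_header(section)
    # Validate before any allocation that depends on `claimed`.
    if claimed == 0 or claimed > MAX_SECTION:
        raise CorruptSection(f"claimed size {claimed:#x} out of range")
    if claimed > len(payload) * MAX_RATIO:
        raise CorruptSection(
            f"claimed size {claimed:#x} exceeds what {len(payload)} payload bytes can expand to")
    # Ask for at most claimed+1 bytes: an over-long stream shows up as one extra
    # byte instead of unbounded output, and a short stream as len(out) < claimed.
    d = zlib.decompressobj()
    out = d.decompress(payload, claimed + 1)
    if len(out) != claimed or not d.eof or d.unused_data:
        raise CorruptSection("deflate stream length disagrees with header")
    return out


def try_decompress(section: bytes):
    """(True, data) on success, (False, reason) on rejection; for tests and logging."""
    try:
        return True, decompress_section(section)
    except (CorruptSection, zlib.error) as exc:
        return False, str(exc)


def make_zdebug(data: bytes, claimed=None) -> bytes:
    """Build a constructed .zdebug-style section; `claimed` lets a sample lie about the size."""
    size = len(data) if claimed is None else claimed
    return ZDEBUG_MAGIC + struct.pack(">Q", size) + zlib.compress(data)


# Constructed sample data. TRACE_SIZE is the allocation size from the ASan
# output above; read back as little-endian bytes it spells "/usr/lib".
SAMPLE_DATA = b"\x00" * 200 + b"constructed .debug_info bytes"
TRACE_SIZE = 0x62696C2F7273752F
TRACE_SIZE_BYTES = TRACE_SIZE.to_bytes(8, "little")

if __name__ == "__main__":
    print(try_decompress(make_zdebug(SAMPLE_DATA))[0])              # True
    print(try_decompress(make_zdebug(SAMPLE_DATA, TRACE_SIZE))[1])  # rejected: out of range
    print(try_decompress(make_zdebug(SAMPLE_DATA, 16))[1])          # rejected: header understates
```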

Affected version:
20161021

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00024-libdwarf-memalloc-do_decompress_zlib

Timeline:
2016-11-02: bug discovered and reported to upstream
2016-11-05: upstream released a patch
2016-11-07: blog post about the issue
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.

libdwarf: heap-based buffer overflow in dwarf_get_aranges_list (dwarf_arange.c)

Description:
libdwarf is a library to consume and produce DWARF debug information.

Fuzzing an updated version revealed a buffer overflow.

The complete ASan output:

# dwarfdump $FILE
==27460==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000eff4 at pc 0x00000047349b bp 0x7ffd9feadaf0 sp 0x7ffd9fead2a0
READ of size 2 at 0x60600000eff4 thread T0
    #0 0x47349a in memcpy /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:438
    #1 0x56cbe0 in dwarf_get_aranges_list /tmp/dwarf-20161021/libdwarf/dwarf_arange.c:118:9
    #2 0x56c0dc in dwarf_get_aranges /tmp/dwarf-20161021/libdwarf/dwarf_arange.c:318:11
    #3 0x50f103 in print_aranges /tmp/dwarf-20161021/dwarfdump/print_aranges.c:145:12
    #4 0x4fb2bf in process_one_file /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:1420:9
    #5 0x4fb2bf in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:654
    #6 0x7f2b42a4461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

0x60600000eff4 is located 0 bytes to the right of 52-byte region [0x60600000efc0,0x60600000eff4)
allocated by thread T0 here:
    #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f2b43b1e206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c7fff9df0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00[04]fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27460==ABORTING
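The 2-byte read that lands exactly at the end of the 52-byte region is the signature of a .debug_aranges header field being read without first checking that it still lies inside the section libelf handed over. As an added example (not libdwarf's code), this Python parser walks every set in a .debug_aranges section through a reader that refuses to cross the section end, so a set whose unit_length or header does not fit is rejected instead of read; BoundedReader, build_set and the sample sections are constructed for this illustration.

```python
"""Bounds-checked parsing of a .debug_aranges section.

Added illustration, not libdwarf code: every header field, including the
2-byte version that the trace shows being read at the end of the section
buffer, goes through a reader that cannot cross the section end.
"""
import struct

DWARF64_ESCAPE = 0xFFFFFFFF


class CorruptAranges(ValueError):
    """Raised when a set's header or tuples do not fit inside the section."""


class BoundedReader:
    """Cursor over data[start:end] that raises instead of reading past `end`."""

    def __init__(self, data: bytes, start: int = 0, end=None):
        self.data, self.pos = data, start
        self.end = len(data) if end is None else end

    def need(self, n: int):
        if self.pos + n > self.end:
            raise CorruptAranges(
                f"need {n} bytes at {self.pos:#x}, only {self.end - self.pos} left")

    def uint(self, size: int) -> int:
        self.need(size)
        value = int.from_bytes(self.data[self.pos:self.pos + size], "little")
        self.pos += size
        return value

    def skip(self, n: int):
        self.need(n)
        self.pos += n


def parse_aranges(section: bytes):
    """Return [(debug_info_offset, [(address, length), ...]), ...], one entry per set."""
    sets, rd = [], BoundedReader(section)
    while rd.pos < len(section):
        set_start = rd.pos
        unit_length, offset_size = rd.uint(4), 4
        if unit_length == DWARF64_ESCAPE:           # DWARF64: the real length follows
            unit_length, offset_size = rd.uint(8), 8
        # unit_length counts the bytes after the length field; it must fit the section.
        set_end = rd.pos + unit_length
        if set_end > len(section):
            raise CorruptAranges(f"set at {set_start:#x} claims {unit_length} bytes past the section end")
        body = BoundedReader(section, rd.pos, set_end)   # nothing below may leave this set
        version = body.uint(2)                           # the read that overran in the trace
        if version != 2:
            raise CorruptAranges(f"unsupported .debug_aranges version {version}")
        info_offset = body.uint(offset_size)
        address_size, segment_size = body.uint(1), body.uint(1)
        if address_size not in (2, 4, 8) or segment_size != 0:
            raise CorruptAranges("unsupported address or segment selector size")
        tuple_size = 2 * address_size
        body.skip((set_start - body.pos) % tuple_size)   # pad to a tuple boundary from set start
        ranges = []
        while True:
            address, length = body.uint(address_size), body.uint(address_size)
            if address == 0 and length == 0:             # terminating tuple
                break
            ranges.append((address, length))
        sets.append((info_offset, ranges))
        rd.pos = set_end
    return sets


def check_aranges(section: bytes):
    """(True, sets) or (False, reason), for tests and logging."""
    try:
        return True, parse_aranges(section)
    except CorruptAranges as exc:
        return False, str(exc)


def build_set(info_offset: int, address_size: int, ranges) -> bytes:
    """Constructed 32-bit DWARF .debug_aranges set (little-endian) for the samples below."""
    body = struct.pack("<HIBB", 2, info_offset, address_size, 0)
    body += b"\x00" * ((-(4 + len(body))) % (2 * address_size))
    fmt = {4: "<II", 8: "<QQ"}[address_size]
    for address, length in list(ranges) + [(0, 0)]:
        body += struct.pack(fmt, address, length)
    return struct.pack("<I", len(body)) + body


# Constructed samples. TRAILING_LENGTH_ONLY mirrors the trace: a unit_length that
# fits the section, followed by no room at all for the 2-byte version field.
SAMPLE = build_set(0, 4, [(0x1000, 0x20), (0x2000, 0x10)])
TRAILING_LENGTH_ONLY = SAMPLE + struct.pack("<I", 0)
OVERLONG = struct.pack("<I", 0x1000) + SAMPLE[4:]

if __name__ == "__main__":
    print(parse_aranges(SAMPLE))
    print(check_aranges(TRAILING_LENGTH_ONLY)[1])   # need 2 bytes ..., only 0 left
    print(check_aranges(OVERLONG)[1])               # claims 4096 bytes past the section end
```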

Affected version:
20161021

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9276

Reproducer:
https://github.com/asarubbo/poc/blob/master/00026-libdwarf-heapoverflow-dwarf_get_aranges_list

Timeline:
2016-11-02: bug discovered and reported to upstream
2016-11-05: upstream released a patch
2016-11-07: blog post about the issue
2016-11-11: CVE assigned
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.

libdwarf: heap-based buffer overflow in get_attr_value (print_die.c)

Description:
libdwarf is a library to consume and produce DWARF debug information.

Fuzzing an updated version revealed a buffer overflow.

The complete ASan output:

# dwarfdump $FILE
==27395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000de1c at pc 0x000000528cd3 bp 0x7ffd980a63b0 sp 0x7ffd980a63a8
READ of size 1 at 0x61300000de1c thread T0
    #0 0x528cd2 in get_attr_value /tmp/dwarf-20161021/dwarfdump/print_die.c:4978:21
    #1 0x51e4a4 in print_attribute /tmp/dwarf-20161021/dwarfdump/print_die.c:3357:13
    #2 0x51a651 in print_one_die /tmp/dwarf-20161021/dwarfdump/print_die.c:1458:38
    #3 0x51710c in print_die_and_children_internal /tmp/dwarf-20161021/dwarfdump/print_die.c:1047:36
    #4 0x517c6b in print_die_and_children_internal /tmp/dwarf-20161021/dwarfdump/print_die.c:1142:13
    #5 0x5147cc in print_die_and_children /tmp/dwarf-20161021/dwarfdump/print_die.c:921:5
    #6 0x5147cc in print_one_die_section /tmp/dwarf-20161021/dwarfdump/print_die.c:831
    #7 0x512262 in print_infos /tmp/dwarf-20161021/dwarfdump/print_die.c:371:16
    #8 0x4faafa in process_one_file /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:1371:9
    #9 0x4faafa in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:654
    #10 0x7f883beec61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #11 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

0x61300000de1c is located 0 bytes to the right of 348-byte region [0x61300000dcc0,0x61300000de1c)
allocated by thread T0 here:
    #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f883cfc6206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dwarf-20161021/dwarfdump/print_die.c:4978:21 in get_attr_value
Shadow bytes around the buggy address:
  0x0c267fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9b80: 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa fa
  0x0c267fff9b90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c267fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bc0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27395==ABORTING

Affected version:
20161021

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00025-libdwarf-heapoverflow-get_attr_value

Timeline:
2016-11-02: bug discovered and reported to upstream
2016-11-05: upstream released a patch
2016-11-07: blog post about the issue
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.

libdwarf: heap-based buffer overflow in _dwarf_skim_forms (dwarf_macro5.c)

Description:
libdwarf is a library to consume and produce DWARF debug information.

Fuzzing an updated version revealed a buffer overflow.

The complete ASan output:

# dwarfdump $FILE
==2437==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62000000fe5b at pc 0x000000462c7c bp 0x7ffea0d4b690 sp 0x7ffea0d4ae40
READ of size 29 at 0x62000000fe5b thread T0
    #0 0x462c7b in __interceptor_strlen /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:581
    #1 0x5edea2 in _dwarf_skim_forms /tmp/dwarf-20161021/libdwarf/dwarf_macro5.c:185:17
    #2 0x5edea2 in _dwarf_get_macro_ops_count_internal /tmp/dwarf-20161021/libdwarf/dwarf_macro5.c:346
    #3 0x5eb886 in _dwarf_internal_macro_context_by_offset /tmp/dwarf-20161021/libdwarf/dwarf_macro5.c:1338:11
    #4 0x5eb886 in _dwarf_internal_macro_context /tmp/dwarf-20161021/libdwarf/dwarf_macro5.c:1201
    #5 0x5ed10e in dwarf_get_macro_context_by_offset /tmp/dwarf-20161021/libdwarf/dwarf_macro5.c:1467:11
    #6 0x54f7be in print_macros_5style_this_cu /tmp/dwarf-20161021/dwarfdump/print_macro.c:288:16
    #7 0x514d0f in print_one_die_section /tmp/dwarf-20161021/dwarfdump/print_die.c:869:21
    #8 0x512262 in print_infos /tmp/dwarf-20161021/dwarfdump/print_die.c:371:16
    #9 0x4faafa in process_one_file /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:1371:9
    #10 0x4faafa in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:654
    #11 0x7f74b22e761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

0x62000000fe5b is located 0 bytes to the right of 3547-byte region [0x62000000f080,0x62000000fe5b)
allocated by thread T0 here:
    #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f74b33c1206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:581 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c407fff9f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c407fff9fc0: 00 00 00 00 00 00 00 00 00 00 00[03]fa fa fa fa
  0x0c407fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2437==ABORTING
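This advisory and the get_attr_value one above both report a read past the end of a section buffer allocated by libelf (here strlen running 29 bytes past a 3547-byte region, there a one-byte read past a 348-byte region): the data was trusted to be terminated or long enough, and the section end was not consulted. As an added example (not libdwarf's code), this Python operand skimmer for a subset of the DW_FORM codes that .debug_macro operands use bounds every read, including the search for the NUL that ends a DW_FORM_string, by the section end; the sample buffers and the check_skim helper are constructed for this illustration.

```python
"""Bounds-checked skimming of DW_FORM operands, as a .debug_macro reader must do.

Added illustration, not libdwarf code. Every read, including the search for
the NUL that ends a DW_FORM_string, is limited by the section end instead
of trusting the data to be terminated.
"""

# DW_FORM codes from the DWARF standard (subset).
DW_FORM_addr = 0x01
DW_FORM_data2 = 0x05
DW_FORM_data4 = 0x06
DW_FORM_data8 = 0x07
DW_FORM_string = 0x08
DW_FORM_data1 = 0x0B
DW_FORM_flag = 0x0C
DW_FORM_sdata = 0x0D
DW_FORM_strp = 0x0E
DW_FORM_udata = 0x0F

FIXED_SIZE = {DW_FORM_data1: 1, DW_FORM_flag: 1, DW_FORM_data2: 2,
              DW_FORM_data4: 4, DW_FORM_data8: 8}


class CorruptMacro(ValueError):
    """Raised when an operand would extend past the end of the section."""


def read_cstring(buf: bytes, pos: int, end: int):
    """Return (string, new_pos) for a NUL-terminated string that must end before `end`."""
    nul = buf.find(b"\x00", pos, end)          # bounded search: a strnlen, not a strlen
    if nul < 0:
        raise CorruptMacro(f"unterminated string at offset {pos:#x}")
    return buf[pos:nul], nul + 1


def read_leb128(buf: bytes, pos: int, end: int, signed: bool = False):
    """Decode a ULEB128/SLEB128 value, refusing to run past `end` or past 64 bits."""
    result, shift = 0, 0
    while True:
        if pos >= end:
            raise CorruptMacro("LEB128 runs past end of section")
        if shift > 63:
            raise CorruptMacro("LEB128 longer than 64 bits")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    if signed and byte & 0x40:
        result -= 1 << shift
    return result, pos


def skim_forms(buf: bytes, pos: int, end: int, forms, address_size=8, offset_size=4):
    """Consume one operand per form code starting at `pos`; return (operands, new_pos)."""
    operands = []
    for form in forms:
        if form == DW_FORM_string:
            val, pos = read_cstring(buf, pos, end)
        elif form == DW_FORM_udata:
            val, pos = read_leb128(buf, pos, end)
        elif form == DW_FORM_sdata:
            val, pos = read_leb128(buf, pos, end, signed=True)
        else:
            size = FIXED_SIZE.get(form) or {DW_FORM_addr: address_size,
                                            DW_FORM_strp: offset_size}.get(form)
            if size is None:
                raise CorruptMacro(f"unknown form {form:#x}")
            if pos + size > end:
                raise CorruptMacro(f"form {form:#x} needs {size} bytes at {pos:#x}, section ends at {end:#x}")
            val = int.from_bytes(buf[pos:pos + size], "little")
            pos += size
        operands.append(val)
    return operands, pos


def check_skim(buf: bytes, forms, **kw):
    """(True, operands) or (False, reason), for tests and logging."""
    try:
        return True, skim_forms(buf, 0, len(buf), forms, **kw)[0]
    except CorruptMacro as exc:
        return False, str(exc)


# Constructed samples: a define-style operand pair (udata line number, inline string).
GOOD = b"\x80\x01" + b"#define X 1\x00"      # line 128, properly terminated string
UNTERMINATED = b"\x80\x01" + b"#define X 1"  # same bytes, but the NUL never comes

if __name__ == "__main__":
    print(check_skim(GOOD, [DW_FORM_udata, DW_FORM_string]))          # (True, [128, b'#define X 1'])
    print(check_skim(UNTERMINATED, [DW_FORM_udata, DW_FORM_string]))  # (False, 'unterminated string ...')
```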

Affected version:
20161021

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9275

Reproducer:
https://github.com/asarubbo/poc/blob/master/00027-libdwarf-heapoverflow-_dwarf_skim_forms

Timeline:
2016-11-02: bug discovered and reported to upstream
2016-11-05: upstream released a patch
2016-11-07: blog post about the issue
2016-11-11: CVE assigned
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.

jasper: use after free in jas_realloc (jas_malloc.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

A crafted image, possibly posted in the past as a testcase for another bug, causes a use-after-free in version 1.900.18. No fuzzer was involved this time.

The complete ASan output:

# imginfo -f $FILE
Corrupt JPEG data: 19 extraneous bytes before marker 0xda
=================================================================
==21990==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009b80 at pc 0x7fce4229d29d bp 0x7fffab22f9a0 sp 0x7fffab22f998
READ of size 8 at 0x619000009b80 thread T0
    #0 0x7fce4229d29c in jas_realloc /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:182:21
    #1 0x7fce422a5e38 in mem_resize /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:1001:14
    #2 0x7fce422a5e38 in mem_write /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:1027
    #3 0x7fce422a30e5 in jas_stream_flushbuf /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:822:7
    #4 0x7fce422a4b4c in jas_stream_flush /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:752:9
    #5 0x7fce422a4b4c in jas_stream_seek /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:659
    #6 0x7fce42273928 in jas_image_cmpt_create /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:351:4
    #7 0x7fce42276986 in jas_image_addcmpt /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:723:18
    #8 0x7fce4233e3fc in jpg_mkimage /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/jpg/jpg_dec.c:268:7
    #9 0x7fce4233e3fc in jpg_decode /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/jpg/jpg_dec.c:183
    #10 0x7fce422749bd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:396:16
    #11 0x4f1330 in main /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/appl/imginfo.c:203:16
    #12 0x7fce4138961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #13 0x418cb8 in _init (/usr/bin/imginfo+0x418cb8)

0x619000009b80 is located 0 bytes inside of 1056-byte region [0x619000009b80,0x619000009fa0)
freed by thread T0 here:
    #0 0x4bff00 in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7fce4229d359 in jas_free /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:225:3

previously allocated by thread T0 here:
    #0 0x4c0208 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7fce4229d0b2 in jas_malloc /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:148:13

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:182:21 in jas_realloc
Shadow bytes around the buggy address:
  0x0c327fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff9370:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff93a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff93b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff93c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21990==ABORTING

Affected version:
1.900.18

Fixed version:
1.900.22

Commit fix:
https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9262

Reproducer:
https://github.com/asarubbo/poc/blob/master/00028-jasper-uaf-jas_realloc

Timeline:
2016-11-02: bug discovered and reported to upstream
2016-11-06: upstream released a patch and 1.900.22
2016-11-07: blog post about the issue
2016-11-10: CVE assigned

Note:
This bug was found with AddressSanitizer.

elfutils: memory allocation failure in allocate_elf (common.h)

Description:
elfutils is a set of libraries/utilities to handle ELF objects (a drop-in replacement for libelf).

During the fuzzing of libdwarf, I noticed a memory allocation failure that involves elfutils.
Actually, there is a proposed patch on the elfutils mailing list, but nobody commented.
EDIT: The patch has been committed, see below.

The complete ASan output:

# dwarfdump $FILE
==21982==ERROR: AddressSanitizer failed to allocate 0x3401fb3000 (223371538432) bytes of LargeMmapAllocator (error code: 12)
==21982==Process memory map follows:
        0x000000400000-0x0000006bc000   /usr/bin/dwarfdump-asan
        0x0000008bb000-0x0000008c3000   /usr/bin/dwarfdump-asan
        0x0000008c3000-0x000000900000   /usr/bin/dwarfdump-asan
        0x000000900000-0x0000015a4000
        0x00007fff7000-0x00008fff7000
        0x00008fff7000-0x02008fff7000
        0x02008fff7000-0x10007fff8000
        0x600000000000-0x603000000000
        0x603000000000-0x603000010000
        0x603000010000-0x604000000000
        0x604000000000-0x604000010000
        0x604000010000-0x619000000000
        0x619000000000-0x619000020000
        0x619000020000-0x624000000000
        0x624000000000-0x624000020000
        0x624000020000-0x640000000000
        0x640000000000-0x640000003000
        0x7f9f19d00000-0x7f9f19e00000
        0x7f9f19f00000-0x7f9f1a000000
        0x7f9f1a0a9000-0x7f9f1c3fb000
        0x7f9f1c3fb000-0x7f9f1c58e000   /lib64/libc-2.22.so
        0x7f9f1c58e000-0x7f9f1c78e000   /lib64/libc-2.22.so
        0x7f9f1c78e000-0x7f9f1c792000   /lib64/libc-2.22.so
        0x7f9f1c792000-0x7f9f1c794000   /lib64/libc-2.22.so
        0x7f9f1c794000-0x7f9f1c798000
        0x7f9f1c798000-0x7f9f1c7ae000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f9f1c7ae000-0x7f9f1c9ad000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f9f1c9ad000-0x7f9f1c9ae000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f9f1c9ae000-0x7f9f1c9af000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7f9f1c9af000-0x7f9f1c9b1000   /lib64/libdl-2.22.so
        0x7f9f1c9b1000-0x7f9f1cbb1000   /lib64/libdl-2.22.so
        0x7f9f1cbb1000-0x7f9f1cbb2000   /lib64/libdl-2.22.so
        0x7f9f1cbb2000-0x7f9f1cbb3000   /lib64/libdl-2.22.so
        0x7f9f1cbb3000-0x7f9f1ccb0000   /lib64/libm-2.22.so
        0x7f9f1ccb0000-0x7f9f1ceaf000   /lib64/libm-2.22.so
        0x7f9f1ceaf000-0x7f9f1ceb0000   /lib64/libm-2.22.so
        0x7f9f1ceb0000-0x7f9f1ceb1000   /lib64/libm-2.22.so
        0x7f9f1ceb1000-0x7f9f1ceb7000   /lib64/librt-2.22.so
        0x7f9f1ceb7000-0x7f9f1d0b7000   /lib64/librt-2.22.so
        0x7f9f1d0b7000-0x7f9f1d0b8000   /lib64/librt-2.22.so
        0x7f9f1d0b8000-0x7f9f1d0b9000   /lib64/librt-2.22.so
        0x7f9f1d0b9000-0x7f9f1d0d0000   /lib64/libpthread-2.22.so
        0x7f9f1d0d0000-0x7f9f1d2cf000   /lib64/libpthread-2.22.so
        0x7f9f1d2cf000-0x7f9f1d2d0000   /lib64/libpthread-2.22.so
        0x7f9f1d2d0000-0x7f9f1d2d1000   /lib64/libpthread-2.22.so
        0x7f9f1d2d1000-0x7f9f1d2d5000
        0x7f9f1d2d5000-0x7f9f1d2ea000   /lib64/libz.so.1.2.8
        0x7f9f1d2ea000-0x7f9f1d4e9000   /lib64/libz.so.1.2.8
        0x7f9f1d4e9000-0x7f9f1d4ea000   /lib64/libz.so.1.2.8
        0x7f9f1d4ea000-0x7f9f1d4eb000   /lib64/libz.so.1.2.8
        0x7f9f1d4eb000-0x7f9f1d502000   /usr/lib64/libelf-0.166.so
        0x7f9f1d502000-0x7f9f1d702000   /usr/lib64/libelf-0.166.so
        0x7f9f1d702000-0x7f9f1d703000   /usr/lib64/libelf-0.166.so
        0x7f9f1d703000-0x7f9f1d704000   /usr/lib64/libelf-0.166.so
        0x7f9f1d704000-0x7f9f1d726000   /lib64/ld-2.22.so
        0x7f9f1d8b2000-0x7f9f1d91a000
        0x7f9f1d91a000-0x7f9f1d925000
        0x7f9f1d925000-0x7f9f1d926000   /lib64/ld-2.22.so
        0x7f9f1d926000-0x7f9f1d927000   /lib64/ld-2.22.so
        0x7f9f1d927000-0x7f9f1d928000
        0x7ffc7e844000-0x7ffc7e865000   [stack]
        0x7ffc7e905000-0x7ffc7e907000   [vvar]
        0x7ffc7e907000-0x7ffc7e909000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==21982==End of process memory map.
==21982==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d1111 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4da14a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42493a in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42493a in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42493a in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x420003 in __asan::Allocator::Calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:557
    #8 0x420003 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:722
    #9 0x4c0c3a in calloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
    #10 0x7f9f1d4ee5e0 in allocate_elf /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/common.h:74
    #11 0x7f9f1d4ee5e0 in file_read_elf /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_begin.c:282
    #12 0x7f9f1d4ef2b8 in read_unmmaped_file /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_begin.c:584
    #13 0x7f9f1d4ef2b8 in read_file /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_begin.c:670
    #14 0x4f9676 in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:585:11
    #15 0x7f9f1c41b61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #16 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

Affected version:
0.166

Fixed version:
0.168

Proposed patch:
https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/message/EJWVY7TMRDEMWPAPNVU3V4MZYG5HANF2/

Commit Fix:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=191000fdedba3fafe4d5b8cddad3f3318b49c3fb

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-10254

Reproducer:
https://github.com/asarubbo/poc/raw/master/00011-elfutils-memalloc-allocate_elf

Timeline:
2016-10-24: bug discovered and reported to upstream
2016-11-04: blog post about the issue
2016-11-10: upstream committed the proposed patch
2016-12-27: upstream released 0.168
2017-03-22: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

elfutils: memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)

Description:
elfutils is a set of libraries/utilities to handle ELF objects (a drop-in replacement for libelf).

During the fuzzing of libdwarf, I noticed a memory allocation failure that involves elfutils.
As a double-check, the bug was first reported to the libdwarf maintainer and then to the elfutils maintainer. There is a proposed patch on the elfutils mailing list, but nobody has commented on it.
EDIT: The patch has since been committed; see below.
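
Both elfutils reports on this page (allocate_elf in elf_begin.c and __libelf_set_rawdata_wrlock in elf_getdata.c) show the same pattern: a size taken from the ELF file itself is handed to calloc()/malloc() without checking that the bytes it describes exist in the file. Under ASan that is the "failed to allocate" abort in the traces; in a plain build the allocation simply fails and, at best, the file is rejected, so the practical impact is a denial of service for anything that opens untrusted ELF objects. What follows is an added example written for this page, not elfutils code and not a reproduction of the upstream patches: a minimal ELF64 little-endian reader that derives the section-header count the way the ELF gABI specifies (including extended numbering, where e_shnum is 0 and the real count is the 64-bit shdr[0].sh_size) and puts the unchecked allocation size next to a bounded one. The sample file is constructed inline and is not a real binary; the count 0xD007ECC0 is chosen only so that the unchecked product equals the 0x3401fb3000 bytes in the first trace, and nothing here asserts how elfutils actually arrived at that figure.

```c
/* Added example for this page, not elfutils code: bound allocation sizes
 * taken from an ELF header against the bytes actually present. ELF64 LSB
 * only; offsets and the extended-numbering rule follow the ELF gABI. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define EHDR_SIZE  64u
#define SHDR_SIZE  64u
#define SHT_NOBITS 8u
#define SAMPLE_LEN 200u
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Section-header count. e_shnum == 0 with a table present means the real
 * count is the 64-bit shdr[0].sh_size (gABI extended numbering). */
uint64_t elf64_shnum(const uint8_t *buf, size_t len)
{
    if (len < EHDR_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1)
        return 0;                                 /* too short or not ELF64 LSB */
    uint64_t shoff = rd64(buf + 0x28);
    uint16_t shnum = rd16(buf + 0x3c);
    if (shnum != 0 || shoff == 0) return shnum;
    if (shoff > len || len - shoff < SHDR_SIZE)   /* shdr[0] itself must be in the file */
        return 0;
    return rd64(buf + shoff + 0x20);
}

/* Unchecked pattern: a count read from a 200-byte file sizes the allocation.
 * Under ASan that is the "failed to allocate" abort seen in the traces. */
uint64_t naive_scn_table_bytes(const uint8_t *buf, size_t len) { return elf64_shnum(buf, len) * SHDR_SIZE; }

/* Hardened: the whole table must fit between e_shoff and end of file;
 * dividing instead of multiplying keeps the comparison overflow-free. */
int checked_scn_table_bytes(const uint8_t *buf, size_t len, size_t *out)
{
    uint64_t shnum = elf64_shnum(buf, len);
    if (shnum == 0) return -1;
    uint64_t shoff = rd64(buf + 0x28);
    if (shoff > len || shnum > (len - shoff) / SHDR_SIZE)
        return -1;
    *out = (size_t)(shnum * SHDR_SIZE);
    return 0;
}

/* Same rule for section contents: sh_offset/sh_size must lie inside the
 * file before malloc(). SHT_NOBITS has no file bytes and is not copied. */
uint8_t *checked_section_copy(const uint8_t *buf, size_t len, uint64_t idx, size_t *size_out)
{
    size_t table;
    if (checked_scn_table_bytes(buf, len, &table) != 0 || idx >= table / SHDR_SIZE)
        return NULL;
    const uint8_t *sh = buf + rd64(buf + 0x28) + idx * SHDR_SIZE;
    uint64_t off = rd64(sh + 0x18), size = rd64(sh + 0x20);
    if (rd32(sh + 0x04) == SHT_NOBITS || off > len || size > len - off)
        return NULL;
    uint8_t *copy = malloc(size ? (size_t)size : 1);
    if (!copy) return NULL;
    memcpy(copy, buf + off, (size_t)size);
    *size_out = (size_t)size;
    return copy;
}

/* Constructed sample, not a real binary: header, two section headers at 64,
 * 8 payload bytes at 192. e_shnum stays 0, so ext_shnum is the count used. */
void build_sample(uint8_t out[SAMPLE_LEN], uint64_t ext_shnum, uint64_t sh1_size)
{
    memset(out, 0, SAMPLE_LEN);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;           /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    wr64(out + 0x28, EHDR_SIZE);                  /* e_shoff */
    wr16(out + 0x3a, SHDR_SIZE);                  /* e_shentsize; e_shnum left at 0 */
    uint8_t *sh0 = out + EHDR_SIZE, *sh1 = sh0 + SHDR_SIZE;
    wr64(sh0 + 0x20, ext_shnum);                  /* shdr[0].sh_size = real count */
    wr32(sh1 + 0x04, 1);                          /* SHT_PROGBITS */
    wr64(sh1 + 0x18, 192);                        /* sh_offset */
    wr64(sh1 + 0x20, sh1_size);                   /* sh_size */
    memcpy(out + 192, "DEADBEEF", 8);
}

int main(void)
{
    uint8_t f[SAMPLE_LEN]; size_t n = 0, sz = 0;
    build_sample(f, 2, 8);                        /* honest file: 2 headers, 8-byte section */
    uint8_t *c = checked_section_copy(f, SAMPLE_LEN, 1, &sz);
    printf("honest: section 1 = %zu bytes, %.8s\n", sz, c ? (char *)c : "");
    free(c);
    build_sample(f, 0xD007ECC0ULL, 8);            /* count picked so naive size = 0x3401fb3000 */
    printf("hostile count: naive wants %#llx bytes, checked rc=%d\n",
           (unsigned long long)naive_scn_table_bytes(f, SAMPLE_LEN), checked_scn_table_bytes(f, SAMPLE_LEN, &n));
    build_sample(f, 2, 0x8000003000ULL);          /* sh_size far past end of file */
    printf("hostile sh_size: %s\n", checked_section_copy(f, SAMPLE_LEN, 1, &sz) ? "copied" : "rejected");
    return 0;
}
```

The division-based comparison is the part worth copying: `count > (len - off) / entsize` can never overflow, whereas `off + count * entsize > len` can wrap on a hostile 64-bit count and pass. The same check applies to e_phoff/e_phnum and to any other table whose offset and count come from the file.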

The complete ASan output:

# dwarfdump $FILE
==30083==ERROR: AddressSanitizer failed to allocate 0x8000003000 (549755826176) bytes of LargeMmapAllocator (error code: 12)
==30083==Process memory map follows:
	0x000000400000-0x0000006bb000	/usr/bin/dwarfdump-asan
	0x0000008ba000-0x0000008c2000	/usr/bin/dwarfdump-asan
	0x0000008c2000-0x0000008ff000	/usr/bin/dwarfdump-asan
	0x0000008ff000-0x0000015a3000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x613000000000	
	0x613000000000-0x613000010000	
	0x613000010000-0x614000000000	
	0x614000000000-0x614000020000	
	0x614000020000-0x619000000000	
	0x619000000000-0x619000020000	
	0x619000020000-0x61c000000000	
	0x61c000000000-0x61c000020000	
	0x61c000020000-0x61d000000000	
	0x61d000000000-0x61d000020000	
	0x61d000020000-0x624000000000	
	0x624000000000-0x624000020000	
	0x624000020000-0x625000000000	
	0x625000000000-0x625000020000	
	0x625000020000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f0afdc00000-0x7f0afdd00000	
	0x7f0afde00000-0x7f0afdf00000	
	0x7f0afdff0000-0x7f0b00342000	
	0x7f0b00342000-0x7f0b004d5000	/lib64/libc-2.22.so
	0x7f0b004d5000-0x7f0b006d5000	/lib64/libc-2.22.so
	0x7f0b006d5000-0x7f0b006d9000	/lib64/libc-2.22.so
	0x7f0b006d9000-0x7f0b006db000	/lib64/libc-2.22.so
	0x7f0b006db000-0x7f0b006df000	
	0x7f0b006df000-0x7f0b006f5000	/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
	0x7f0b006f5000-0x7f0b008f4000	/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f4000-0x7f0b008f5000	/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f5000-0x7f0b008f6000	/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f6000-0x7f0b008f8000	/lib64/libdl-2.22.so
	0x7f0b008f8000-0x7f0b00af8000	/lib64/libdl-2.22.so
	0x7f0b00af8000-0x7f0b00af9000	/lib64/libdl-2.22.so
	0x7f0b00af9000-0x7f0b00afa000	/lib64/libdl-2.22.so
	0x7f0b00afa000-0x7f0b00bf7000	/lib64/libm-2.22.so
	0x7f0b00bf7000-0x7f0b00df6000	/lib64/libm-2.22.so
	0x7f0b00df6000-0x7f0b00df7000	/lib64/libm-2.22.so
	0x7f0b00df7000-0x7f0b00df8000	/lib64/libm-2.22.so
	0x7f0b00df8000-0x7f0b00dfe000	/lib64/librt-2.22.so
	0x7f0b00dfe000-0x7f0b00ffe000	/lib64/librt-2.22.so
	0x7f0b00ffe000-0x7f0b00fff000	/lib64/librt-2.22.so
	0x7f0b00fff000-0x7f0b01000000	/lib64/librt-2.22.so
	0x7f0b01000000-0x7f0b01017000	/lib64/libpthread-2.22.so
	0x7f0b01017000-0x7f0b01216000	/lib64/libpthread-2.22.so
	0x7f0b01216000-0x7f0b01217000	/lib64/libpthread-2.22.so
	0x7f0b01217000-0x7f0b01218000	/lib64/libpthread-2.22.so
	0x7f0b01218000-0x7f0b0121c000	
	0x7f0b0121c000-0x7f0b01231000	/lib64/libz.so.1.2.8
	0x7f0b01231000-0x7f0b01430000	/lib64/libz.so.1.2.8
	0x7f0b01430000-0x7f0b01431000	/lib64/libz.so.1.2.8
	0x7f0b01431000-0x7f0b01432000	/lib64/libz.so.1.2.8
	0x7f0b01432000-0x7f0b01449000	/usr/lib64/libelf-0.166.so
	0x7f0b01449000-0x7f0b01649000	/usr/lib64/libelf-0.166.so
	0x7f0b01649000-0x7f0b0164a000	/usr/lib64/libelf-0.166.so
	0x7f0b0164a000-0x7f0b0164b000	/usr/lib64/libelf-0.166.so
	0x7f0b0164b000-0x7f0b0166d000	/lib64/ld-2.22.so
	0x7f0b017f7000-0x7f0b01860000	
	0x7f0b01860000-0x7f0b0186c000	
	0x7f0b0186c000-0x7f0b0186d000	/lib64/ld-2.22.so
	0x7f0b0186d000-0x7f0b0186e000	/lib64/ld-2.22.so
	0x7f0b0186e000-0x7f0b0186f000	
	0x7ffff2f19000-0x7ffff2f3a000	[stack]
	0x7ffff2f3d000-0x7ffff2f3f000	[vvar]
	0x7ffff2f3f000-0x7ffff2f41000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==30083==End of process memory map.
==30083==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d1111 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4da14a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x4224df in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x4224df in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x4224df in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x4224df in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f0b0143c206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318
    #10 0x7f0b0143c5db in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:521
    #11 0x580659 in dwarf_elf_object_access_load_section /tmp/dwarf-20161001/libdwarf/dwarf_elf_access.c:1312:16
    #12 0x5b5142 in _dwarf_load_section /tmp/dwarf-20161001/libdwarf/dwarf_init_finish.c:1139:11
    #13 0x6082ae in _dwarf_load_debug_info /tmp/dwarf-20161001/libdwarf/dwarf_util.c:855:11
    #14 0x57043f in _dwarf_next_cu_header_internal /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:819:32
    #15 0x572fcd in dwarf_next_cu_header_d /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:629:15
    #16 0x512f4f in print_one_die_section /tmp/dwarf-20161001/dwarfdump/print_die.c:660:16
    #17 0x512262 in print_infos /tmp/dwarf-20161001/dwarfdump/print_die.c:371:16
    #18 0x4faaea in process_one_file /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9
    #19 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654
    #20 0x7f0b0036261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

Affected version:
0.166

Fixed version:
0.168

Proposed patch:
https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/thread/Q4LE47FPEVRZANMV6JE2NMHYO4H5MHGJ/

Commit Fix:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=09ec02ec7f7e6913d10943148e2a898264345b07

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-10255

Reproducer:
https://github.com/asarubbo/poc/blob/master/00031-elfutils-memalloc-__libelf_set_rawdata_wrlock

Timeline:
2016-10-03: bug discovered
2016-10-21: bug reported to upstream
2016-11-04: blog post about the issue
2016-11-10: upstream committed the proposed patch
2016-12-27: upstream released 0.168
2017-03-22: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

jasper: use of uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

I decided to try another round of fuzzing with MemorySanitizer enabled, and I discovered that there is a use-of-uninitialized-value in jpc_pi_nextcprl.

The complete MSan output:

# imginfo -f $FILE
warning: trailing garbage in marker segment (14 bytes)                                                                                                                                                                                                                         
warning: trailing garbage in marker segment (14 bytes)                                                                                                                                                                                                                         
warning: ignoring unknown marker segment                                                                                                                                                                                                                                       
type = 0xff41 (UNKNOWN); len = 20;01 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 warning: trailing garbage in marker segment (14 bytes)                                                                                                                                 
==7937==WARNING: MemorySanitizer: use-of-uninitialized-value                                                                                                                                                                                                                   
    #0 0x7fc562323907 in jpc_pi_nextcprl /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2cod.c:482:12                                                                                                                                     
    #1 0x7fc562323907 in jpc_pi_next /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2cod.c:125                                                                                                                                            
    #2 0x7fc56232aadc in jpc_dec_decodepkts /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2dec.c:441:14                                                                                                                                  
    #3 0x7fc5621fa9f1 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:594:6                                                                                                                                    
    #4 0x7fc56220c574 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:391:10                                                                                                                                        
    #5 0x7fc56220c574 in jpc_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:255                                                                                                                                               
    #6 0x7fc5621ac5a4 in jp2_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:215:21                                                                                                                                            
    #7 0x7fc5620d69d1 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:396:16                                                                                                                                   
    #8 0x557bb7618831 in main /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/appl/imginfo.c:203:16                                                                                                                                                           
    #9 0x7fc5611e961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        
    #10 0x557bb7599a28 in _init (/usr/bin/imginfo+0x1aa28)                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                               
  Uninitialized value was created by a heap allocation                                                                                                                                                                                                                         
    #0 0x557bb75bf639 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/msan/msan_interceptors.cc:1002                                                                                                                           
    #1 0x7fc5621507d4 in jas_malloc /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_malloc.c:148:13                                                                                                                                        
    #2 0x7fc562152520 in jas_alloc2 /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_malloc.c:275:9                                                                                                                                         
    #3 0x7fc56233360c in jpc_dec_pi_create /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2dec.c:506:30                                                                                                                                   
    #4 0x7fc5621f2c71 in jpc_dec_tileinit /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:911:19                                                                                                                                      
    #5 0x7fc5621f2c71 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:560                                                                                                                                      
    #6 0x7fc56220c574 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:391:10                                                                                                                                        
    #7 0x7fc56220c574 in jpc_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:255                                                                                                                                               
    #8 0x7fc5621ac5a4 in jp2_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:215:21                                                                                                                                            
    #9 0x7fc5620d69d1 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:396:16                                                                                                                                   
    #10 0x557bb7618831 in main /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/appl/imginfo.c:203:16                                                                                                                                                          
    #11 0x7fc5611e961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                       
                                                                                                                                                                                                                                                                               
SUMMARY: MemorySanitizer: use-of-uninitialized-value /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_t2cod.c:482:12 in jpc_pi_nextcprl                                                                                                      
Exiting

Affected version:
1.900.17

Fixed version:
1.900.20

Commit fix:
https://github.com/mdadams/jasper/commit/1f0dfe5a42911b6880a1445f13f6d615ddb55387

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-10251

Reproducer:
https://github.com/asarubbo/poc/blob/master/00029-jasper-uninitvalue-jpc_pi_nextcprl

Timeline:
2016-11-03: bug discovered and reported to upstream
2016-11-04: upstream released a patch
2016-11-04: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing on an updated version (1.900.10) revealed that the NULL pointer access identified as CVE-2016-8887, which upstream declared fixed in version 1.900.10, is still present.

The complete ASan output:

# imginfo -f $FILE
ASAN:DEADLYSIGNAL
=================================================================
==20885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc4e4a4550 T0)
    #0 0x41defc in atomic_compare_exchange_strong /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:465
    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:525
    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:709
    #4 0x4c008c in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:41
    #5 0x7faeeeb2d430 in jp2_colr_destroy /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:450:3
    #6 0x7faeeeb32b0e in jp2_box_destroy /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:211:3
    #7 0x7faeeeb32b0e in jp2_box_get /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:314
    #8 0x7faeeeb369a0 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:156:16
    #9 0x7faeeeac6a29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16
    #10 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16
    #11 0x7faeedbd361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==20885==ABORTING

Affected version:
1.900.10

Fixed version:
1.900.13

Commit fix:
https://github.com/mdadams/jasper/commit/bdfe95a6e81ffb4b2fad31a76b57943695beed20

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-10250

Reproducer:
https://github.com/asarubbo/poc/blob/master/00002-jasper-NULLptr-jp2_colr_destroy

Timeline:
2016-10-22: bug re-discovered
2016-10-22: bug re-reported to upstream
2016-10-23: blog post about the issue
2016-10-23: upstream released a patch and 1.900.13
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

jasper: heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing on an updated version (1.900.10) revealed a heap buffer over-read caused by an integer overflow.
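
The allocation in the trace below comes from jas_alloc2 via jas_matrix_create, and the description attributes the over-read to an integer overflow. The general shape of that bug class, as an added example written for this page (not jasper code, and it does not claim to reproduce the exact arithmetic in jpc_dec.c): a 2-D buffer is sized from header-supplied row and column counts; if the product is computed in 32 bits it wraps, the heap block is allocated from the wrapped value, and any later access computed from the full row and column values lands past the end of the block. The dimensions are constructed inline; the pair 65536 x 65537 is chosen because its product is exactly 2^32 + 2^16 and wraps to 65536. MATRIX_MAX_BYTES is an illustrative policy limit, not a jasper setting.

```c
/* Added example for this page, not jasper code: how a wrapped size
 * computation becomes an undersized heap block and an over-read. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef struct {
    uint32_t rows, cols;   /* dimensions as read from the image header */
    size_t   nelems;       /* elements actually allocated */
    int32_t *data;
} matrix_t;

/* Unchecked: rows * cols is computed in 32 bits and wraps modulo 2^32.
 * The allocation follows the wrapped value, the dimensions do not. */
matrix_t *matrix_create_naive(uint32_t rows, uint32_t cols)
{
    uint32_t n = rows * cols;                     /* 65536 * 65537 -> 65536 */
    matrix_t *m = malloc(sizeof *m);
    if (!m) return NULL;
    m->rows = rows; m->cols = cols; m->nelems = n;
    m->data = calloc(n ? n : 1, sizeof *m->data);
    if (!m->data) { free(m); return NULL; }
    return m;
}

/* Hardened: prove the product fits in size_t before multiplying, then
 * apply an explicit upper bound so a 64-bit host does not happily accept
 * a multi-gigabyte request from a crafted header. */
#define MATRIX_MAX_BYTES (256u * 1024u * 1024u)   /* illustrative policy limit */

matrix_t *matrix_create_checked(uint32_t rows, uint32_t cols)
{
    if (rows == 0 || cols == 0) return NULL;
    if ((size_t)rows > SIZE_MAX / cols) return NULL;          /* rows*cols would overflow */
    size_t n = (size_t)rows * cols;
    if (n > SIZE_MAX / sizeof(int32_t)) return NULL;          /* n*sizeof would overflow */
    if (n * sizeof(int32_t) > MATRIX_MAX_BYTES) return NULL;  /* too big for our policy */
    matrix_t *m = malloc(sizeof *m);
    if (!m) return NULL;
    m->rows = rows; m->cols = cols; m->nelems = n;
    m->data = calloc(n, sizeof *m->data);
    if (!m->data) { free(m); return NULL; }
    return m;
}

/* The element offset a decoder would compute from (row, col) using the
 * header dimensions. Returns 1 if it lies inside the allocation, 0 if the
 * read would run off the end of the heap block (what ASan reports). */
int matrix_access_in_bounds(const matrix_t *m, uint32_t row, uint32_t col)
{
    if (row >= m->rows || col >= m->cols) return 0;
    uint64_t off = (uint64_t)row * m->cols + col;
    return off < m->nelems;
}

void matrix_destroy(matrix_t *m)
{
    if (m) { free(m->data); free(m); }
}

int main(void)
{
    /* Constructed header values: 65536 x 65537 claims 2^32 + 2^16 elements. */
    matrix_t *m = matrix_create_naive(65536u, 65537u);
    if (!m) return 1;
    printf("naive: header says %u x %u, allocated %zu elements\n", m->rows, m->cols, m->nelems);
    printf("naive: element (0,65535) in bounds? %d\n", matrix_access_in_bounds(m, 0, 65535));
    printf("naive: element (1,0) in bounds? %d\n", matrix_access_in_bounds(m, 1, 0));
    matrix_destroy(m);
    printf("checked: %s\n", matrix_create_checked(65536u, 65537u) ? "allocated" : "rejected");
    return 0;
}
```

Compiled with -fsanitize=address, indexing `m->data[1 * m->cols]` on the naive matrix produces a heap-buffer-overflow READ report of the same form as the one below; the checked constructor never hands back a block whose dimensions disagree with its size.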

The complete ASan output:

# imginfo -f $FILE
warning: not enough tile data (9 bytes)                                                                                                                                                        
=================================================================                                                                                                                              
==15870==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0c6a964770 at pc 0x7f0c729e93a4 bp 0x7ffd08758cf0 sp 0x7ffd08758ce8                                                      
READ of size 8 at 0x7f0c6a964770 thread T0                                                                                                                                                     
    #0 0x7f0c729e93a3 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1126:43                                                   
    #1 0x7f0c729d9567 in jpc_dec_process_eoc /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1170:8                                                   
    #2 0x7f0c729e20c4 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:390:10                                                        
    #3 0x7f0c729e20c4 in jpc_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:254                                                               
    #4 0x7f0c729afc41 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:215:21                                                            
    #5 0x7f0c7293fa29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16                                                   
    #6 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16                                                                                 
    #7 0x7f0c71a4c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                        
    #8 0x418e68 in _init (/usr/bin/imginfo+0x418e68)                                                                                                                                           

0x7f0c6a964770 is located 0 bytes to the right of 64749424-byte region [0x7f0c66ba4800,0x7f0c6a964770)                                                                                         
allocated by thread T0 here:                                                                                                                                                                   
    #0 0x4c03b8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52                                                   
    #1 0x7f0c7297efbe in jas_malloc /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_malloc.c:105:11                                                        
    #2 0x7f0c7297efbe in jas_alloc2 /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_malloc.c:136                                                           
    #3 0x7f0c7297fb44 in jas_matrix_create /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_seq.c:129:25                                                    
    #4 0x7f0c7297f71b in jas_seq2d_create /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_seq.c:90:17                                                      
    #5 0x7f0c729d4280 in jpc_dec_tileinit /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:702:23                                                      
    #6 0x7f0c729d4280 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:559                                                      
    #7 0x7f0c729e20c4 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:390:10                                                        
    #8 0x7f0c729e20c4 in jpc_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:254                                                               
    #9 0x7f0c729afc41 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:215:21                                                            
    #10 0x7f0c7293fa29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16                                                  
    #11 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16
    #12 0x7f0c71a4c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1126:43 in jpc_dec_tiledecode
Shadow bytes around the buggy address:
  0x0fe20d524890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe20d5248a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe20d5248b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe20d5248c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe20d5248d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe20d5248e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0fe20d5248f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe20d524900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe20d524910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe20d524920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe20d524930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15870==ABORTING

Affected version:
1.900.10

Fixed version:
1.900.12

Commit fix:
https://github.com/mdadams/jasper/commit/988f8365f7d8ad8073b6786e433d34c553ecf568

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-10249

Reproducer:
https://github.com/asarubbo/poc/blob/master/00001-jasper-heapoverflow-jpc_dec_tiledecode

Timeline:
2016-10-22: bug discovered
2016-10-22: bug reported to upstream
2016-10-22: upstream released the patch
2016-10-23: upstream released 1.900.12
2016-10-23: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
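As an added triage example (not part of this advisory and not JasPer code): when a fuzzing campaign turns up many reports like the one above, the first job is to bucket them and to read off how far out of bounds the access is. The parser below takes an ASan heap-buffer-overflow report of that shape, extracts the error class, the access width, the first in-project frame of both the access and the allocation stack, and computes where the faulting address lies relative to the heap region. The text it parses is a constructed, shortened copy of the report above (deeper frames dropped); the element arithmetic assumes the region holds 8-byte elements, an inference from the 8-byte read rather than something the advisory states.

```python
"""Triage helper for an AddressSanitizer heap-buffer-overflow report.

Added example, not part of the advisory or of JasPer. ASAN_REPORT is a
constructed, shortened copy of the report in the post (deeper frames dropped).
"""
import re

ASAN_REPORT = """\
==15870==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0c6a964770 at pc 0x7f0c729e93a4 bp 0x7ffd08758cf0 sp 0x7ffd08758ce8
READ of size 8 at 0x7f0c6a964770 thread T0
    #0 0x7f0c729e93a3 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1126:43
    #1 0x7f0c729d9567 in jpc_dec_process_eoc /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1170:8
    #2 0x7f0c729e20c4 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:390:10

0x7f0c6a964770 is located 0 bytes to the right of 64749424-byte region [0x7f0c66ba4800,0x7f0c6a964770)
allocated by thread T0 here:
    #0 0x4c03b8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f0c7297efbe in jas_malloc /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_malloc.c:105:11
    #2 0x7f0c7297efbe in jas_alloc2 /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_malloc.c:136
    #3 0x7f0c7297fb44 in jas_matrix_create /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_seq.c:129:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1126:43 in jpc_dec_tiledecode
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x(?P<addr>[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^ +#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
# Only the "to the left/right of" form; use-after-free reports say "inside of"
# and are deliberately rejected by parse_asan_report().
REGION_RE = re.compile(
    r"0x[0-9a-f]+ is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<size>\d+)-byte region \[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")


def parse_asan_report(report):
    """Pull the structured facts out of a heap-buffer-overflow report."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    # Everything before "allocated by thread" is the faulting access stack,
    # everything after it is the allocation stack.
    access_part, _, alloc_part = report.partition("allocated by thread")
    lo, hi = int(reg["lo"], 16), int(reg["hi"], 16)
    if hi - lo != int(reg["size"]):
        raise ValueError("region bounds disagree with the stated region size")
    return {
        "kind": err["kind"],
        "op": acc["op"],
        "access_size": int(acc["size"]),
        "region_size": hi - lo,
        "offset": int(acc["addr"], 16) - lo,  # negative for a read before the region
        "access_frames": [(m["func"], m["loc"]) for m in FRAME_RE.finditer(access_part)],
        "alloc_frames": [(m["func"], m["loc"]) for m in FRAME_RE.finditer(alloc_part)],
    }


def first_project_frame(frames, marker, skip=()):
    """First frame whose path contains marker (skips sanitizer runtime and libc
    frames) and whose function is not in skip (e.g. the project's malloc wrappers)."""
    for func, loc in frames:
        if marker in loc and func not in skip:
            return func, loc
    return None


def classify_access(info):
    """Say where the access falls relative to the region, in bytes and elements."""
    off, size, width = info["offset"], info["region_size"], info["access_size"]
    if off < 0:
        return f"underflow: {-off} bytes before region start"
    past = off - size
    if past == 0 and size % width == 0:
        # Exactly one element past the end: the classic off-by-one in a bound.
        return f"one-past-the-end: element index {off // width} of {size // width}"
    return f"overflow: {past} bytes past region end"


def bucket_key(info, marker):
    """Dedup key: error kind, operation and top in-project frame as file:line.
    The column is dropped so that a rebuilt binary with shifted columns still
    lands in the same bucket."""
    func, loc = first_project_frame(info["access_frames"], marker) or ("?", "?")
    parts = loc.rsplit(":", 2)
    file_line = f"{parts[0].rsplit('/', 1)[-1]}:{parts[1]}" if len(parts) == 3 else loc
    return f'{info["kind"]}|{info["op"]}|{func}|{file_line}'


def triage(report, marker="libjasper", alloc_wrappers=("jas_malloc", "jas_alloc2")):
    """One-line summary per report; marker and wrapper names are per-project
    (these are the JasPer ones visible in the report above)."""
    info = parse_asan_report(report)
    return {
        "bucket": bucket_key(info, marker),
        "crash_site": first_project_frame(info["access_frames"], marker),
        "alloc_site": first_project_frame(info["alloc_frames"], marker, alloc_wrappers),
        "where": classify_access(info),
        "access": f'{info["op"]} of {info["access_size"]} bytes',
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT).items():
        print(f"{key:>10}: {value}")
```

Run on the report above it places the read exactly one 8-byte element past the end of the 64,749,424-byte buffer handed out by jas_matrix_create (index 8093678 of 8093678), the signature of an off-by-one in a row or column bound rather than a wild pointer, and it names jas_matrix_create rather than the malloc wrappers as the allocation site, which is the frame worth reading when deciding whether the fix belongs in the allocator or in the consumer.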
