{"id":2164,"date":"2017-09-08T16:36:15","date_gmt":"2017-09-08T14:36:15","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=2164"},"modified":"2017-09-13T23:00:59","modified_gmt":"2017-09-13T21:00:59","slug":"mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/09\/08\/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c\/","title":{"rendered":"mp3gain: stack-based buffer overflow in copy_mp (mpglibDBL\/interface.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/mp3gain.sourceforge.net\/\">mp3gain<\/a> is a program to analyze and adjust MP3 files to same volume.<\/p>\n<p>The fuzz was done via the aacgain command-line tool which uses mp3gain which bundles an old-modified version of mpg123 called mpglibDBL.<br \/>\nThe upstream project seems to be dead, so the issue wasn\u2019t communicated to them.<\/p>\n<p>The complete ASan output of the issue:<\/p>\n<pre><font size=\"2\"># aacgain -f $FILE\r\n==17667==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f71080af610 at pc 0x7f710b824cfb bp 0x7ffd67817fa0 sp 0x7ffd67817750\r\nWRITE of size 72 at 0x7f71080af610 thread T0\r\n    #0 0x7f710b824cfa  (\/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/6.4.0\/libasan.so.3+0x5ccfa)\r\n    #1 0x8a8ad0 in copy_mp \/var\/tmp\/portage\/media-sound\/aacgain-1.9\/work\/aacgain-1.9\/mp3gain\/mpglibDBL\/interface.c:188\r\n    #2 0x8ac8bd in decodeMP3 \/var\/tmp\/portage\/media-sound\/aacgain-1.9\/work\/aacgain-1.9\/mp3gain\/mpglibDBL\/interface.c:685\r\n    #3 0x43e767 in main \/var\/tmp\/portage\/media-sound\/aacgain-1.9\/work\/aacgain-1.9\/mp3gain\/mp3gain.c:2262\r\n    #4 0x7f710ab3d680 in __libc_start_main (\/lib64\/libc.so.6+0x20680)\r\n    #5 0x4426c8 in _start (\/usr\/bin\/aacgain+0x4426c8)\r\n\r\nAddress 0x7f71080af610 is located in stack of thread T0 at offset 50704 in frame\r\n    #0 0x4341ff in main \/var\/tmp\/portage\/media-sound\/aacgain-1.9\/work\/aacgain-1.9\/mp3gain\/mp3gain.c:1411\r\n\r\n  This frame has 7 object(s):\r\n    [32, 33) 'maxgain'\r\n    [96, 97) 'mingain'\r\n    [160, 164) 'nprocsamp'\r\n    [224, 232) 'maxsample'\r\n    [288, 9504) 'lsamples'\r\n    [9536, 18752) 'rsamples'\r\n    [18784, 50704) 'mp' 0x0feea100dec0: 00 00[f4]f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00\r\n  0x0feea100ded0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0feea100dee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0feea100def0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0feea100df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0feea100df10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==17667==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.5.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-14411<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00348-aacgain-stackoverflow-copy_mp\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00348-aacgain-stackoverflow-copy_mp<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-08-28: bug discovered<br \/>\n2017-09-08: blog post about the issue<br \/>\n2017-09-13: CVE Assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug was identified with bare metal servers donated by <a href=\"https:\/\/www.packet.net\/\">Packet<\/a>. This work is also supported by the <a href=\"https:\/\/www.coreinfrastructure.org\">Core Infrastructure Initiative<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"xCfLvjDCFS\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/09\/08\/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c\/\">mp3gain: stack-based buffer overflow in copy_mp (mpglibDBL\/interface.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/09\/08\/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c\/embed\/#?secret=xCfLvjDCFS\" data-secret=\"xCfLvjDCFS\" width=\"600\" height=\"338\" title=\"&#8220;mp3gain: stack-based buffer overflow in copy_mp (mpglibDBL\/interface.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: mp3gain is a program to analyze and adjust MP3 files to same volume. The fuzz was done via the aacgain command-line tool which uses mp3gain which bundles an old-modified version of mpg123 called mpglibDBL. The upstream project seems to &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/09\/08\/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-yU","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2164"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=2164"}],"version-history":[{"count":10,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2164\/revisions"}],"predecessor-version":[{"id":2257,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2164\/revisions\/2257"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=2164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=2164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=2164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}