Bug#883198: bs1770gain: use after free while running bs1770gain with "poc output" option

Joonun Jang joonun.jang at gmail.com
Thu Nov 30 16:17:04 UTC 2017


Package: bs1770gain
Version: 0.4.12-2+b1
Severity: important
Tags: security

use after free while running bs1770gain with "poc output" option

Running 'bs1770gain poc output' with the attached file raises a use-after-free,
which may allow a remote attacker to cause a denial of service or other unspecified
impact via a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------

june at yuweol:~/workspace/bugre/poc/bs1770gain/1$ ~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc output
analyzing ...
  [1/1] "poc": Error finding decoder: ffsox_frame_reader_create(), "ffsox_frame_reader.c" (41).
Error creating frame reader: ffsox_frame_reader_new(), "ffsox_frame_reader.c" (92).
Error creating frame reader: ffsox_analyze(), "ffsox_analyze.c" (68).
=================================================================
==10074==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000640 at pc 0x555555582800 bp 0x7fffffffda60 sp 0x7fffffffda58
READ of size 8 at 0x610000000640 thread T0
    #0 0x5555555827ff in ffsox_packet_consumer_list_free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff)
    #1 0x55555559b91a in pbu_list_free_full (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x4791a)
    #2 0x5555555773fe in ffsox_source_link_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x233fe)
    #3 0x5555555762b5 in source_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x222b5)
    #4 0x555555570a2f in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1ca2f)
    #5 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #6 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #7 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x5555555614e9 in _start (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

0x610000000640 is located 0 bytes inside of 184-byte region [0x610000000640,0x6100000006f8)
freed by thread T0 here:
    #0 0x7ffff6eff8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55555557393b in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f93b)
    #2 0x55555556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
    #3 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #4 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #5 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x7ffff6effc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x555555573841 in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f841)
    #2 0x55555556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
    #3 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #4 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #5 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff) in ffsox_packet_consumer_list_free
Shadow bytes around the buggy address:
  0x0c207fff8070: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c207fff8080: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c207fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff80b0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c207fff80c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c207fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10074==ABORTING

-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bs1770gain depends on:
ii  libavcodec57    7:3.4-3
ii  libavformat57   7:3.4-3
ii  libavutil55     7:3.4-3
ii  libc6           2.24-17
ii  libsox3         14.4.2-2
ii  libswresample2  7:3.4-3

bs1770gain recommends no packages.

bs1770gain suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 70 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20171201/495c8ee5/attachment.obj>
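The trace above shows the 184-byte region allocated and freed inside ffsox_frame_reader_new (the free happens on the "Error finding decoder" path), and then read again in ffsox_packet_consumer_list_free during source cleanup. That shape is typical of an error path that frees an object while it is still linked into a list the owner walks later. The following C program is an added, hypothetical reconstruction of that pattern next to the usual fix (unlink before free); it is not bs1770gain's code, and every name in it (consumer_t, source_t, frame_reader_new_buggy, frame_reader_new_fixed, analyze_fixed, the "pcm" codec check) is invented for the illustration. Built with -fsanitize=address and with main changed to call consumer_list_free after frame_reader_new_buggy fails, it produces a heap-use-after-free READ of size 8 in the list walker, the same report shape as above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the ownership bug implied by the ASan trace.
 * Not bs1770gain's code; all names below are invented for this example. */

typedef struct consumer {
    struct consumer *next;                 /* singly linked list kept by the source */
    void (*cleanup)(struct consumer *);    /* invoked by consumer_list_free */
} consumer_t;

typedef struct source {
    consumer_t *consumers;                 /* packet consumers registered with this source */
} source_t;

typedef struct frame_reader {
    consumer_t consumer;                   /* embedded list node; must stay first member */
    int decoder_ready;
} frame_reader_t;

/* Register a consumer at the head of the source's list. */
static void consumer_list_append(source_t *s, consumer_t *c) {
    c->next = s->consumers;
    s->consumers = c;
}

/* Remove a consumer from the list; returns 1 if it was linked, 0 otherwise. */
static int consumer_list_unlink(source_t *s, consumer_t *c) {
    for (consumer_t **pp = &s->consumers; *pp; pp = &(*pp)->next) {
        if (*pp == c) { *pp = c->next; c->next = NULL; return 1; }
    }
    return 0;
}

/* Walk the list and run each consumer's cleanup. Every node must still be live:
 * reading c->next from a freed node is exactly the 8-byte UAF read in the trace. */
static size_t consumer_list_free(source_t *s) {
    size_t n = 0;
    for (consumer_t *c = s->consumers; c; ) {
        consumer_t *next = c->next;        /* read before cleanup frees the node */
        c->cleanup(c);
        ++n;
        c = next;
    }
    s->consumers = NULL;
    return n;
}

static void frame_reader_cleanup(consumer_t *c) { free((frame_reader_t *)c); }

/* Stands in for the decoder lookup: the reader is linked into the source's list
 * first, then the lookup may fail ("Error finding decoder"). Only "pcm" succeeds. */
static int frame_reader_create(frame_reader_t *r, source_t *s, const char *codec) {
    consumer_list_append(s, &r->consumer);
    if (strcmp(codec, "pcm") != 0) return -1;
    r->decoder_ready = 1;
    return 0;
}

/* Defective error path: frees r while the source's list still points at it. */
frame_reader_t *frame_reader_new_buggy(source_t *s, const char *codec) {
    frame_reader_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->consumer.cleanup = frame_reader_cleanup;
    if (frame_reader_create(r, s, codec) < 0) {
        free(r);                           /* BUG: dangling node left in s->consumers */
        return NULL;
    }
    return r;
}

/* Corrected error path: give the memory back only after it is unlinked. */
frame_reader_t *frame_reader_new_fixed(source_t *s, const char *codec) {
    frame_reader_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->consumer.cleanup = frame_reader_cleanup;
    if (frame_reader_create(r, s, codec) < 0) {
        consumer_list_unlink(s, &r->consumer);
        free(r);
        return NULL;
    }
    return r;
}

/* Mirrors the analyze flow: create the reader, then clean up the source.
 * Returns how many consumers the cleanup freed (1 on success, 0 after a failed create). */
size_t analyze_fixed(const char *codec) {
    source_t s = { NULL };
    frame_reader_t *r = frame_reader_new_fixed(&s, codec);
    (void)r;                               /* on success the list owns the reader */
    return consumer_list_free(&s);
}

/* Shows the defect without dereferencing freed memory: after the buggy path fails,
 * the list head still holds the stale pointer. The list is dropped, not walked. */
int buggy_leaves_dangling(void) {
    source_t s = { NULL };
    frame_reader_t *r = frame_reader_new_buggy(&s, "unknown");
    int dangling = (r == NULL && s.consumers != NULL);
    s.consumers = NULL;                    /* never call consumer_list_free here */
    return dangling;
}

int main(void) {
    printf("fixed path, decoder found:    freed %zu consumer(s)\n", analyze_fixed("pcm"));
    printf("fixed path, decoder missing:  freed %zu consumer(s)\n", analyze_fixed("unknown"));
    printf("buggy path leaves a dangling node: %s\n", buggy_leaves_dangling() ? "yes" : "no");
    return 0;
}
```

The defensive rule the fixed variant follows is that whichever container holds a pointer to an object must stop holding it before the object is freed; reviewing every early-return error path of a constructor for registrations it made before failing is the quickest way to find this class of bug, and running the test suite under AddressSanitizer, as the reporter did, catches the ones review misses.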
