stack-buffer-overflow in WriteMP3GainAPETag, apetag.c:578
Analyzes and adjusts the volume of MP3 files
POC file: https://github.com/zjuchenyuan/fuzzpoc/raw/master/mp3gain_poc5
Step 11/12 : RUN cp /fuzzpoc/mp3gain_poc5 /tmp/poc && /tmp/asan/mp3gain /tmp/poc || exit 0
---> Running in 6846233ac18d
Delaying a frame in decoding with old libmpg123.
=================================================================
==8==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa024 at pc 0x7ffff6ecb9f5 bp 0x7fffffff9da0 sp 0x7fffffff9530
WRITE of size 181 at 0x7fffffffa024 thread T0
/tmp/poc
Recommended "Track" dB change: -5500000000000000283159454210816670147492432353798899003243711366275334032009659721516422830325794340130464936851432254159503751971898424056661867456142507311642682046021632.000000
Recommended "Track" mp3 gain change: 2147483647
Max PCM sample at current gain: 0.000000
Max mp3 global gain field: 40
Min mp3 global gain field: 0
#0 0x7ffff6ecb9f4 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x619f4)
#1 0x7ffff6ecbcc9 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61cc9)
#2 0x425edb in WriteMP3GainAPETag /mp3gain-code/mp3gain/apetag.c:578
#3 0x40400b in main /mp3gain-code/mp3gain/mp3gain.c:2723
#4 0x7ffff655a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x4101c8 in _start (/tmp/asan/mp3gain+0x4101c8)
Address 0x7fffffffa024 is located in stack of thread T0 at offset 260 in frame
#0 0x42422f in WriteMP3GainAPETag /mp3gain-code/mp3gain/apetag.c:404
This frame has 3 object(s):
[32, 64) 'newFooter'
[96, 128) 'newHeader'
[160, 260) 'valueString' <== Memory access at offset 260 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_vsprintf
==8==ABORTING
Removing intermediate container 6846233ac18d
---> 6233dac19913
Step 12/12 : RUN cp /fuzzpoc/mp3gain_poc5 /tmp/poc && valgrind -v /tmp/justafl/mp3gain /tmp/poc || exit 0
---> Running in fcebdc8ef69a
==8== Memcheck, a memory error detector
==8== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==8== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==8== Command: /tmp/justafl/mp3gain /tmp/poc
==8==
--8-- Valgrind options:
--8-- -v
--8-- Contents of /proc/version:
--8-- Linux version 4.9.87-xxxx-std-ipv6-64 (kernel@kernel.ovh.net) (gcc version 7.3.0 (GCC) ) #1 SMP Tue Mar 13 18:41:47 CET 2018
--8--
--8-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-rdtscp-sse3-avx
--8-- Page sizes: currently 4096, max supported 4096
/tmp/poc
Recommended "Track" dB change: -5500000000000000283159454210816670147492432353798899003243711366275334032009659721516422830325794340130464936851432254159503751971898424056661867456142507311642682046021632.000000
Recommended "Track" mp3 gain change: 2147483647
Max PCM sample at current gain: 0.000000
Max mp3 global gain field: 40
Min mp3 global gain field: 0
*** buffer overflow detected ***: /tmp/justafl/mp3gain terminated
--8-- Reading syms from /lib/x86_64-linux-gnu/libgcc_s.so.1
--8-- Considering /lib/x86_64-linux-gnu/libgcc_s.so.1 ..
--8-- .. CRC mismatch (computed b9a68419 wanted 29d51b00)
--8-- object doesn't have a symbol table
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x54177e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x54b915c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x54b7160]
/lib/x86_64-linux-gnu/libc.so.6(+0x1166c9)[0x54b66c9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x541b6b0]
/lib/x86_64-linux-gnu/libc.so.6(+0x5225a)[0x53f225a]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1f49)[0x53ef0b9]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x54b6754]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x54b66ad]
/tmp/justafl/mp3gain[0x422adc]
/tmp/justafl/mp3gain[0x40869c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x53c0830]
/tmp/justafl/mp3gain[0x412349]
======= Memory map: ========
Recommended "Album" dB change for all files: -5500000000000000283159454210816670147492432353798899003243711366275334032009659721516422830325794340130464936851432254159503751971898424056661867456142507311642682046021632.000000
Recommended "Album" mp3 gain change for all files: 2147483647
==8==
==8== Process terminating with default action of signal 6 (SIGABRT)
==8== at 0x53D5428: raise (raise.c:54)
==8== by 0x53D7029: abort (abort.c:89)
==8== by 0x54177E9: __libc_message (libc_fatal.c:175)
==8== by 0x54B915B: __fortify_fail (fortify_fail.c:37)
==8== by 0x54B715F: __chk_fail (chk_fail.c:28)
==8== by 0x54B66C8: _IO_str_chk_overflow (vsprintf_chk.c:31)
==8== by 0x541B6AF: _IO_default_xsputn (genops.c:455)
==8== by 0x53F2259: __printf_fp_l (printf_fp.c:1236)
==8== by 0x53EF0B8: vfprintf (vfprintf.c:1631)
==8== by 0x54B6753: __vsprintf_chk (vsprintf_chk.c:82)
==8== by 0x54B66AC: __sprintf_chk (sprintf_chk.c:31)
==8== by 0x422ADB: sprintf (stdio2.h:33)
==8== by 0x422ADB: WriteMP3GainAPETag (apetag.c:578)
--8-- Discarding syms at 0x5b6ca70-0x5b7c8b5 in /lib/x86_64-linux-gnu/libgcc_s.so.1 due to munmap()
==8==
==8== HEAP SUMMARY:
==8== in use at exit: 669 bytes in 6 blocks
==8== total heap usage: 39 allocs, 33 frees, 78,755 bytes allocated
==8==
==8== Searching for pointers to 6 not-freed blocks
==8== Checked 4,993,640 bytes
==8==
==8== LEAK SUMMARY:
==8== definitely lost: 0 bytes in 0 blocks
==8== indirectly lost: 0 bytes in 0 blocks
==8== possibly lost: 0 bytes in 0 blocks
==8== still reachable: 669 bytes in 6 blocks
==8== suppressed: 0 bytes in 0 blocks
==8== Rerun with --leak-check=full to see details of leaked memory
==8==
==8== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
/bin/bash: line 1: 8 Aborted valgrind -v /tmp/justafl/mp3gain /tmp/poc
The dockerized POC image has been pushed to Docker Hub; you can do this to verify this crash:
docker run -it --rm zjuchenyuan/dockerized_poc:mp3gain /bin/bash
# in the container
# cp /fuzzpoc/mp3gain_poc5 /tmp/poc && /tmp/asan/mp3gain /tmp/poc
# cp /fuzzpoc/mp3gain_poc5 /tmp/poc && valgrind -v /tmp/justafl/mp3gain /tmp/poc
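As an added illustration of the bug class the ASan frame shows (this is not code from mp3gain or from the report above): sprintf() with "%f" into the fixed 100-byte valueString cannot bound its output, and the roughly -5.5e171 dB figure printed above needs 180 characters plus NUL, matching the 181-byte write. The buffer size 100 is taken from the frame description "[160, 260) 'valueString'"; the format string, the helper names and the +/-100 dB sanity limit are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 100-byte 'valueString' in WriteMP3GainAPETag;
 * only its size comes from the ASan frame description. */
#define VALUE_STRING_LEN 100

/* Bytes "%f" needs for a value, NUL excluded. For the crash input's dB change
 * (about -5.5e171) this is 180: sign + 172 integer digits + ".000000". */
int needed_len(double db)
{
    return snprintf(NULL, 0, "%f", db);
}

/* Hardened formatter (assumed replacement for the sprintf at apetag.c:578):
 * snprintf() never writes past cap, and truncation is reported instead of
 * silently writing a clipped value into the tag. Returns 0 on success, -1 if
 * the value does not fit. */
int format_db_value(char *buf, size_t cap, double db)
{
    int n = snprintf(buf, cap, "%f", db);
    if (n < 0 || (size_t)n >= cap) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* 1 if the value fits the 100-byte valueString, 0 otherwise. */
int value_fits(double db)
{
    char value_string[VALUE_STRING_LEN];
    return format_db_value(value_string, sizeof value_string, db) == 0;
}

/* Validation in front of the tag writer: a gain adjustment outside a small
 * range is an analysis failure (the report also shows an INT_MAX mp3 gain),
 * not a real gain. NaN fails both comparisons, so it is rejected as well.
 * The +/-100 dB bound is an assumed sanity limit, not mp3gain's. */
int plausible_db(double db)
{
    return db >= -100.0 && db <= 100.0;
}

int main(void)
{
    double crash_like = -5.5e171;   /* constructed, modelled on the report */
    printf("needed=%d fits=%d plausible=%d\n", needed_len(crash_like),
           value_fits(crash_like), plausible_db(crash_like));
    return 0;
}
```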
The attached patch seems to do the trick.