Menu

#50 heap-buffer-overflow & stack-buffer-overflow in 1.6.2 version

v1.0 (example)
open
nobody
bug (2)
5
2023-09-13
2023-09-13
No

Hi, developers of MP3Gain:
When I tested mp3gain, I found multiple bugs.

Environment

  • Ubuntu 20.04
  • mp3gain complied with ASAN
  • mp3gain version: 1.62

Bug1

  • command line : ./mp3gain -s i ./poc_1 /dev/null
./mp3gain -s i ./poc_1 /dev/null                                                                                                                                
=================================================================           
==162875==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000015 at pc 0x5562c2cf9524 bp 0x7ffea38bbc70 sp 0x7ffea38bbc60         READ of size 1 at 0x602000000015 thread T0                                                                                   
    #0 0x5562c2cf9523 in id3_parse_v2_tag /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:659                 #1 0x5562c2cf9d51 in id3_search_tag /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:996                                                         #2 0x5562c2cfc880 in ReadMP3GainID3Tag /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:1145               #3 0x5562c2cd7838 in main_impl /home/siang/software_test/target/mp3gain-code/mp3gain/mp3gain.c:1842                                                       #4 0x7fcc1bba9082 in __libc_start_main ../csu/libc-start.c:308                   #5 0x5562c2ccad4d in _start (/home/siang/software_test/report/mp3gain/mp3gain+0x7d4d)                                                                         
0x602000000015 is located 0 bytes to the right of 5-byte region [0x602000000010,0x602000000015)                                                                   
allocated by thread T0 here:                                                     
    #0 0x7fcc1c033808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144                        #1 0x5562c2cf6b75 in id3_parse_v2_tag /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:612                                                      

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:659 in id3_parse_v2_tag
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==162875==ABORTING

Bug2

  • command line : ./mp3gain -a -s i ./poc_2 /dev/null
./mp3gain -a -s i ./poc_2 /dev/null                                                                                                                             
=================================================================               
==162233==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdfb23ba3f at pc 0x5592ab00b2f0 bp 0x7ffdfb23b9a0 sp 0x7ffdfb23b990         READ of size 1 at 0x7ffdfb23ba3f thread T0                                       

     #0 0x5592ab00b2ef in id3_parse_v1_tag /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:963                 #1 0x5592ab00b2ef in id3_search_tag /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:1082                                                       
      #2 0x5592ab00b880 in ReadMP3GainID3Tag /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:1145               #3 0x5592aafe6838 in main_impl /home/siang/software_test/target/mp3gain-code/mp3gain/mp3gain.c:1842                                                       #4 0x7ff1d1a8e082 in __libc_start_main ../csu/libc-start.c:308                   #5 0x5592aafd9d4d in _start (/home/siang/software_test/report/mp3gain/mp3gain+0x7d4d)                                                                         
Address 0x7ffdfb23ba3f is located in stack of thread T0 at offset 95 in frame     #0 0x5592ab008c3f in id3_search_tag /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:989 

This frame has 3 object(s):                                                       [32, 64) 'buf' (line 990)                                                       [96, 128) 'sbuf' (line 893) <== Memory access at offset 95 underflows this variable                                                                           [160, 288) 'buf' (line 892)                                                                                                                                   
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork                                                   (longjmp and C++ exceptions *are* supported)                                                                                                                
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/siang/software_test/target/mp3gain-code/mp3gain/id3tag.c:963 in id3_parse_v1_tag                           
Shadow bytes around the buggy address:                                             0x10003f63f6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 0x10003f63f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 0x10003f63f710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 0x10003f63f720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 0x10003f63f730: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1                =>0x10003f63f740: 00 00 00 00 f2 f2 f2[f2]00 00 00 00 f2 f2 f2 f2
      0x10003f63f750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10003f63f760: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x10003f63f770: 00 00 f1 f1 f1 f1 00 00 00 00 f3 f3 f3 f3 00 00
      0x10003f63f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10003f63f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==162233==ABORTING
1 Attachments

Discussion


Log in to post a comment.