
#297 SoX v14.4.2 vulnerable to a heap use-after-free condition after parsing AIFF file and calling sox_append_comments()

Status: closed-fixed | Priority: 5 | Updated: 2018-04-29 | Created: 2017-08-16 | Private: No

Hey there!

I discovered that SoX version 14.4.2 on Linux is vulnerable to a heap use-after-free condition when, after parsing a crafted AIFF file, sox_append_comments() in formats.c is called after "comment" has been freed in lsx_aiffstartread() at line 280 of aiff.c. This invalid read results in a crash and could lead to information disclosure or code execution.

Below you will be able to see the output from AddressSanitizer, along with the vanilla crash output and Valgrind memcheck output. I will also attach the AIFF file (poc.aff) that is the source of the problem.

I look forward to providing additional details about this should you require it and hope that I can be of help in resolving the issue. Please let me know as soon as you can what the status is on the vulnerability and/or patch. I would like to publish a report with details on this in the near future, but I will be mindful of your development schedule.

Thank you very much for your time and I hope to hear from you soon!

Steven Patterson
Vulnerability Researcher at Shogun Lab
http://www.shogunlab.com/

AddressSanitizer output:

=================================================================
==31390==ERROR: AddressSanitizer: heap-use-after-free on address 0xb55005d0 at pc 0xb72579ae bp 0xbff5def8 sp 0xbff5dad0
READ of size 2 at 0xb55005d0 thread T0
    #0 0xb72579ad  (/usr/lib/i386-linux-gnu/libasan.so.3+0x489ad)
    #1 0x800bef9d in sox_append_comments /home/eva/Downloads/sox-14.4.2/src/formats.c:236
    #2 0x801adc4e in lsx_aiffstartread /home/eva/Downloads/sox-14.4.2/src/aiff.c:279
    #3 0x800c1ac8 in open_read /home/eva/Downloads/sox-14.4.2/src/formats.c:545
    #4 0x800c24ed in sox_open_read /home/eva/Downloads/sox-14.4.2/src/formats.c:585
    #5 0x800bc27a in main /home/eva/Downloads/sox-14.4.2/src/sox.c:2945
    #6 0xb6fce275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #7 0x800a1820  (/home/eva/Downloads/sox-14.4.2/src/sox+0x17820)

0xb55005d0 is located 0 bytes inside of 9-byte region [0xb55005d0,0xb55005d9)
freed by thread T0 here:
    #0 0xb72cce5c in free (/usr/lib/i386-linux-gnu/libasan.so.3+0xbde5c)
    #1 0x801adc60 in lsx_aiffstartread /home/eva/Downloads/sox-14.4.2/src/aiff.c:280
    #2 0x800c1ac8 in open_read /home/eva/Downloads/sox-14.4.2/src/formats.c:545
    #3 0x800c24ed in sox_open_read /home/eva/Downloads/sox-14.4.2/src/formats.c:585
    #4 0x800bc27a in main /home/eva/Downloads/sox-14.4.2/src/sox.c:2945
    #5 0xb6fce275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)

previously allocated by thread T0 here:
    #0 0xb72cd4d4 in realloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xbe4d4)
    #1 0x800ccc41 in lsx_realloc /home/eva/Downloads/sox-14.4.2/src/xmalloc.c:37
    #2 0x801afd75 in commentChunk /home/eva/Downloads/sox-14.4.2/src/aiff.c:523
    #3 0x801adc12 in lsx_aiffstartread /home/eva/Downloads/sox-14.4.2/src/aiff.c:273
    #4 0x800c1ac8 in open_read /home/eva/Downloads/sox-14.4.2/src/formats.c:545
    #5 0x800c24ed in sox_open_read /home/eva/Downloads/sox-14.4.2/src/formats.c:585
    #6 0x800bc27a in main /home/eva/Downloads/sox-14.4.2/src/sox.c:2945
    #7 0xb6fce275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/i386-linux-gnu/libasan.so.3+0x489ad) 
==31390==ABORTING

Valgrind output:

==6943== Memcheck, a memory error detector
==6943== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==6943== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==6943== Command: ./sox crashes/poc poc.wav
==6943== 
==6945== 
==6945== HEAP SUMMARY:
==6945==     in use at exit: 0 bytes in 0 blocks
==6945==   total heap usage: 46 allocs, 46 frees, 4,178 bytes allocated
==6945== 
==6945== All heap blocks were freed -- no leaks are possible
==6945== 
==6945== For counts of detected and suppressed errors, rerun with: -v
==6945== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==6944== Invalid free() / delete / delete[] / realloc()
==6944==    at 0x402F438: free (vg_replace_malloc.c:530)
==6944==    by 0x80C991F: xfree (in /bin/bash)
==6944==    by 0x80ADD49: ??? (in /bin/bash)
==6944==    by 0x80AE17F: run_unwind_frame (in /bin/bash)
==6944==    by 0x80D0CA6: parse_and_execute (in /bin/bash)
==6944==    by 0x809E710: command_substitute (in /bin/bash)
==6944==    by 0x80A5BEC: ??? (in /bin/bash)
==6944==    by 0x80A72CC: ??? (in /bin/bash)
==6944==    by 0x80A73C3: expand_word_unsplit (in /bin/bash)
==6944==    by 0x807F033: execute_command_internal (in /bin/bash)
==6944==    by 0x8080793: execute_command (in /bin/bash)
==6944==    by 0x807E1BD: execute_command_internal (in /bin/bash)
==6944==  Address 0x8194f88 is in the brk data segment 0x8187000-0x8199fff
==6944== 
==6944== 
==6944== HEAP SUMMARY:
==6944==     in use at exit: 0 bytes in 0 blocks
==6944==   total heap usage: 46 allocs, 47 frees, 4,178 bytes allocated
==6944== 
==6944== All heap blocks were freed -- no leaks are possible
==6944== 
==6944== For counts of detected and suppressed errors, rerun with: -v
==6944== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Vanilla crash output with -V -V flags:

/home/eva/Testing/sox-14.4.2/src/.libs/sox:      SoX v14.4.2
time:     Aug 16 2017 00:50:59
uname:    Linux melchior 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
compiler: gcc 6.3.0 20170516
arch:     1248 48 44 L OMP
/home/eva/Testing/sox-14.4.2/src/.libs/sox INFO formats: detected file format type `aiff'
/home/eva/Testing/sox-14.4.2/src/.libs/sox DBUG aiff: Comment:     ""
/home/eva/Testing/sox-14.4.2/src/.libs/sox DBUG aiff: Comment:     "�"
/home/eva/Testing/sox-14.4.2/src/.libs/sox DBUG aiff: Comment:     ""
*** Error in `/home/eva/Testing/sox-14.4.2/src/.libs/sox': double free or corruption (fasttop): 0x80260440 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb751f37a]
/lib/i386-linux-gnu/libc.so.6(+0x6dfb7)[0xb7525fb7]
/lib/i386-linux-gnu/libc.so.6(+0x6e7f6)[0xb75267f6]
/home/eva/Testing/sox-14.4.2/src/.libs/libsox.so.3(+0x7657)[0xb772d657]
/home/eva/Testing/sox-14.4.2/src/.libs/libsox.so.3(+0xddc1)[0xb7733dc1]
/home/eva/Testing/sox-14.4.2/src/.libs/sox(main+0x382)[0x8006d5b2]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb74d0276]
/home/eva/Testing/sox-14.4.2/src/.libs/sox(+0x561d)[0x8007061d]
Aborted
Attachments: poc
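The defect the report describes, as an added C illustration that is not SoX's code: a chunk loop that frees its comment buffer but leaves the pointer reachable, shown here in hardened form (the pointer is reset right after the free, so a later chunk that adds nothing cannot resurrect it). chunk_t, read_comments(), append_comment(), walk_chunks() and demo() are hypothetical stand-ins for the AIFF chunk loop, commentChunk() and sox_append_comments(); the input is constructed.

```c
/* Added illustration, not SoX's code: chunk_t, read_comments() and append_comment()
 * are hypothetical stand-ins for the AIFF chunk loop, commentChunk() and sox_append_comments(). */
#include <stdlib.h>
#include <string.h>

typedef struct { const char *const *lines; size_t n; } chunk_t;    /* one COMT-like chunk */
typedef struct { char joined[128]; size_t count; } comment_list_t;  /* stand-in for oob.comments */
/* Copies the chunk's first non-empty comment into *text; when there is none,
 * *text is left untouched, which is what makes a stale pointer dangerous. */
static int read_comments(char **text, const chunk_t *c) {
    for (size_t i = 0; i < c->n; i++) {
        size_t len = strlen(c->lines[i]);
        if (len == 0) continue;                  /* empty comment: nothing stored */
        char *buf = realloc(*text, len + 1);     /* on a dangling *text this is an invalid free */
        if (buf) memcpy(*text = buf, c->lines[i], len + 1);
        return buf ? 0 : -1;
    }
    return 0;
}
/* Like sox_append_comments(): copies text in; the caller keeps ownership of text. */
static int append_comment(comment_list_t *l, const char *text) {
    if (strlen(l->joined) + strlen(text) + 2 > sizeof l->joined) return -1;
    strcat(strcat(l->joined, text), "\n");
    l->count++;
    return 0;
}
/* 14.4.2 did  if (comment) { sox_append_comments(..); free(comment); }  with no reset, so a chunk
 * adding nothing left `comment` dangling: the next pass read freed memory, then freed it again. */
static int walk_chunks(const chunk_t *chunks, size_t n, comment_list_t *out) {
    char *comment = NULL;
    for (size_t i = 0; i < n; i++) {
        if (read_comments(&comment, &chunks[i]) != 0) { free(comment); return -1; }
        if (comment) {
            if (append_comment(out, comment) < 0) { free(comment); return -1; }
            free(comment);
            comment = NULL;   /* the fix: a freed pointer must not stay reachable */
        }
    }
    return (int)out->count;   /* comments appended, or -1 on error */
}
/* Constructed input: data, then a chunk holding only an empty comment, then data again. */
static int demo(void) {
    static const char *const a[] = { "first", "" }, *const b[] = { "" }, *const c[] = { "third" };
    const chunk_t chunks[] = { { a, 2 }, { b, 1 }, { c, 1 } };
    comment_list_t list = { "", 0 };
    int n = walk_chunks(chunks, 3, &list);
    return n == 2 && strcmp(list.joined, "first\nthird\n") == 0 ? n : -1;
}
int main(void) { return demo() == 2 ? 0 : 1; }
```

The middle chunk is the trigger case: it reads nothing, so without the reset the loop's `if (comment)` would still see the freed buffer from the first chunk.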

Discussion

  • Steven Patterson

    Also, the crash occurs when attempting to convert the AIFF "poc" to "poc.wav" using the following command:

    ./sox poc poc.wav

  • Mans Rullgard - 2018-04-26
    • status: open --> pending-fixed
    • assigned_to: Mans Rullgard

    • Steven Patterson

      Thanks for updating the status of this! Would it be possible to change the ticket visibility to "Public" instead of "Private"?

  • Mans Rullgard - 2018-04-26
    • private: Yes --> No

  • Mans Rullgard - 2018-04-29
    • status: pending-fixed --> closed-fixed
