Package: bs1770gain Version: 0.4.12-2 Severity: important Tags: security stack buffer overflow while running bs1770gain with "poc -o output" option
Running 'bs1770gain poc -o output' with the attached file raises stack buffer
overflow
which may allow a remote attack to cause a denial-of-service attack or ????
I expected the program to terminate without segfault, but the program crashes
as follow
-------------------------------------------
june@yuweol:~/poc/bs1770gain/crash2$ bs1770gain poc -o output
analyzing ...
[1/1] "poc": Segmentation fault
-------------------------------------------
june@yuweol:~/poc/bs1770gain/crash2$
~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc -o output
analyzing ...
[1/1] "poc": =================================================================
==5034==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffded69470 at pc 0x55e89c1c8419 bp 0x7fffded693b0 sp 0x7fffded693a8
WRITE of size 8 at 0x7fffded69470 thread T0
#0 0x55e89c1c8418 in convert_fltp
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418)
#1 0x55e89c1c99af in ffsox_frame_convert_sox
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2c9af)
#2 0x55e89c1c1f29 in sox_reader_run
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x24f29)
#3 0x55e89c1bd686 in ffsox_machine_run
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x20686)
#4 0x55e89c1c19d3 in ffsox_sox_reader_read
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x249d3)
#5 0x55e89c1c2577 in drain
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x25577)
#6 0x7f2434b9db4d in sox_flow_effects
(/usr/lib/x86_64-linux-gnu/libsox.so.2+0x28b4d)
#7 0x55e89c1b98f2 in ffsox_analyze
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1c8f2)
#8 0x55e89c1b19fd in bs1770gain_tree_analyze
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#9 0x55e89c1ae14e in main
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#10 0x7f24347f82e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#11 0x55e89c1aa4e9 in _start
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)
Address 0x7fffded69470 is located in stack of thread T0 at offset 96 in frame
#0 0x55e89c1c81df in convert_fltp
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b1df)
This frame has 1 object(s):
[32, 96) 'rp' <== Memory access at offset 96 overflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418)
in convert_fltp
Shadow bytes around the buggy address:
0x10007bda5230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007bda5240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007bda5250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007bda5260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007bda5270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007bda5280: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00[f3]f3
0x10007bda5290: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x10007bda52a0: f1 f1 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00
0x10007bda52b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007bda52c0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f3 f3
0x10007bda52d0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5034==ABORTING
-------------------------------------------
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500,
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bs1770gain depends on:
ii libavcodec57 7:3.3.4-2+b2
ii libavformat57 7:3.3.4-2+b2
ii libavutil55 7:3.3.4-2+b2
ii libc6 2.24-17
ii libsox2 14.4.1-5+b2
ii libswresample2 7:3.3.4-2+b2
bs1770gain recommends no packages.
bs1770gain suggests no packages.
-- no debconf information
poc
Description: audio/hx-aac-adts
