[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] lame: global-buffer-overflow in II_step_one (layer2.c)
From: "Agostino Sarubbo" <ago () gentoo ! org>
Date: 2017-06-28 12:04:54
Message-ID: 250758.429381193-sendEmail () localhost
[Download RAW message or body]
------MIME delimiter for sendEmail-314149.051978351
Content-Type: text/plain;
charset="UTF-8"
Content-Transfer-Encoding: 7bit
Description:
lame is a high quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL.
Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub \
Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is \
not active and people do not post on the upstream bugzilla is easy discover duplicates, so I \
downloaded all available testcases, and noone of the bug you will see on my blog is a duplicate \
of an existing issue. Upstream seems a bit dead, latest release was into 2011, so this blog \
post will probably forwarded on the upstream bugtracker just for the record.
The complete ASan output of the issue:
# lame -f -V 9 $FILE out.wav
==27479==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f598d317f20 at pc \
0x7f598d2b246b bp 0x7ffe780cf310 sp 0x7ffe780cf308 READ of size 2 at 0x7f598d317f20 thread T0
#0 0x7f598d2b246a in II_step_one \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:144:36 #1 \
0x7f598d2b246a in decode_layer2_frame \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:375 #2 \
0x7f598d29b377 in decodeMP3_clipchoice \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:611:13 #3 \
0x7f598d298c13 in decodeMP3 \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:696:12 #4 \
0x7f598d259092 in decode1_headersB_clipchoice \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:149:11
#5 0x7f598d25e94a in hip_decode1_headersB \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:436:16
#6 0x7f598d25e94a in hip_decode1_headers \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:379 \
#7 0x51e984 in lame_decode_fromfile \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:2089:11 #8 \
0x51e984 in read_samples_mp3 \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:877 #9 \
0x51e984 in get_audio_common \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:785 #10 \
0x51e4fa in get_audio \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:688:16 #11 \
0x50f776 in lame_encoder_loop \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:456:17 #12 \
0x50f776 in lame_encoder \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:531 #13 \
0x50c43f in lame_main \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:707:15 #14 \
0x510793 in c_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:470:15
#15 0x510793 in main \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:438 #16 \
0x7f598be51680 in __libc_start_main \
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #17 0x41c998 \
in _init (/usr/bin/lame+0x41c998)
0x7f598d317f20 is located 0 bytes to the right of global variable 'alloc_2' defined in
'/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/l2tables.h:118:24' \
(0x7f598d317de0) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:144:36 in \
II_step_one Shadow bytes around the buggy address:
0x0febb1a5af90: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0febb1a5afa0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0febb1a5afb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0febb1a5afc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0febb1a5afd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0febb1a5afe0: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0febb1a5aff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0febb1a5b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0febb1a5b010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0febb1a5b020: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0febb1a5b030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27479==ABORTING
Affected version:
3.99.5
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-9869
Reproducer:
https://github.com/asarubbo/poc/blob/master/00290-lame-globaloverflow-II_step_one
Timeline:
2017-06-01: bug discovered
2017-06-17: blog post about the issue
2017-06-25: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/
--
Agostino Sarubbo
Gentoo Linux Developer
------MIME delimiter for sendEmail-314149.051978351--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic