Bug#881130: vorbis-tools: use uninitialized local value as a pointer running oggenc

Joonun Jang joonun.jang at gmail.com
Wed Nov 8 05:27:57 UTC 2017


Package: vorbis-tools
Version: 1.4.0-10+b1
Severity: important
Tags: security

bad free while running oggenc with "poc -o output" option

Running 'oggenc poc -o output' with the attached file raises a
bad free (use of an uninitialized local value as a pointer),
which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------

june at yuweol:~/poc/oggenc/crash1$ oggenc poc -o output
Opening with flac module: FLAC file reader
Encoding "poc" to
         "output"
at quality 3.00
*** Error in `oggenc': free(): invalid pointer: 0x00007fff9a8ae710 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f77a7e69bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f77a7e6ffc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f77a7e7080e]
/usr/lib/x86_64-linux-gnu/libogg.so.0(oggpack_writeclear+0x12)[0x7f77a819ba32]
/usr/lib/x86_64-linux-gnu/libvorbis.so.0(vorbis_analysis_headerout+0x467)[0x7f77a892a807]
oggenc(+0x7aa7)[0x55cc5a9afaa7]
oggenc(+0x3cf6)[0x55cc5a9abcf6]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f77a7e192e1]
oggenc(+0x485a)[0x55cc5a9ac85a]
======= Memory map: ========
55cc5a9a8000-55cc5a9b9000 r-xp 00000000 08:01 2135134                    /usr/bin/oggenc
55cc5abb8000-55cc5abb9000 r--p 00010000 08:01 2135134                    /usr/bin/oggenc
55cc5abb9000-55cc5abba000 rw-p 00011000 08:01 2135134                    /usr/bin/oggenc
55cc5c25a000-55cc5c29c000 rw-p 00000000 00:00 0                          [heap]
7f77a0000000-7f77a0021000 rw-p 00000000 00:00 0
7f77a0021000-7f77a4000000 ---p 00000000 00:00 0
7f77a7be2000-7f77a7bf8000 r-xp 00000000 08:01 2235139                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7bf8000-7f77a7df7000 ---p 00016000 08:01 2235139                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df7000-7f77a7df8000 r--p 00015000 08:01 2235139                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df8000-7f77a7df9000 rw-p 00016000 08:01 2235139                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df9000-7f77a7f8c000 r-xp 00000000 08:01 2235485                    /lib/x86_64-linux-gnu/libc-2.24.so
7f77a7f8c000-7f77a818c000 ---p 00193000 08:01 2235485                    /lib/x86_64-linux-gnu/libc-2.24.so
7f77a818c000-7f77a8190000 r--p 00193000 08:01 2235485                    /lib/x86_64-linux-gnu/libc-2.24.so
7f77a8190000-7f77a8192000 rw-p 00197000 08:01 2235485                    /lib/x86_64-linux-gnu/libc-2.24.so
7f77a84a2000-7f77a86a1000 ---p 00103000 08:01 2235490                    /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a1000-7f77a86a2000 r--p 00102000 08:01 2235490                    /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a2000-7f77a86a3000 rw-p 00103000 08:01 2235490                    /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a3000-7f77a8718000 r-xp 00000000 08:01 2106746                    /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8718000-7f77a8918000 ---p 00075000 08:01 2106746                    /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8918000-7f77a8919000 r--p 00075000 08:01 2106746                    /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8919000-7f77a891a000 rw-p 00076000 08:01 2106746                    /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a891a000-7f77a8945000 r-xp 00000000 08:01 2106748                    /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8945000-7f77a8b44000 ---p 0002b000 08:01 2106748                    /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b44000-7f77a8b45000 r--p 0002a000 08:01 2106748                    /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b45000-7f77a8b46000 rw-p 0002b000 08:01 2106748                    /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b46000-7f77a8bd3000 r-xp 00000000 08:01 2106751                    /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8bd3000-7f77a8dd2000 ---p 0008d000 08:01 2106751                    /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dd2000-7f77a8dee000 r--p 0008c000 08:01 2106751                    /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dee000-7f77a8def000 rw-p 000a8000 08:01 2106751                    /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8def000-7f77a8e12000 r-xp 00000000 08:01 2230784                    /lib/x86_64-linux-gnu/ld-2.24.so
7f77a8e50000-7f77a8feb000 r--p 00000000 08:01 2116104                    /usr/lib/locale/locale-archive
7f77a8feb000-7f77a8fef000 rw-p 00000000 00:00 0
7f77a900e000-7f77a9012000 rw-p 00000000 00:00 0
7f77a9012000-7f77a9013000 r--p 00023000 08:01 2230784                    /lib/x86_64-linux-gnu/ld-2.24.so
7f77a9013000-7f77a9014000 rw-p 00024000 08:01 2230784                    /lib/x86_64-linux-gnu/ld-2.24.so
7f77a9014000-7f77a9015000 rw-p 00000000 00:00 0
7fff9a890000-7fff9a8b1000 rw-p 00000000 00:00 0                          [stack]
7fff9a934000-7fff9a936000 r--p 00000000 00:00 0                          [vvar]
7fff9a936000-7fff9a938000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

-------------------------------------------

june at yuweol:~/poc/oggenc/crash1$ ~/project/analyze/bins/vorbis-tools-1.4.0/oggenc/oggenc poc -o output
Opening with flac module: FLAC file reader
Encoding "poc" to
         "output"
at quality 3.00
=================================================================
==4965==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0fffe062dc8c in thread T0
    #0 0x7f58229ef8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x7f5821cc2a31 in oggpack_writeclear (/usr/lib/x86_64-linux-gnu/libogg.so.0+0x5a31)
    #2 0x7f5822451806 in vorbis_analysis_headerout (/usr/lib/x86_64-linux-gnu/libvorbis.so.0+0x10806)
    #3 0x559c0c0989f0 in oe_encode (/home/june/project/analyze/bins/vorbis-tools-1.4.0/oggenc/oggenc+0x159f0)
    #4 0x559c0c08ebb6 in main (/home/june/project/analyze/bins/vorbis-tools-1.4.0/oggenc/oggenc+0xbbb6)
    #5 0x7f58219402e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x559c0c090db9 in _start (/home/june/project/analyze/bins/vorbis-tools-1.4.0/oggenc/oggenc+0xddb9)

Address 0x0fffe062dc8c is located in the high shadow area.
SUMMARY: AddressSanitizer: bad-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8) in __interceptor_free
==4965==ABORTING

*********************************************************
576 int vorbis_analysis_headerout(vorbis_dsp_state *v,
577                               vorbis_comment *vc,
578                               ogg_packet *op,
579                               ogg_packet *op_comm,
580                               ogg_packet *op_code){
581   int ret=OV_EIMPL;
582   vorbis_info *vi=v->vi;
583   oggpack_buffer opb;
584   private_state *b=v->backend_state;
585
586   if(!b||vi->channels<=0){
587     ret=OV_EFAULT;
588     goto err_out;
589   }
*********************************************************

This logic can reach line 588 with an uninitialized value of opb,

*********************************************************
639  err_out:
640   memset(op,0,sizeof(*op));
641   memset(op_comm,0,sizeof(*op_comm));
642   memset(op_code,0,sizeof(*op_code));
643
644   if(b){
645     oggpack_writeclear(&opb);
*********************************************************

and can also reach line 645,

*********************************************************
void oggpack_writeclear(oggpack_buffer *b){
  if(b->buffer)_ogg_free(b->buffer);
  memset(b,0,sizeof(*b));
}
*********************************************************

and finally this uninitialized local value reaches the free function,
which causes this bad-free error.
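The error path described above, modelled as an added C example. This is not code from the bug report or from libvorbis: pack_buffer, writeinit, writeclear, tracked_alloc, tracked_free, headerout_unsafe and headerout_safe are hypothetical stand-ins for oggpack_buffer, oggpack_writeinit, oggpack_writeclear, the allocator's bookkeeping and vorbis_analysis_headerout. The stale pointer fed into the unsafe variant is a constructed value, so the demo is deterministic and never reads real uninitialized stack memory; the tracked allocator plays the role ASan played in the report by refusing to free a pointer it never handed out.

```c
/* Added example (not libvorbis code): model of an oggpack_buffer local that is
 * cleared on an error path before it was ever initialised, beside the
 * zero-initialised form that makes the same error path safe. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *buffer;   /* heap block, as in oggpack_buffer */
    long storage;
} pack_buffer;

/* Tiny allocation ledger standing in for the allocator's own bookkeeping. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];

static void *tracked_alloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = malloc(n); return live[i]; }
    }
    return NULL;
}

/* Returns 0 on a valid free, -1 when p was never handed out (a "bad free"). */
static int tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { free(p); live[i] = NULL; return 0; }
    }
    return -1;
}

static void writeinit(pack_buffer *b) {
    memset(b, 0, sizeof(*b));
    b->buffer = tracked_alloc(256);
    b->storage = 256;
}

/* Mirrors oggpack_writeclear: frees whatever b->buffer currently holds. */
static int writeclear(pack_buffer *b) {
    int rc = 0;
    if (b->buffer) rc = tracked_free(b->buffer);
    memset(b, 0, sizeof(*b));
    return rc;
}

/* Vulnerable shape: opb is declared but not initialised before the early
 * bail-out, yet err_out still clears it whenever backend_state is non-NULL.
 * `stale` stands in for whatever the stack happened to contain (constructed
 * input; a real run would see an unpredictable value). */
static int headerout_unsafe(void *backend_state, int channels, unsigned char *stale) {
    pack_buffer opb;
    int ret = 0;
    opb.buffer = stale;      /* simulate uninitialised stack contents */
    opb.storage = 0;
    if (!backend_state || channels <= 0) { ret = -1; goto err_out; }
    writeinit(&opb);
    /* ... header packets would be written here ... */
    return writeclear(&opb);
err_out:
    if (backend_state && writeclear(&opb) != 0) return -2;  /* bad free observed */
    return ret;
}

/* Hardened shape: zero-initialise the buffer at declaration, so a clear on the
 * error path sees buffer == NULL and frees nothing. */
static int headerout_safe(void *backend_state, int channels) {
    pack_buffer opb = {0};
    int ret = 0;
    if (!backend_state || channels <= 0) { ret = -1; goto err_out; }
    writeinit(&opb);
    return writeclear(&opb);
err_out:
    if (backend_state && writeclear(&opb) != 0) return -2;
    return ret;
}

int main(void) {
    unsigned char *stale = (unsigned char *)0x10;  /* never dereferenced */
    printf("unsafe, channels=0: %d (-2 = bad free detected)\n",
           headerout_unsafe((void *)1, 0, stale));
    printf("safe,   channels=0: %d (-1 = clean error return)\n",
           headerout_safe((void *)1, 0));
    printf("safe,   channels=2: %d (0 = normal path)\n",
           headerout_safe((void *)1, 2));
    return 0;
}
```

The two variants differ only in the declaration of opb; the early `goto err_out` and the `if(b)` clear are kept as in the excerpt, which is what makes the unsafe variant hand an arbitrary pointer to free. Zero-initialising the local is one way to make the error path safe; setting b to NULL before the goto, so the clear is skipped, is another.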

-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages vorbis-tools depends on:
ii  libao4           1.2.2-1
ii  libc6            2.24-17
ii  libcurl3-gnutls  7.56.1-1
ii  libflac8         1.3.2-1
ii  libogg0          1.3.2-1+b1
ii  libspeex1        1.2~rc1.2-1+b2
ii  libvorbis0a      1.3.5-4
ii  libvorbisenc2    1.3.5-4
ii  libvorbisfile3   1.3.5-4

vorbis-tools recommends no packages.

vorbis-tools suggests no packages.

-- no debconf information
Attachment (non-text, scrubbed by the list archive):
Name: poc
Type: audio/x-flac
Size: 72 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xiph-maint/attachments/20171108/ddf8e8aa/attachment.bin>