[Secure-testing-team] Bug#881121: sox: null pointer dereference while running sox

Joonun Jang joonun.jang at gmail.com
Wed Nov 8 02:05:12 UTC 2017


Package: sox
Version: 14.4.1-5+b2
Severity: normal
Tags: security

null pointer dereference while running sox with "poc.aiff output.aiff speed 1.027" option

Running 'sox poc.aiff output.aiff speed 1.027' with the attached file raises a null pointer dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------

june at yuweol:~/poc/sox/crash1$ sox ./poc.aiff output.aiff speed 1.027
Segmentation fault

-------------------------------------------

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba7ff8 in ?? () from /usr/lib/x86_64-linux-gnu/libsox.so.2
(gdb) bt
#0  0x00007ffff7ba7ff8 in ?? () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#1  0x00007ffff7b5cb17 in sox_read () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#2  0x000055555555fc74 in ?? ()
#3  0x00007ffff7b6cb4e in sox_flow_effects () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#4  0x0000555555558e21 in ?? ()
#5  0x00007ffff70772e1 in __libc_start_main (main=0x555555557980, argc=5, argv=0x7fffffffe268,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe258)
    at ../csu/libc-start.c:291
#6  0x000055555555a45a in ?? ()
(gdb) x/i $rip
=> 0x7ffff7ba7ff8:  movzbl (%r11,%rsi,1),%edi
(gdb) i r r11 rsi
r11            0x0  0
rsi            0x0  0

-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sox depends on:
ii  libc6             2.24-17
ii  libgomp1          7.2.0-12
ii  libsox-fmt-alsa   14.4.1-5+b2
ii  libsox-fmt-ao     14.4.1-5+b2
ii  libsox-fmt-base   14.4.1-5+b2
ii  libsox-fmt-oss    14.4.1-5+b2
ii  libsox-fmt-pulse  14.4.1-5+b2
ii  libsox2           14.4.1-5+b2

sox recommends no packages.

Versions of packages sox suggests:
ii  libsox-fmt-all  14.4.1-5+b2

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc.aiff
Type: application/octet-stream
Size: 37 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171108/c6856f6a/attachment-0001.obj>
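As an added example, not code from the report or from sox: a strict AIFF chunk walker in Python that refuses a file whose declared chunk sizes run past end-of-file before any sample data reaches a processing effect, which is the kind of input check that keeps a malformed file from driving a format reader into a NULL read. The sample inputs are constructed; the only tie to the attachment is its stated 37-byte size (a FORM header plus a full 18-byte COMM chunk already needs 38 bytes), and it is an assumption that the PoC is malformed in this particular way.

```python
import struct

# Constructed sample inputs (not the attachment from the report).
# Well-formed minimal AIFF: FORM header, 18-byte COMM chunk, empty SSND chunk.
COMM_BODY = struct.pack(">hLh", 1, 0, 16) + bytes(10)  # channels, frames, bits, 80-bit rate (zeroed)
GOOD_AIFF = (b"FORM" + struct.pack(">L", 4 + 8 + 18 + 8 + 8) + b"AIFF"
             + b"COMM" + struct.pack(">L", 18) + COMM_BODY
             + b"SSND" + struct.pack(">L", 8) + bytes(8))
# A 37-byte file: the COMM chunk declares 18 bytes but only 17 follow it.
# Any 37-byte AIFF is necessarily short: FORM header (12) + COMM header (8)
# + COMM body (18) already needs 38 bytes.
BAD_AIFF = (b"FORM" + struct.pack(">L", 29) + b"AIFF"
            + b"COMM" + struct.pack(">L", 18) + COMM_BODY[:17])


def parse_aiff_chunks(data: bytes) -> dict:
    """Walk the IFF chunk list, never trusting a declared length that runs past EOF.
    Returns {chunk_id: body_bytes}; raises ValueError on a malformed file."""
    if len(data) < 12 or data[:4] != b"FORM" or data[8:12] != b"AIFF":
        raise ValueError("not an AIFF FORM container")
    form_size = struct.unpack(">L", data[4:8])[0]
    if form_size + 8 > len(data):
        raise ValueError(f"FORM declares {form_size} bytes, file holds {len(data) - 8}")
    chunks, pos = {}, 12
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError(f"trailing {len(data) - pos} bytes cannot hold a chunk header")
        ck_id = data[pos:pos + 4]
        ck_size = struct.unpack(">L", data[pos + 4:pos + 8])[0]
        body_start, body_end = pos + 8, pos + 8 + ck_size
        if body_end > len(data):
            raise ValueError(f"{ck_id!r} declares {ck_size} bytes, only {len(data) - body_start} remain")
        chunks[ck_id] = data[body_start:body_end]
        pos = body_end + (ck_size & 1)  # IFF chunks are padded to an even length
    if b"COMM" not in chunks or len(chunks[b"COMM"]) < 18:
        raise ValueError("missing or short COMM chunk")
    return chunks


def is_safe_to_read(data: bytes) -> bool:
    """True only if every chunk header and body lies within the file."""
    try:
        parse_aiff_chunks(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("good:", is_safe_to_read(GOOD_AIFF), "bad:", is_safe_to_read(BAD_AIFF))
```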