Package: vorbis-tools
Version: 1.4.0-10+b1
Severity: important
Tags: security
bad free while running oggenc with "poc -o output" option

Running 'oggenc poc -o output' with the attached file raises a bad free (an uninitialized local value is used as a pointer), which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------
june@yuweol:~/poc/oggenc/crash1$ oggenc poc -o output
Opening with flac module: FLAC file reader
Encoding "poc" to "output" at quality 3.00
*** Error in `oggenc': free(): invalid pointer: 0x00007fff9a8ae710 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f77a7e69bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f77a7e6ffc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f77a7e7080e]
/usr/lib/x86_64-linux-gnu/libogg.so.0(oggpack_writeclear+0x12)[0x7f77a819ba32]
/usr/lib/x86_64-linux-gnu/libvorbis.so.0(vorbis_analysis_headerout+0x467)[0x7f77a892a807]
oggenc(+0x7aa7)[0x55cc5a9afaa7]
oggenc(+0x3cf6)[0x55cc5a9abcf6]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f77a7e192e1]
oggenc(+0x485a)[0x55cc5a9ac85a]
======= Memory map: ========
55cc5a9a8000-55cc5a9b9000 r-xp 00000000 08:01 2135134 /usr/bin/oggenc
55cc5abb8000-55cc5abb9000 r--p 00010000 08:01 2135134 /usr/bin/oggenc
55cc5abb9000-55cc5abba000 rw-p 00011000 08:01 2135134 /usr/bin/oggenc
55cc5c25a000-55cc5c29c000 rw-p 00000000 00:00 0 [heap]
7f77a0000000-7f77a0021000 rw-p 00000000 00:00 0
7f77a0021000-7f77a4000000 ---p 00000000 00:00 0
7f77a7be2000-7f77a7bf8000 r-xp 00000000 08:01 2235139 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7bf8000-7f77a7df7000 ---p 00016000 08:01 2235139 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df7000-7f77a7df8000 r--p 00015000 08:01 2235139 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df8000-7f77a7df9000 rw-p 00016000 08:01 2235139 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df9000-7f77a7f8c000 r-xp 00000000 08:01 2235485 /lib/x86_64-linux-gnu/libc-2.24.so
7f77a7f8c000-7f77a818c000 ---p 00193000 08:01 2235485 /lib/x86_64-linux-gnu/libc-2.24.so
7f77a818c000-7f77a8190000 r--p 00193000 08:01 2235485 /lib/x86_64-linux-gnu/libc-2.24.so
7f77a8190000-7f77a8192000 rw-p 00197000 08:01 2235485 /lib/x86_64-linux-gnu/libc-2.24.so
7f77a84a2000-7f77a86a1000 ---p 00103000 08:01 2235490 /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a1000-7f77a86a2000 r--p 00102000 08:01 2235490 /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a2000-7f77a86a3000 rw-p 00103000 08:01 2235490 /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a3000-7f77a8718000 r-xp 00000000 08:01 2106746 /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8718000-7f77a8918000 ---p 00075000 08:01 2106746 /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8918000-7f77a8919000 r--p 00075000 08:01 2106746 /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8919000-7f77a891a000 rw-p 00076000 08:01 2106746 /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a891a000-7f77a8945000 r-xp 00000000 08:01 2106748 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8945000-7f77a8b44000 ---p 0002b000 08:01 2106748 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b44000-7f77a8b45000 r--p 0002a000 08:01 2106748 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b45000-7f77a8b46000 rw-p 0002b000 08:01 2106748 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b46000-7f77a8bd3000 r-xp 00000000 08:01 2106751 /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8bd3000-7f77a8dd2000 ---p 0008d000 08:01 2106751 /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dd2000-7f77a8dee000 r--p 0008c000 08:01 2106751 /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dee000-7f77a8def000 rw-p 000a8000 08:01 2106751 /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8def000-7f77a8e12000 r-xp 00000000 08:01 2230784 /lib/x86_64-linux-gnu/ld-2.24.so
7f77a8e50000-7f77a8feb000 r--p 00000000 08:01 2116104 /usr/lib/locale/locale-archive
7f77a8feb000-7f77a8fef000 rw-p 00000000 00:00 0
7f77a900e000-7f77a9012000 rw-p 00000000 00:00 0
7f77a9012000-7f77a9013000 r--p 00023000 08:01 2230784 /lib/x86_64-linux-gnu/ld-2.24.so
7f77a9013000-7f77a9014000 rw-p 00024000 08:01 2230784 /lib/x86_64-linux-gnu/ld-2.24.so
7f77a9014000-7f77a9015000 rw-p 00000000 00:00 0
7fff9a890000-7fff9a8b1000 rw-p 00000000 00:00 0 [stack]
7fff9a934000-7fff9a936000 r--p 00000000 00:00 0 [vvar]
7fff9a936000-7fff9a938000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
-------------------------------------------
june@yuweol:~/poc/oggenc/crash1$ ~/project/analyze/bins/vorbis-tools-1.4.0/oggenc/oggenc poc -o output
Opening with flac module: FLAC file reader
Encoding "poc" to "output" at quality 3.00
=================================================================
==4965==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0fffe062dc8c in thread T0
    #0 0x7f58229ef8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x7f5821cc2a31 in oggpack_writeclear (/usr/lib/x86_64-linux-gnu/libogg.so.0+0x5a31)
    #2 0x7f5822451806 in vorbis_analysis_headerout (/usr/lib/x86_64-linux-gnu/libvorbis.so.0+0x10806)
    #3 0x559c0c0989f0 in oe_encode (/home/june/project/analyze/bins/vorbis-tools-1.4.0/oggenc/oggenc+0x159f0)
    #4 0x559c0c08ebb6 in main (/home/june/project/analyze/bins/vorbis-tools-1.4.0/oggenc/oggenc+0xbbb6)
    #5 0x7f58219402e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x559c0c090db9 in _start (/home/june/project/analyze/bins/vorbis-tools-1.4.0/oggenc/oggenc+0xddb9)

Address 0x0fffe062dc8c is located in the high shadow area.
SUMMARY: AddressSanitizer: bad-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8) in __interceptor_free
==4965==ABORTING

*********************************************************
576 int vorbis_analysis_headerout(vorbis_dsp_state *v,
577                               vorbis_comment *vc,
578                               ogg_packet *op,
579                               ogg_packet *op_comm,
580                               ogg_packet *op_code){
581   int ret=OV_EIMPL;
582   vorbis_info *vi=v->vi;
583   oggpack_buffer opb;
584   private_state *b=v->backend_state;
585
586   if(!b||vi->channels<=0){
587     ret=OV_EFAULT;
588     goto err_out;
589   }
*********************************************************
This logic can reach line 588 with an uninitialized value of opb.
*********************************************************
639  err_out:
640   memset(op,0,sizeof(*op));
641   memset(op_comm,0,sizeof(*op_comm));
642   memset(op_code,0,sizeof(*op_code));
643
644   if(b){
645     oggpack_writeclear(&opb);
*********************************************************
and it can also reach line 645.
*********************************************************
void oggpack_writeclear(oggpack_buffer *b){
  if(b->buffer)_ogg_free(b->buffer);
  memset(b,0,sizeof(*b));
}
*********************************************************
And finally this uninitialized local value reaches the free function, which causes this bad-free error.
-------------------------------------------
This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages vorbis-tools depends on:
ii  libao4           1.2.2-1
ii  libc6            2.24-17
ii  libcurl3-gnutls  7.56.1-1
ii  libflac8         1.3.2-1
ii  libogg0          1.3.2-1+b1
ii  libspeex1        1.2~rc1.2-1+b2
ii  libvorbis0a      1.3.5-4
ii  libvorbisenc2    1.3.5-4
ii  libvorbisfile3   1.3.5-4

vorbis-tools recommends no packages.

vorbis-tools suggests no packages.

-- no debconf information
poc
Description: audio/flac
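The control flow the report walks through, as an added example that is not part of the bug report and is not libvorbis or libogg code: a self-contained C file that models the uninitialised-opb path of vorbis_analysis_headerout(), with the flawed flow beside a hardened one. The struct and function names are reused from ogg.h and info.c for readability, but the bodies are a simplified model; tracked_malloc/tracked_free are an assumed stand-in for the malloc()-validity check that glibc and ASan performed above, so a free of a pointer that was never allocated is counted instead of executed, and the backend-state argument is any non-NULL pointer because the quoted check only tests it for NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OV_EFAULT (-129)   /* same numeric values as vorbis/codec.h */
#define OV_EIMPL  (-130)

/* Simplified model of libogg's oggpack_buffer (field names as in ogg.h). */
typedef struct {
    long endbyte;
    int endbit;
    unsigned char *buffer;
    unsigned char *ptr;
    long storage;
} oggpack_buffer;

/* Only the vorbis_info field the early-exit check reads. */
typedef struct { int channels; } vorbis_info;

/* Tracked allocator (assumed stand-in for glibc/ASan's check): a free() of a
 * pointer that was never handed out is counted as a bad free, not executed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int good_free_count;   /* frees of pointers we allocated */
static int bad_free_count;    /* frees of anything else: the report's bad-free */

static void reset_tracker(void) {
    memset(live, 0, sizeof live);
    good_free_count = bad_free_count = 0;
}

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] && live[i] == p) { live[i] = NULL; free(p); good_free_count++; return; }
    bad_free_count++;
}

static void oggpack_writeinit(oggpack_buffer *b) {
    memset(b, 0, sizeof(*b));
    b->ptr = b->buffer = tracked_malloc(16);
    b->storage = 16;
}

/* Same shape as the libogg function quoted in the report. */
static void oggpack_writeclear(oggpack_buffer *b) {
    if (b->buffer) tracked_free(b->buffer);
    memset(b, 0, sizeof(*b));
}

/* Flawed flow, mirroring the info.c lines quoted above: opb (line 583) is only
 * initialised on the success path, yet err_out (line 645) clears it whenever b
 * is non-NULL. With channels <= 0, whatever stale bytes the stack slot holds
 * are read as opb.buffer and handed to free(). */
static int headerout_vulnerable(const vorbis_info *vi, void *backend_state) {
    int ret = OV_EIMPL;
    oggpack_buffer opb;               /* uninitialised on purpose: the bug */
    void *b = backend_state;

    if (!b || vi->channels <= 0) {
        ret = OV_EFAULT;
        goto err_out;                 /* line 588: opb is still indeterminate */
    }
    oggpack_writeinit(&opb);
    ret = 0;                          /* header packets would be written here */

err_out:
    if (b) oggpack_writeclear(&opb);  /* line 645: frees opb.buffer, initialised or not */
    return ret;
}

/* Hardened flow: opb is zero-initialised at its declaration, so on the early
 * exit writeclear sees buffer == NULL and frees nothing. Setting b = NULL
 * before the goto, so the if(b) guard skips the clear, is an equivalent fix. */
static int headerout_fixed(const vorbis_info *vi, void *backend_state) {
    int ret = OV_EIMPL;
    oggpack_buffer opb = {0};         /* every exit path now sees a valid buffer */
    void *b = backend_state;

    if (!b || vi->channels <= 0) {
        ret = OV_EFAULT;
        goto err_out;
    }
    oggpack_writeinit(&opb);
    ret = 0;

err_out:
    if (b) oggpack_writeclear(&opb);  /* no-op on the early-exit path */
    return ret;
}

/* Scenario helpers: constructed inputs, results returned rather than printed. */
static int fixed_early_exit_frees(void) {   /* expect 0: nothing freed */
    vorbis_info no_channels = {0};          /* channels <= 0, as the PoC triggers */
    int backend;
    reset_tracker();
    if (headerout_fixed(&no_channels, &backend) != OV_EFAULT) return -1;
    return bad_free_count + good_free_count;
}

static int fixed_happy_path_frees(void) {   /* expect 1 good free, 0 bad */
    vorbis_info stereo = {2};
    int backend;
    reset_tracker();
    if (headerout_fixed(&stereo, &backend) != 0) return -1;
    return bad_free_count == 0 ? good_free_count : -1;
}

int main(void) {
    vorbis_info no_channels = {0};
    int backend;
    reset_tracker();
    headerout_vulnerable(&no_channels, &backend);
    printf("vulnerable: bad frees = %d (depends on stale stack bytes)\n", bad_free_count);
    printf("fixed: early-exit frees = %d, happy-path good frees = %d\n",
           fixed_early_exit_frees(), fixed_happy_path_frees());
    return 0;
}
```

Build with `cc -Wall -O2 example.c && ./a.out`. The vulnerable run's bad-free count is whatever the stale stack slot happened to contain, which is exactly why the crash above is a stack address (0x00007fff9a8ae710 lies inside the [stack] mapping in the memory map); the fixed run frees nothing on the early exit and exactly one buffer on the success path.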