Package: mpg123
Version: 1.31.2-1+deb12u1
Severity: normal
Tags: patch
X-Debbugs-Cc: yumkam+deb...@gmail.com
Dear Maintainer,

While trying to catch another sigsegv, noticed in valgrind report:

==107307== Invalid read of size 1
==107307==    at 0x4AE712C: strtok_r (strtok_r.c:47)
==107307==    by 0x4933B23: out123_open (libout123.c:462)
==107307==    by 0x127DB7: main (mpg123.c:1280)
==107307==  Address 0x4c0d458 is 104 bytes inside a block of size 105 free'd
==107307==    at 0x4887B40: free (vg_replace_malloc.c:872)
==107307==    by 0x5B96C97: jack_get_tmpdir (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B985D3: jack_client_open_aux (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B98AEF: jack_client_open (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B61CBB: open_jack (jack.c:427)
==107307==    by 0x4933CA3: aoopen (libout123.c:114)
==107307==    by 0x4933CA3: check_output_module (libout123.c:1156)
==107307==    by 0x4933CA3: out123_open (libout123.c:463)
==107307==    by 0x127DB7: main (mpg123.c:1280)
==107307==  Block was alloc'd at
==107307==    at 0x48850C8: malloc (vg_replace_malloc.c:381)
==107307==    by 0x4AE575F: strdup (strdup.c:42)
==107307==    by 0x5B96C1F: jack_get_tmpdir (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B985D3: jack_client_open_aux (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B98AEF: jack_client_open (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B61CBB: open_jack (jack.c:427)
==107307==    by 0x4933CA3: aoopen (libout123.c:114)
==107307==    by 0x4933CA3: check_output_module (libout123.c:1156)
==107307==    by 0x4933CA3: out123_open (libout123.c:463)
==107307==    by 0x127DB7: main (mpg123.c:1280)

Apparently, jack uses strtok and this clashes with strtok use in libout123 (with end result UAF/UB).

Patch attached.
-- System Information:
Debian Release: 12.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 6.1.0-18-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mpg123 depends on:
ii  libasound2                        1.2.8-1+b1
ii  libaudio2                         1.9.4-7
ii  libc6                             2.36-9+deb12u9
ii  libjack-jackd2-0 [libjack-0.125]  1.9.21~dfsg-3
ii  libmpg123-0                       1.31.2-1+deb12u1
ii  libopenal1                        1:1.19.1-2
ii  libout123-0                       1.31.2-1+deb12u1
ii  libportaudio2                     19.6.0-1.2
ii  libpulse0                         16.1+dfsg1-2+b1
ii  libsyn123-0                       1.31.2-1+deb12u1

mpg123 recommends no packages.

Versions of packages mpg123 suggests:
ii  alsa-utils  1.2.8-1
pn  jackd       <none>
pn  nas         <none>
pn  oss-compat  <none>
pn  oss4-base   <none>
pn  pulseaudio  <none>

-- no debconf information
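The clash described in the report, reproduced in miniature as an added example (this is not mpg123 or libjack code). fake_jack_open() is a hypothetical stand-in for jack_client_open(): like jack_get_tmpdir() in the trace it tokenises a buffer of its own with strtok(), which overwrites the single process-wide saved pointer, and it reports failure so the caller moves on to the next module. Its buffer is static rather than strdup()'d and freed, so the pre-patch loop silently drops "pulse" instead of reading freed memory, while the strtok_r() loop with a caller-owned save pointer visits every module. The module list and the path are constructed sample values.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strtok_r() */
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for jack_client_open(). It tokenises a constructed
 * sample path with strtok(), which replaces the process-wide saved pointer.
 * The buffer is static instead of strdup()'d and freed, so the caller's next
 * strtok(NULL, ...) lands on a harmless '\0' rather than on freed memory.
 * Returns 0 ("could not open") so the caller tries the next module. */
static int fake_jack_open(void)
{
    static char tmpdir[32];
    strcpy(tmpdir, "/tmp/jack-1000");
    for (char *t = strtok(tmpdir, "/"); t; t = strtok(NULL, "/"))
        ;                   /* consume everything: saved pointer now at tmpdir's '\0' */
    return 0;
}

/* Record a visited module name in joined as "a|b|c"; joined may be NULL. */
static void record(char *joined, size_t cap, const char *name)
{
    if (!joined || cap == 0)
        return;
    if (joined[0] != '\0')
        strncat(joined, "|", cap - strlen(joined) - 1);
    strncat(joined, name, cap - strlen(joined) - 1);
}

/* Pre-patch shape of the out123_open() loop: strtok() with global state.
 * Returns how many module names the loop actually tried. */
int try_modules_strtok(const char *list, char *joined, size_t cap)
{
    char buf[64];
    int tried = 0, opened = 0;
    snprintf(buf, sizeof buf, "%s", list);
    if (joined && cap) joined[0] = '\0';
    char *next = strtok(buf, ",");
    while (!opened && next) {
        char *cur = next;
        next = strtok(NULL, ",");   /* after an open attempt this continues in libjack's buffer */
        record(joined, cap, cur);
        tried++;
        opened = fake_jack_open();
    }
    return tried;
}

/* Patched shape: strtok_r() keeps the position in a caller-owned pointer,
 * so nothing the module does with strtok() can disturb it. */
int try_modules_strtok_r(const char *list, char *joined, size_t cap)
{
    char buf[64], *save;
    int tried = 0, opened = 0;
    snprintf(buf, sizeof buf, "%s", list);
    if (joined && cap) joined[0] = '\0';
    char *next = strtok_r(buf, ",", &save);
    while (!opened && next) {
        char *cur = next;
        next = strtok_r(NULL, ",", &save);
        record(joined, cap, cur);
        tried++;
        opened = fake_jack_open();
    }
    return tried;
}

int main(void)
{
    char got[64];
    try_modules_strtok("jack,alsa,pulse", got, sizeof got);
    printf("strtok:   %s\n", got);      /* jack|alsa   ("pulse" silently lost) */
    try_modules_strtok_r("jack,alsa,pulse", got, sizeof got);
    printf("strtok_r: %s\n", got);      /* jack|alsa|pulse */
    return 0;
}
```

The lost module is the benign version of the report's failure: with the real libjack the buffer is freed, so the same strtok(NULL, ",") reads freed memory, which is exactly the "Invalid read" valgrind attributes to libout123.c:462. Any strtok() user in a process that calls into third-party libraries between tokens is exposed in the same way; strtok_r() (or a hand-rolled scanner over the buffer) is the portable fix.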
From: Yuriy Kaminskiy <yumkam+deb...@gmail.com>

Apparently, libjack uses strtok, and subsequent calls result in UAF

==107307== Invalid read of size 1
==107307==    at 0x4AE712C: strtok_r (strtok_r.c:47)
==107307==    by 0x4933B23: out123_open (libout123.c:462)
==107307==    by 0x127DB7: main (mpg123.c:1280)
==107307==  Address 0x4c0d458 is 104 bytes inside a block of size 105 free'd
==107307==    at 0x4887B40: free (vg_replace_malloc.c:872)
==107307==    by 0x5B96C97: jack_get_tmpdir (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B985D3: jack_client_open_aux (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B98AEF: jack_client_open (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B61CBB: open_jack (jack.c:427)
==107307==    by 0x4933CA3: aoopen (libout123.c:114)
==107307==    by 0x4933CA3: check_output_module (libout123.c:1156)
==107307==    by 0x4933CA3: out123_open (libout123.c:463)
==107307==    by 0x127DB7: main (mpg123.c:1280)
==107307==  Block was alloc'd at
==107307==    at 0x48850C8: malloc (vg_replace_malloc.c:381)
==107307==    by 0x4AE575F: strdup (strdup.c:42)
==107307==    by 0x5B96C1F: jack_get_tmpdir (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B985D3: jack_client_open_aux (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B98AEF: jack_client_open (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B61CBB: open_jack (jack.c:427)
==107307==    by 0x4933CA3: aoopen (libout123.c:114)
==107307==    by 0x4933CA3: check_output_module (libout123.c:1156)
==107307==    by 0x4933CA3: out123_open (libout123.c:463)
==107307==    by 0x127DB7: main (mpg123.c:1280)

Index: mpg123-1.32.9/src/libout123/libout123.c
===================================================================
--- mpg123-1.32.9.orig/src/libout123/libout123.c
+++ mpg123-1.32.9/src/libout123/libout123.c
@@ -455,11 +455,12 @@ out123_open(out123_handle *ao, const cha } /* Now loop over the list of possible modules to find one that works. */ - nextname = strtok(modnames, ","); + char *r; + nextname = strtok_r(modnames, ",", &r); while(!ao->open && nextname) { char *curname = nextname; - nextname = strtok(NULL, ","); + nextname = strtok_r(NULL, ",", &r); check_output_module(ao, curname, device, !nextname); if(ao->open) {
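Review bot: the new `char *r;` declaration is placed mid-block and the name says nothing about its role; `char *saveptr = NULL;` alongside the function's other declarations would match the POSIX manual's naming and keep the file's declaration style. The replacement itself is correct: once the position lives in a caller-owned pointer, libjack's own strtok() calls inside check_output_module() can no longer redirect the loop's next strtok_r(NULL, ",", &r) into the buffer jack_get_tmpdir() has already freed. Two things worth stating in the patch description: strtok_r() is POSIX rather than ISO C, so the build's feature-test macros (or an existing compatibility definition) must declare it on every platform libout123 targets; and the underlying defect, a strtok() walk over a strdup()'d buffer that is then freed, remains in libjack, so this change hardens libout123 but does not remove the hazard for other callers of jack_client_open().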