Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wavpack crashes -- many Heap buffer overwrites #30

Closed
thuanpv opened this issue Apr 22, 2018 · 0 comments
Closed

wavpack crashes -- many Heap buffer overwrites #30

thuanpv opened this issue Apr 22, 2018 · 0 comments
Assignees
@dbry

Comments

@thuanpv
Copy link

thuanpv commented Apr 22, 2018

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. This has many heap buffer overwrites could lead to denial of service and potentially code execution.

This bug was found on Ubuntu 16.04 64-bit & WavPack revision 0a7295 (HEAD)

To reproduce:
Download & extract the attached file - wavpack_crash1.wav
wavpack -y wavpack_crash1.wav

Error message:

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

creating wavpack_crash1.wv,*** Error in `../WavPack/cli/wavpack': free(): invalid size: 0x0000000001dc4740 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f25b9a987e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f25b9aa137a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f25b9aa553c]
../WavPack/cli/wavpack[0x49080c]
../WavPack/cli/wavpack[0x4a0051]
../WavPack/cli/wavpack[0x4acd7e]
../WavPack/cli/wavpack[0x43565d]
../WavPack/cli/wavpack[0x407443]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f25b9a41830]
../WavPack/cli/wavpack[0x416bf9]
======= Memory map: ========
00400000-00536000 r-xp 00000000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
00736000-00737000 r--p 00136000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
00737000-00738000 rw-p 00137000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
01cb9000-01ded000 rw-p 00000000 00:00 0                                  [heap]
7f25b4000000-7f25b4021000 rw-p 00000000 00:00 0 
7f25b4021000-7f25b8000000 ---p 00000000 00:00 0 
7f25b980a000-7f25b9820000 r-xp 00000000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f25b9820000-7f25b9a1f000 ---p 00016000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f25b9a1f000-7f25b9a20000 r--p 00015000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f25b9a20000-7f25b9a21000 rw-p 00016000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f25b9a21000-7f25b9be1000 r-xp 00000000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f25b9be1000-7f25b9de1000 ---p 001c0000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f25b9de1000-7f25b9de5000 r--p 001c0000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f25b9de5000-7f25b9de7000 rw-p 001c4000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f25b9de7000-7f25b9deb000 rw-p 00000000 00:00 0 
7f25b9deb000-7f25b9ef3000 r-xp 00000000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f25b9ef3000-7f25ba0f2000 ---p 00108000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f25ba0f2000-7f25ba0f3000 r--p 00107000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f25ba0f3000-7f25ba0f4000 rw-p 00108000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f25ba0f4000-7f25ba11a000 r-xp 00000000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f25ba177000-7f25ba30d000 rw-p 00000000 00:00 0 
7f25ba318000-7f25ba319000 rw-p 00000000 00:00 0 
7f25ba319000-7f25ba31a000 r--p 00025000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f25ba31a000-7f25ba31b000 rw-p 00026000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f25ba31b000-7f25ba31c000 rw-p 00000000 00:00 0 
7ffe8087d000-7ffe8089e000 rw-p 00000000 00:00 0                          [stack]
7ffe809c1000-7ffe809c3000 r--p 00000000 00:00 0                          [vvar]
7ffe809c3000-7ffe809c5000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Valgrind says:

==165383== Memcheck, a memory error detector
==165383== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==165383== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==165383== Command: ../WavPack/cli/wavpack -y wavpack_crash1.wav
==165383== 

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

creating wavpack_crash1.wv,==165383== Invalid write of size 2
==165383==    at 0x4C868F: flush_word (write_words.c:502)
==165383==    by 0x4C868F: send_words_lossless (write_words.c:405)
==165383==    by 0x4854CB: pack_samples (pack.c:1159)
==165383==    by 0x48F5F7: pack_block (pack.c:638)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383==  Address 0x57aae76 is 18,166 bytes inside a block of size 18,167 alloc'd
==165383==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==165383==    by 0x49FF3D: pack_streams (pack_utils.c:928)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383== 
==165383== Invalid write of size 2
==165383==    at 0x4C2203: flush_word (write_words.c:502)
==165383==    by 0x4C87CB: send_words_lossless (write_words.c:438)
==165383==    by 0x4854CB: pack_samples (pack.c:1159)
==165383==    by 0x48F5F7: pack_block (pack.c:638)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383==  Address 0x57aae7a is 3 bytes after a block of size 18,167 alloc'd
==165383==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==165383==    by 0x49FF3D: pack_streams (pack_utils.c:928)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383== Invalid write of size 2
==165383==    at 0x4CA406: flush_word (write_words.c:486)
==165383==    by 0x4CA406: send_words_lossless (write_words.c:405)
==165383==    by 0x4854CB: pack_samples (pack.c:1159)
==165383==    by 0x48F5F7: pack_block (pack.c:638)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383==  Address 0x57aae82 is 11 bytes after a block of size 18,167 alloc'd
==165383==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==165383==    by 0x49FF3D: pack_streams (pack_utils.c:928)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383== 
==165383== Invalid write of size 2
==165383==    at 0x4CA712: flush_word (write_words.c:497)
==165383==    by 0x4CA712: send_words_lossless (write_words.c:405)
==165383==    by 0x4854CB: pack_samples (pack.c:1159)
==165383==    by 0x48F5F7: pack_block (pack.c:638)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383==  Address 0x57aae98 is 24 bytes after a block of size 18,176 in arena "client"
==165383== 
==165383== Invalid write of size 1
==165383==    at 0x49085C: pack_block (pack.c:684)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383==  Address 0x57ac282 is 5,058 bytes inside a block of size 34,144 free'd
==165383==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==165383==    by 0x49080B: pack_block (pack.c:680)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383==  Block was alloc'd at
==165383==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==165383==    by 0x490C9E: pack_block (pack.c:572)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
...
==165383== Invalid write of size 1
==165383==    at 0x4908AC: pack_block (pack.c:691)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383==  Address 0x57ac289 is 5,065 bytes inside a block of size 34,144 free'd
==165383==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==165383==    by 0x49080B: pack_block (pack.c:680)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383==  Block was alloc'd at
==165383==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==165383==    by 0x490C9E: pack_block (pack.c:572)
==165383==    by 0x4A0050: pack_streams (pack_utils.c:951)
==165383==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==165383==    by 0x43565C: pack_audio (wavpack.c:2356)
==165383==    by 0x43565C: pack_file (wavpack.c:1891)
==165383==    by 0x407442: main (wavpack.c:1272)
==165383== 
output buffer overflowed!

ASAN says:

creating wavpack_crash1.wv,pack_utils.c:344:36: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
write_words.c:502:9: runtime error: left shift of 32939638 by 13 places cannot be represented in type 'int'
=================================================================
==165894==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000098f6 at pc 0x000000495f60 bp 0x7ffd5c6be3d0 sp 0x7ffd5c6be3c0
WRITE of size 2 at 0x6290000098f6 thread T0
    #0 0x495f5f in flush_word /home/thuan/subjects/WavPack-asan/src/write_words.c:502
    #1 0x49169f in send_words_lossless /home/thuan/subjects/WavPack-asan/src/write_words.c:405
    #2 0x45a842 in pack_samples /home/thuan/subjects/WavPack-asan/src/pack.c:1136
    #3 0x4541ba in pack_block /home/thuan/subjects/WavPack-asan/src/pack.c:638
    #4 0x47919f in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:951
    #5 0x4770b9 in WavpackPackSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:677
    #6 0x40ff19 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2356
    #7 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
    #8 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
    #9 0x7f30f112182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x402528 in _start (/home/thuan/subjects/WavPack-asan/cli/wavpack+0x402528)

0x6290000098f7 is located 0 bytes to the right of 18167-byte region [0x629000005200,0x6290000098f7)
allocated by thread T0 here:
    #0 0x7f30f25b9f70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
    #1 0x478bb3 in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:928
    #2 0x4770b9 in WavpackPackSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:677
    #3 0x40ff19 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2356
    #4 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
    #5 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
    #6 0x7f30f112182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/subjects/WavPack-asan/src/write_words.c:502 in flush_word
Shadow bytes around the buggy address:
  0x0c527fff92c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff92d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff92e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff92f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff9310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]fa
  0x0c527fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Regards,

Thuan
wavpack_crash1.wav.tar.gz
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dbry dbry

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thuanpv @dbry