
Bug#883198: marked as done (bs1770gain: use after free while running bs1770gain with "poc output" option)



Your message dated Thu, 17 Jan 2019 22:35:45 +0100
with message-id <sa67ef3vufi.fsf@meta.reinholdtsen.name>
and subject line Fixed in version 0.5.0
has caused the Debian Bug report #883198,
regarding bs1770gain: use after free while running bs1770gain with "poc output" option
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
883198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883198
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: bs1770gain
Version: 0.4.12-2+b1
Severity: important
Tags: security

use after free while running bs1770gain with "poc output" option

Running 'bs1770gain poc output' with the attached file raises a use after free,
which may allow a remote attacker to cause a denial-of-service attack or other unspecified
impact with a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------

june@yuweol:~/workspace/bugre/poc/bs1770gain/1$ ~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc output
analyzing ...
  [1/1] "poc": Error finding decoder: ffsox_frame_reader_create(), "ffsox_frame_reader.c" (41).
Error creating frame reader: ffsox_frame_reader_new(), "ffsox_frame_reader.c" (92).
Error creating frame reader: ffsox_analyze(), "ffsox_analyze.c" (68).
=================================================================
==10074==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000640 at pc 0x555555582800 bp 0x7fffffffda60 sp 0x7fffffffda58
READ of size 8 at 0x610000000640 thread T0
    #0 0x5555555827ff in ffsox_packet_consumer_list_free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff)
    #1 0x55555559b91a in pbu_list_free_full (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x4791a)
    #2 0x5555555773fe in ffsox_source_link_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x233fe)
    #3 0x5555555762b5 in source_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x222b5)
    #4 0x555555570a2f in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1ca2f)
    #5 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #6 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #7 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x5555555614e9 in _start (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

0x610000000640 is located 0 bytes inside of 184-byte region [0x610000000640,0x6100000006f8)
freed by thread T0 here:
    #0 0x7ffff6eff8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55555557393b in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f93b)
    #2 0x55555556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
    #3 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #4 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #5 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x7ffff6effc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x555555573841 in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f841)
    #2 0x55555556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
    #3 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #4 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #5 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff) in ffsox_packet_consumer_list_free
Shadow bytes around the buggy address:
  0x0c207fff8070: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c207fff8080: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c207fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff80b0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c207fff80c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c207fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10074==ABORTING

-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bs1770gain depends on:
ii  libavcodec57    7:3.4-3
ii  libavformat57   7:3.4-3
ii  libavutil55     7:3.4-3
ii  libc6           2.24-17
ii  libsox3         14.4.2-2
ii  libswresample2  7:3.4-3

bs1770gain recommends no packages.

bs1770gain suggests no packages.

-- no debconf information

Attachment: poc
Description: Binary data


--- End Message ---
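The ASan report in the message above shows the shape of the bug class: the 184-byte region is both allocated and freed inside ffsox_frame_reader_new (the error path after "Error finding decoder"), yet ffsox_packet_consumer_list_free later reaches it through a list that source cleanup walks. The following is an added C illustration of that ownership pattern and of the fix (publish the object only once it is fully built); it uses hypothetical names and is not bs1770gain's code.

```c
#include <stdlib.h>

/* Constructed illustration of the bug class, not bs1770gain's code: a
 * constructor registers a half-built object in a caller-owned list, then
 * frees it on its error path without unregistering it. Names are hypothetical. */

typedef struct frame_reader {
    int codec_id;   /* stands in for the decoder the constructor failed to find */
    char *buf;
} frame_reader_t;

typedef struct consumer_node {
    frame_reader_t *reader;
    struct consumer_node *next;
} consumer_node_t;

typedef struct consumer_list { consumer_node_t *head; size_t len; } consumer_list_t;

static void list_push(consumer_list_t *l, frame_reader_t *r) {
    consumer_node_t *n = malloc(sizeof *n);
    n->reader = r; n->next = l->head; l->head = n; l->len++;
}

static void frame_reader_free(frame_reader_t *r) { free(r->buf); free(r); }

/* Buggy ordering: register first, free on failure, never unregister.
 * The list now holds a dangling pointer that the later cleanup walk reads. */
frame_reader_t *frame_reader_new_buggy(consumer_list_t *l, int find_decoder_ok) {
    frame_reader_t *r = calloc(1, sizeof *r);
    r->buf = malloc(64);
    list_push(l, r);                                   /* published too early */
    if (!find_decoder_ok) { frame_reader_free(r); return NULL; }  /* dangling */
    return r;
}

/* Fixed ordering: free on the error path before the object is ever visible
 * to anyone else, and publish it only once construction has succeeded. */
frame_reader_t *frame_reader_new_fixed(consumer_list_t *l, int find_decoder_ok) {
    frame_reader_t *r = calloc(1, sizeof *r);
    r->buf = malloc(64);
    if (!find_decoder_ok) { frame_reader_free(r); return NULL; }  /* not in list */
    list_push(l, r);
    return r;
}

/* The cleanup walk that ASan caught: each node's reader is dereferenced and
 * freed, so a dangling entry becomes a heap-use-after-free. Returns the count. */
size_t consumer_list_free(consumer_list_t *l) {
    size_t freed = 0;
    while (l->head) {
        consumer_node_t *n = l->head; l->head = n->next;
        frame_reader_free(n->reader);
        free(n); freed++;
    }
    l->len = 0;
    return freed;
}
```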
--- Begin Message ---
Version: 0.5.1-1

I believe this problem was fixed in version 0.5.0.  Please reopen if
this proves to be wrong.

-- 
Happy hacking
Petter Reinholdtsen

--- End Message ---
