Buffer Over-read in hpjansson/chafa
Reported on
Apr 29th 2022
Description
Buffer Over-read in hpjansson/chafa at xwd-loader.c:185
Build
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./autogen.sh
./configure --disable-shared
make
POC
./tools/chafa/chafa ./poc.png
Asan
=================================================================
==599666==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffd284 at pc 0x0000004ec1cf bp 0x7fffffffd1f0 sp 0x7fffffffd1e8
READ of size 4 at 0x7fffffffd284 thread T0
#0 0x4ec1ce in load_header /home/fuzz/fuzz/chafa/tools/chafa/xwd-loader.c:185:19
#1 0x4eac61 in xwd_loader_new_from_mapping /home/fuzz/fuzz/chafa/tools/chafa/xwd-loader.c:250:10
#2 0x4e835b in media_loader_new /home/fuzz/fuzz/chafa/tools/chafa/media-loader.c:213:30
#3 0x4d956a in run_generic /home/fuzz/fuzz/chafa/tools/chafa/chafa.c:1632:20
#4 0x4d8e1c in run /home/fuzz/fuzz/chafa/tools/chafa/chafa.c:1790:12
#5 0x4cf5ba in run_all /home/fuzz/fuzz/chafa/tools/chafa/chafa.c:1847:25
#6 0x4cc8ef in main /home/fuzz/fuzz/chafa/tools/chafa/chafa.c:1891:11
#7 0x7ffff67ab0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x42036d in _start (/home/fuzz/fuzz/chafa/tools/chafa/chafa+0x42036d)
Address 0x7fffffffd284 is located in stack of thread T0 at offset 132 in frame
#0 0x4eb11f in load_header /home/fuzz/fuzz/chafa/tools/chafa/xwd-loader.c:171
This frame has 1 object(s):
[32, 132) 'in' (line 173) <== Memory access at offset 132 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/fuzz/chafa/tools/chafa/xwd-loader.c:185:19 in load_header
Shadow bytes around the buggy address:
0x10007fff7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7a40: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7a50:[04]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10007fff7a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==599666==ABORTING
Impact
A crafted image file handed to chafa triggers an out-of-bounds read on the stack inside the XWD header parser. This vulnerability is capable of causing a denial of service (crash).
Good find, thanks. Despite GLib's convention of macro identifiers being uppercase, g_ntohl() is actually a macro. It has multiple implementations, of which one is selected based on the compilation environment: If OPTIMIZE is defined and the target is i386 or x86_64, an optimized version is used that evaluates its argument only once. Otherwise a generic implementation is used that evaluates the argument several times, causing the pointer to be incremented repeatedly.
This bug will manifest in unoptimized builds and on non-x86 platforms.
I'll have a fix shortly.
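The mechanism hpjansson describes, as an added illustration rather than code from chafa or GLib: a byte-swap macro in the shape of GLib's generic fallback, applied to an argument that has a side effect. The page does not show the source at xwd-loader.c:185, so the loop `out[i] = NTOHL_MACRO (next_word (&c))` is an assumed shape of the original walk over the 100-byte stack copy of the header (the XWD file header is 25 big-endian 32-bit words), and the bounds-checked `Cursor` stands in for the raw pointer so that the over-read is counted instead of performed. The macro itself is a re-creation, not GLib's source, and the decoded values assume a little-endian host like the x86-64 machine in the ASan log above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEADER_WORDS 25                 /* XWD file header: 25 big-endian 32-bit words */
#define HEADER_BYTES (HEADER_WORDS * 4) /* 100 bytes, the size ASan reports for 'in' */

/* Byte-swap macro shaped like GLib's generic fallback (the one selected when
 * __OPTIMIZE__ is off or the target is not x86). Illustrative re-creation,
 * not GLib's source. 'val' is expanded four times, so any side effect in the
 * argument happens four times. */
#define NTOHL_MACRO(val)                           \
    ((((uint32_t)(val) & 0x000000ffU) << 24) |     \
     (((uint32_t)(val) & 0x0000ff00U) <<  8) |     \
     (((uint32_t)(val) & 0x00ff0000U) >>  8) |     \
     (((uint32_t)(val) & 0xff000000U) >> 24))

/* The same conversion as a function: the argument is evaluated exactly once. */
static inline uint32_t ntohl_once (uint32_t v) { return NTOHL_MACRO (v); }

/* Bounds-checked cursor standing in for the raw pointer walk over the header
 * copy. Instead of reading past the buffer (what ASan caught), it returns 0
 * and records the over-read. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;        /* byte offset of the next word to fetch */
    size_t overreads;  /* words requested at or beyond 'len' */
    size_t first_bad;  /* byte offset of the first over-read, or SIZE_MAX */
} Cursor;

static uint32_t next_word (Cursor *c)
{
    uint32_t raw = 0;
    if (c->pos + 4 <= c->len) {
        memcpy (&raw, c->buf + c->pos, 4);  /* bytes kept in file (big-endian) order */
    } else {
        if (c->overreads == 0)
            c->first_bad = c->pos;
        c->overreads++;
    }
    c->pos += 4;
    return raw;
}

/* Bug pattern (assumed shape of the original loop): the cursor-advancing read
 * is the macro argument, so it runs four times per field and the walk overshoots. */
static size_t parse_header_buggy (Cursor *c, uint32_t out[HEADER_WORDS])
{
    for (int i = 0; i < HEADER_WORDS; i++)
        out[i] = NTOHL_MACRO (next_word (c));
    return c->overreads;
}

/* Fix: perform the side effect once, then convert the plain value. */
static size_t parse_header_fixed (Cursor *c, uint32_t out[HEADER_WORDS])
{
    for (int i = 0; i < HEADER_WORDS; i++) {
        uint32_t raw = next_word (c);
        out[i] = ntohl_once (raw);
    }
    return c->overreads;
}

/* Constructed sample, not a real XWD file: word i holds i + 1 in big-endian order. */
static void make_sample_header (uint8_t buf[HEADER_BYTES])
{
    for (int i = 0; i < HEADER_WORDS; i++) {
        buf[4 * i] = 0; buf[4 * i + 1] = 0; buf[4 * i + 2] = 0;
        buf[4 * i + 3] = (uint8_t) (i + 1);
    }
}

/* Run one parser over the sample and hand back the cursor state for inspection. */
static Cursor run_sample (int use_macro, uint32_t out[HEADER_WORDS])
{
    static uint8_t buf[HEADER_BYTES];
    make_sample_header (buf);
    Cursor c = { buf, HEADER_BYTES, 0, 0, SIZE_MAX };
    if (use_macro) parse_header_buggy (&c, out); else parse_header_fixed (&c, out);
    return c;
}

static size_t   buggy_overreads (void) { uint32_t o[HEADER_WORDS]; return run_sample (1, o).overreads; }
static size_t   buggy_first_bad (void) { uint32_t o[HEADER_WORDS]; return run_sample (1, o).first_bad; }
static size_t   fixed_overreads (void) { uint32_t o[HEADER_WORDS]; return run_sample (0, o).overreads; }
static uint32_t fixed_field (int i)    { uint32_t o[HEADER_WORDS]; run_sample (0, o); return o[i]; }

int main (void)
{
    printf ("macro: %zu over-reads, first at byte %zu of a %d-byte header\n",
            buggy_overreads (), buggy_first_bad (), HEADER_BYTES);
    printf ("fixed: %zu over-reads, field 24 = %u\n", fixed_overreads (), fixed_field (24));
    return 0;
}
```

With the macro, 25 fields cause 100 word fetches and the first out-of-range fetch lands at byte 100, one word past the header copy, which lines up with the ASan report above (access at offset 132 of a frame whose `in` object spans [32, 132)). The fixed loop fetches each word into a local before converting it, which is the general rule for any macro that may expand its argument more than once: a lowercase name is no guarantee that it is a function. This also explains the maintainer's observation that an optimized x86 build hides the bug while the -O0 fuzzing build in the report exposes it.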
@admin can we get a CVE for this? This project is distributed as packages in major Linux distros - Debian and such.
We sure can - I just require the permission of the maintainer to assign and publish a CVE.
@hpjansson - are you happy for me to assign and publish a CVE for this report?