Package: libisofs6
Version: 1.3.2-1.1
Usertags: afl

xorriso crashes trying to read the attached ISO 9660 image:

$ xorriso -signal_handling off -dev crash.iso -ls
xorriso 1.3.2 : RockRidge filesystem manipulator, libburnia project.

libisoburn: WARNING : ISO image size 311s larger than readable size 308s
xorriso : NOTE : Loading ISO image tree from LBA 0
Segmentation fault


The crash can be reproduced using the libisofs demo, so I assume the bug lies in the library itself. GDB says it's a null pointer dereference:

Program received signal SIGSEGV, Segmentation fault.
0xf7e61a3e in iso_file_source_lstat (src=0x8261b00, info=0xffffd490) at 
libisofs/fsource.c:67
67          return src->class->lstat(src, info);
(gdb) print src->class
$1 = (const IsoFileSourceIface *) 0x0
(gdb) bt
#0  0xf7e61a3e in iso_file_source_lstat (src=0x8261b00, info=0xffffd490) at 
libisofs/fsource.c:67
#1  0xf7e68042 in iso_image_import (image=0x804c070, src=0x804c600, 
opts=0x804c5d8, features=0xffffd548) at libisofs/fs_image.c:3578
#2  0xf7edaf0d in isoburn_read_image (d=0xf7dde300 <drive_array>, 
read_opts=0x804c4f0, image=0xffffd5ec) at libisoburn/isofs_wrap.c:301
#3  0xf7f3311e in Xorriso_aquire_drive (xorriso=0xf77a7008, adr=0x804ba30 "crash.iso", 
show_adr=0x804ba30 "crash.iso", flag=3) at xorriso/drive_mgt.c:533
#4  0xf7f17679 in Xorriso_option_dev (xorriso=0xf77a7008, in_adr=0x804ba30 
"crash.iso", flag=3) at xorriso/opts_d_h.c:116
#5  0xf7f0a80c in Xorriso_interpreter (xorriso=0xf77a7008, argc=6, 
argv=0x804b9c0, idx=0xffffd79c, flag=2) at xorriso/parse_exec.c:1185
#6  0x08048b1f in main (argc=6, argv=0x804b9c0) at xorriso/xorriso_main.c:265


This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the first crash (which took a few minutes). It's likely that extensive fuzzing would uncover more interesting crashers. I'd encourage libisofs maintainers to perform fuzzing with AFL on their own. :-)


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libisofs6 depends on:
ii  libacl1  2.2.52-2
ii  libc6    2.19-13
ii  libjte1  1.20-1
ii  zlib1g   1:1.2.8.dfsg-2+b1

--
Jakub Wilk

Attachment: crash.iso.xz
Description: application/xz
