Package: libisofs6
Version: 1.4.6-1

xorriso crashes on the attached ISO file:

  $ xorriso -indev overflow.iso -ls
  xorriso 1.4.6 : RockRidge filesystem manipulator, libburnia project.

  libisoburn: WARNING : ISO image size 808464432s larger than readable size 20s
  xorriso : NOTE : Loading ISO image tree from LBA 0

  UNIX-SIGNAL:  SIGSEGV  errno= 2
  xorriso : ABORT : Trying to shut down drive and library
  xorriso : ABORT : Wait the normal burning time before any kill -9
  *** Error in `xorriso': malloc(): memory corruption: 0x57a08340 ***
  ...
  Aborted

Valgrind says it's a heap-based buffer overflow:

  Invalid write of size 1
     at 0x49A9B0F: read_aaip_AL (rockridge_read.c:564)
     by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
     by 0x49865CE: read_dir (fs_image.c:647)
     by 0x49865CE: ifs_open (fs_image.c:718)
     by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
     by 0x498DE91: iso_image_import (fs_image.c:5868)
     by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
     by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
     by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
     by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
     by 0x108BA6: main (xorriso_main.c:265)
   Address 0x51117cc is 0 bytes after a block of size 4 alloc'd
     at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
     by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
     by 0x49865CE: read_dir (fs_image.c:647)
     by 0x49865CE: ifs_open (fs_image.c:718)
     by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
     by 0x498DE91: iso_image_import (fs_image.c:5868)
     by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
     by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
     by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
     by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
     by 0x108BA6: main (xorriso_main.c:265)

  Invalid write of size 4
     at 0x49A9B2B: memcpy (string3.h:53)
     by 0x49A9B2B: read_aaip_AL (rockridge_read.c:567)
     by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
     by 0x49865CE: read_dir (fs_image.c:647)
     by 0x49865CE: ifs_open (fs_image.c:718)
     by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
     by 0x498DE91: iso_image_import (fs_image.c:5868)
     by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
     by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
     by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
     by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
     by 0x108BA6: main (xorriso_main.c:265)
   Address 0x51117cd is 1 bytes after a block of size 4 alloc'd
     at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
     by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
     by 0x49865CE: read_dir (fs_image.c:647)
     by 0x49865CE: ifs_open (fs_image.c:718)
     by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
     by 0x498DE91: iso_image_import (fs_image.c:5868)
     by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
     by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
     by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
     by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
     by 0x108BA6: main (xorriso_main.c:265)

  Invalid write of size 4
     at 0x49A9B42: memcpy (string3.h:53)
     by 0x49A9B42: read_aaip_AL (rockridge_read.c:567)
     by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
     by 0x49865CE: read_dir (fs_image.c:647)
     by 0x49865CE: ifs_open (fs_image.c:718)
     by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
     by 0x498DE91: iso_image_import (fs_image.c:5868)
     by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
     by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
     by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
     by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
     by 0x108BA6: main (xorriso_main.c:265)
   Address 0x51117d0 is 4 bytes after a block of size 4 alloc'd
     at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
     by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
     by 0x49865CE: read_dir (fs_image.c:647)
     by 0x49865CE: ifs_open (fs_image.c:718)
     by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
     by 0x498DE91: iso_image_import (fs_image.c:5868)
     by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
     by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
     by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
     by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
     by 0x108BA6: main (xorriso_main.c:265)

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libisofs6 depends on:
ii  libacl1  2.2.52-3+b1
ii  libc6    2.24-14
ii  libjte1  1.20-2+b1
ii  zlib1g   1:1.2.8.dfsg-5

--
Jakub Wilk

Attachment: overflow.iso.gz
Description: application/gzip