Home Original page

buffer-overflow in /ext/fileinfo/libmagic/readcdf.c caught by AddressSanitizer

Sec Bug #68224 buffer-overflow in /ext/fileinfo/libmagic/readcdf.c caught by AddressSanitizer
Submitted: 2014-10-14 07:46 UTC Modified: 2014-10-22 13:29 UTC
From: david dot kurz at majorsecurity dot com Assigned: remi (profile)
Status: Closed Package: Filesystem function related
PHP Version: 5.6.1 OS: Ubuntu 14.04
Private report: No CVE-ID: None

 [2014-10-14 07:46 UTC] david dot kurz at majorsecurity dot com

Description:
------------
While running the tests of php 5.6.1 on Ubuntu AddressSanitizer caught a buffer-overflow in /ext/fileinfo/libmagic/readcdf.c while testing /ext/fileinfo/tests/finfo_file_002.phpt.

Dump:
================================================================================
/data/home/secalert/research/php-5.6.1/ext/fileinfo/tests/finfo_file_002.phpt
================================================================================
=================================================================
==11107== ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000016f1008 at pc 0x74eb9e bp 0x7fff06445fe0 sp 0x7fff06445fd8
READ of size 8 at 0x0000016f1008 thread T0
    #0 0x74eb9d (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x74eb9d)
    #1 0x74b3f8 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x74b3f8)
    #2 0x74c9c9 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x74c9c9)
    #3 0x728dc1 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x728dc1)
    #4 0xe0bee4 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xe0bee4)
    #5 0xc84fdf (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xc84fdf)
    #6 0xbc5bbe (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xbc5bbe)
    #7 0xa948de (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xa948de)
    #8 0xe108af (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xe108af)
    #9 0x4383b0 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x4383b0)
    #10 0x2aeb63c71ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #11 0x438956 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x438956)
0x0000016f1008 is located 24 bytes to the left of global variable 'name2desc (/data/home/secalert/research/php-5.6.1/ext/fileinfo/libmagic/readcdf.c)' (0x16f1020) of size 64
0x0000016f1008 is located 16 bytes to the right of global variable 'clsid2mime (/data/home/secalert/research/php-5.6.1/ext/fileinfo/libmagic/readcdf.c)' (0x16f0fe0) of size 24
Shadow bytes around the buggy address:
  0x0000802d61b0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000802d61c0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000802d61d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802d61e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802d61f0: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9
=>0x0000802d6200: f9[f9]f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0000802d6210: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000802d6220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802d6230: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0000802d6240: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0000802d6250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==11107== ABORTING


================================================================================
BUILD ENVIRONMENT
================================================================================
OS:
Linux - Linux isdeblnwl141 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64
...
Compiler:
Using built-in specs.
COLLECT_GCC=cc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.2-19ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.8 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) 
...
Configure Command =>  './configure'  'CFLAGS=-fsanitize=address '-O2' '-ggdb'' 'LDFLAGS=-fsanitize=address'
...




Test script:
---------------
/php-5.6.1/ext/fileinfo/tests/finfo_file_002.phpt

Expected result:
----------------
The test should run successfull.

Actual result:
--------------
a buffer-overflow occurs.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2014-10-14 08:49 UTC] stas@php.net

Shouldn't this be reported upstream to fileinfo maintainers? 

Also, a backtrace from a binary compiled with debug information (line numbers, filenames, etc.) would be helpful.

 [2014-10-14 21:53 UTC] david dot kurz at majorsecurity dot com

Steps to reproduce:

1) get php 5.6.1 from:
http://de1.php.net/get/php-5.6.1.tar.gz/from/this/mirror

2) tar -xzvf php-5.6.1.tar.gz

3) cd php-5.6.1

4) ./configure 'CFLAGS=-fsanitize=address '-O2' '-ggdb'' 'LDFLAGS=-fsanitize=address'

5) make

6) make test

7) make install

8) gdb /data/home/secalert/research/php-5.6.1/sapi/cli/php

9) (gdb) run /data/home/secalert/research/php-5.6.1/ext/fileinfo/tests/finfo_file_002.phpt
Starting program: /data/home/secalert/research/php-5.6.1/sapi/cli/php /data/home/secalert/research/php-5.6.1/ext/fileinfo/tests/finfo_file_002.phpt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
--TEST--
finfo_file(): Testing mime types
--SKIPIF--
--FILE--
=================================================================
==7805== ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000016c5008 at pc 0x74eb9e bp 0x7fffffff8df0 sp 0x7fffffff8de8
READ of size 8 at 0x0000016c5008 thread T0
    #0 0x74eb9d (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x74eb9d)
    #1 0x74b3f8 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x74b3f8)
    #2 0x74c9c9 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x74c9c9)
    #3 0x728dc1 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x728dc1)
    #4 0xe0bee4 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xe0bee4)
    #5 0xc84fdf (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xc84fdf)
    #6 0xbc5bbe (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xbc5bbe)
    #7 0xa948de (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xa948de)
    #8 0xe108af (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0xe108af)
    #9 0x4383b0 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x4383b0)
    #10 0x7ffff401bec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #11 0x438956 (/data/home/secalert/research/php-5.6.1/sapi/cli/php+0x438956)
0x0000016c5008 is located 24 bytes to the left of global variable 'name2desc (/data/home/secalert/research/php-5.6.1/ext/fileinfo/libmagic/readcdf.c)' (0x16c5020) of size 64
0x0000016c5008 is located 16 bytes to the right of global variable 'clsid2mime (/data/home/secalert/research/php-5.6.1/ext/fileinfo/libmagic/readcdf.c)' (0x16c4fe0) of size 24
Shadow bytes around the buggy address:
  0x0000802d09b0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000802d09c0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000802d09d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802d09e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802d09f0: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9
=>0x0000802d0a00: f9[f9]f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0000802d0a10: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000802d0a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802d0a30: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0000802d0a40: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0000802d0a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==7805== ABORTING
[Inferior 1 (process 7805) exited with code 01]
(gdb) bt
No stack.

 [2014-10-15 10:50 UTC] david dot kurz at majorsecurity dot com

-Package: Testing related +Package: Filesystem function related

 [2014-10-15 10:50 UTC] david dot kurz at majorsecurity dot com

cite:  [2014-10-14 08:49 UTC] stas@php.net
Shouldn't this be reported upstream to fileinfo maintainers? 

answer: I hope this is the correct package now.

 [2014-10-15 11:15 UTC] tyrael@php.net

I think that Stas was referring to the authors of libmagic/file by upstream, they are the original authors of the readcdf.c file which seem to have the issue.
as we distribute this file we also have to fix it, but would be nice if upstream is also notified.

 [2014-10-15 15:00 UTC] david dot kurz at majorsecurity dot com

I got it. I have reported this issue to the file/libmagic maintainers also. It's bug 0000389 on their bugtracker. http://bugs.gw.com

 [2014-10-16 06:27 UTC] pajoye@php.net

As we bundle and patch it, having such issue reported in both projects is good tho' Thanks for your efforts :)

 [2014-10-22 12:11 UTC] david dot kurz at majorsecurity dot com

I got feedback from the file maintainer in http://bugs.gw.com/view.php?id=389. 

Christos Zoulas	(manager) 
2014-10-22 03:03

This has been fixed in readcdf-1.43. The current version in file-5.20 is readcdf-1.48. The problem is that the arrays clsid2mime and clsid2desc are not NULL terminated.

 [2014-10-22 12:57 UTC] remi@php.net

@David: thanks
This confirm the linked commit in mu previous comment

This bug only affects 5.6+

 [2014-10-22 13:29 UTC] remi@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: remi