Package: genisoimage
Version: 9:1.1.11-3+b2
Severity: normal
Tags: security

Dear Maintainer,

Fuzzing the isoinfo binary from genisoimage using afl-fuzz identified a
vulnerable function, parse_dir, which contains a buffer overflow
vulnerability.
This seems to be related to the length of idr->name passed to the parse_dir
function on line 1230.

Steps to reproduce:
$ isoinfo -i crash.iso
*** stack smashing detected ***: isoinfo terminated
Aborted (core dumped)

Crash Information:
$ gdb isoinfo
(gdb) set args -i crash/crash.iso
(gdb) r
Starting program: /usr/bin/isoinfo -i crash/crash.iso
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
*** stack smashing detected ***: /usr/bin/isoinfo terminated

Program received signal SIGABRT, Aborted.
(gdb)


From cwtriage:

Command: isoinfo -i crash/crash.iso
Faulting Frame:
   parse_dir @ 0x00000000004081ac: in /usr/bin/isoinfo
Disassembly:
Stack Head (23 entries):
   __GI_raise                @ 0x00007ffff7825428: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
   __GI_abort                @ 0x00007ffff782702a: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
   __libc_message            @ 0x00007ffff78677ea: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
   __GI___fortify_fail       @ 0x00007ffff790911c: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
   __stack_chk_fail          @ 0x00007ffff79090c0: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
   parse_dir                 @ 0x00000000004081ac: in /usr/bin/isoinfo
   None                      @ 0xd2d2d2d2d2d2d2d2: in ?
   None                      @ 0xd2d2d2d2d2d2d2d2: in ?
   None                      @ 0xd2d2d2d2d2d2d2d2: in ?
   None                      @ 0xd2d2d2d2d2d2d2d2: in ?
   None                      @ 0xd2d2d2d2d2d2d2d2: in ?
   None                      @ 0xd2d2d2d2d2d2d2d2: in ?
   None                      @ 0x00000000d2d2d2d2: in ?
   None                      @ 0x0001313030444301: in ?
   None                      @ 0x20202058554e494c: in ?
   None                      @ 0x2020202020202020: in ?
Registers:
rax=0x0000000000000000 rbx=0x000000000000003d rcx=0x00007ffff7825428 rdx=0x0000000000000006
rsi=0x0000000000004b55 rdi=0x0000000000004b55 rbp=0x00007fffffffb990 rsp=0x00007fffffffb678
 r8=0x6f666e696f73692f  r9=0x0000000000000000 r10=0x0000000000000008 r11=0x0000000000000206
r12=0x000000000000003d r13=0x00007fffffffb808 r14=0x00007fffffffb808 r15=0x0000000000000001
rip=0x00007ffff7825428 efl=0x0000000000000206  cs=0x0000000000000033  ss=0x000000000000002b
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x000000000000000

A sample crashing test case is attached. More can be provided if necessary.

-Julian

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.10.0-42-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C
(charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages genisoimage depends on:
ii  libbz2-1.0  1.0.6-8.1
ii  libc6       2.24-11+deb9u1
ii  libmagic1   1:5.30-1+deb9u1
ii  zlib1g      1:1.2.8.dfsg-5

genisoimage recommends no packages.

Versions of packages genisoimage suggests:
pn  cdrkit-doc  <none>
pn  wodim       <none>

-- no debconf information

Attachment: crash.iso
Description: application/cd-image
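The report above points at the length of idr->name reaching parse_dir unchecked, but does not include the parser code itself. The following is an added, illustrative example written for this page, not cdrkit's parse_dir or any genisoimage source: a minimal ISO 9660 directory-record reader that treats every length field taken from the image as hostile before copying the file identifier into a fixed-size buffer. Field offsets follow ECMA-119 section 9.1 (byte 0 = record length, byte 32 = identifier length, byte 33 onward = identifier); the function names, the status enum and the sample records are constructed here and are not from the project. The three scenarios show the well-formed case, an identifier length that overruns its record (the class of input a fuzzer finds), and a record length that overruns the block.

```c
/* Added example for this report: bounds-checked ISO 9660 directory record
 * parsing.  Illustrative code, not cdrkit/genisoimage source.  Offsets are
 * from ECMA-119 9.1; the records below are constructed by hand, not read
 * from crash.iso. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ISO_BLOCK 2048
#define NAME_MAX  255      /* identifier length is a single byte in the record */

enum { DR_LEN = 0, DR_NAME_LEN = 32, DR_NAME = 33 };   /* ECMA-119 9.1 offsets */

enum dr_status { DR_OK = 0, DR_SHORT = 1, DR_BAD_RECLEN = 2, DR_BAD_NAMELEN = 3 };

/* Validate the record at buf[off..] inside a buffer of len bytes and copy its
 * identifier into name (capacity NAME_MAX + 1), NUL-terminated.  Both the
 * record length and the identifier length come from the image and are
 * checked against the enclosing buffer before any copy happens. */
enum dr_status parse_dir_record(const uint8_t *buf, size_t len, size_t off,
                                char *name, size_t *reclen_out)
{
    if (off >= len || len - off < DR_NAME)        /* fixed 33-byte header must fit */
        return DR_SHORT;
    size_t reclen = buf[off + DR_LEN];
    if (reclen < DR_NAME || reclen > len - off)    /* record must fit header and buffer */
        return DR_BAD_RECLEN;
    size_t name_len = buf[off + DR_NAME_LEN];
    if (name_len > reclen - DR_NAME)               /* identifier must lie inside the record */
        return DR_BAD_NAMELEN;
    memcpy(name, buf + off + DR_NAME, name_len);   /* name_len <= 255 < capacity */
    name[name_len] = '\0';
    *reclen_out = reclen;
    return DR_OK;
}

/* Write a well-formed record for ident into dst (constructed test data).
 * Other header fields are left zero; assumes strlen(ident) <= NAME_MAX. */
size_t build_record(uint8_t *dst, const char *ident)
{
    size_t n = strlen(ident);
    size_t reclen = DR_NAME + n;
    if (reclen & 1)                                /* ECMA-119 pads records to even length */
        reclen++;
    memset(dst, 0, reclen);
    dst[DR_LEN] = (uint8_t)reclen;
    dst[DR_NAME_LEN] = (uint8_t)n;
    memcpy(dst + DR_NAME, ident, n);
    return reclen;
}

/* Three constructed scenarios: 0 = valid record, 1 = identifier length
 * overruns the record, 2 = record length overruns the block.  The record is
 * placed 40 bytes before the end of the block so that case 2 is detectable. */
enum dr_status scenario(int which, char *name_out)
{
    static char scratch[NAME_MAX + 1];
    char *name = name_out ? name_out : scratch;
    uint8_t block[ISO_BLOCK];
    size_t off = ISO_BLOCK - 40;
    size_t reclen_seen = 0;

    memset(block, 0, sizeof block);
    build_record(block + off, "LINUX");            /* 38-byte record, 40 bytes remain */
    switch (which) {
    case 1: block[off + DR_NAME_LEN] = 200; break; /* claims 200-byte identifier in 38-byte record */
    case 2: block[off + DR_LEN] = 64; break;       /* claims 64-byte record with 40 bytes left */
    default: break;
    }
    return parse_dir_record(block, sizeof block, off, name, &reclen_seen);
}

/* True when scenario `which` parses cleanly and yields the expected identifier. */
int scenario_yields(int which, const char *expected)
{
    char name[NAME_MAX + 1];
    return scenario(which, name) == DR_OK && strcmp(name, expected) == 0;
}

int main(void)
{
    static const char *labels[] = { "DR_OK", "DR_SHORT", "DR_BAD_RECLEN", "DR_BAD_NAMELEN" };
    for (int which = 0; which < 3; which++) {
        char name[NAME_MAX + 1] = "";
        enum dr_status st = scenario(which, name);
        printf("scenario %d: %s%s%s\n", which, labels[st],
               st == DR_OK ? " name=" : "", st == DR_OK ? name : "");
    }
    return 0;
}
```

The point of the two length checks is ordering: the record length is validated against the buffer first, and only then is the identifier length validated against the record, so neither the memcpy nor any later field access can read or write past what the image actually provides.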
