*** This bug is a security vulnerability ***

Private security bug reported:

environment

  $ uname -a
  Linux 6176901723ae 5.15.0-122-generic #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

build setting

  $ git clone https://git.launchpad.net/ubuntu/+source/abcmidi
  $ autoconf
  $ CC="clang -fsanitize=address -g" CXX="clang++ -fsanitize=address -g" ./configure
  $ CC="clang -fsanitize=address -g" CXX="clang++ -fsanitize=address -g" make

When I run the attached poc file, a heap buffer overflow error occurs as follows. The following is the ASAN crash log that occurred when I ran the poc.

  ./abc2midi ../poc/poc29 -v
  4.94 August 13 2024 abc2midi
  scanning tune
  Error in line-char 41-4 : Unrecognized character:
  Error in line-char 41-6 : Cannot apply broken rhythm. Notes not equal durations
  Error in line-char 41-10 : Cannot apply broken rhythm. Notes not equal durations
  Error in line-char 41-13 : Cannot apply broken rhythm. Notes not equal durations
  voice mapping: 1
  ...
  voice mapping: 1
  num 1 index 1 bars 17 gchords 0 words 1 drums 0 drone 0 tosplit -1 fromsplit -1
  writing MIDI file .5.mid
  trackvoice = 1 track = 0 temposon
  Error in line-char 110-62 : %%MIDI command "Jhordvol" not recognized
  Error in line-char 120-32 : Part not defined
  Doing part B number 1 of 6
  Error in line-char 125-25 : Part not defined
  Doing part B number 3 of 6
  Error in line-char 125-25 : Part not defined
  Doing part B number 5 of 6
  assigning channel 0 to track 1
  trackvoice = 1 track = 1 noteson wordson
  Error in line-char 110-62 : %%MIDI command "Jhordvol" not recognized
  Warning in line-char 111-0 : Line of music without lyrics
  =================================================================
  ==3099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000000b9 at pc 0x00000054d426 bp 0x7ffcc69072f0 sp 0x7ffcc69072e8
  READ of size 1 at 0x6060000000b9 thread T0
      #0 0x54d425 in getword /tmp/abcmidi/genmidi.c
      #1 0x543ce5 in checksyllables /tmp/abcmidi/genmidi.c:1191:17
      #2 0x543ce5 in writetrack /tmp/abcmidi/genmidi.c:3179:9
      #3 0x54df0e in mf_write_track_chunk /tmp/abcmidi/midifile.c:805:18
      #4 0x54df0e in mfwrite /tmp/abcmidi/midifile.c:713:9
      #5 0x536106 in finishfile /tmp/abcmidi/store.c
      #6 0x52f3cc in event_blankline /tmp/abcmidi/store.c:6265:5
      #7 0x4fdb88 in parseline /tmp/abcmidi/parseabc.c:3496:7
      #8 0x4fe2d0 in parsefile /tmp/abcmidi/parseabc.c:3675:7
      #9 0x52fbcc in main /tmp/abcmidi/store.c:6367:5
  error: failed to decompress '.debug_aranges', zlib is not available
  error: failed to decompress '.debug_info', zlib is not available
  error: failed to decompress '.debug_abbrev', zlib is not available
  error: failed to decompress '.debug_line', zlib is not available
  error: failed to decompress '.debug_str', zlib is not available
  error: failed to decompress '.debug_loc', zlib is not available
  error: failed to decompress '.debug_ranges', zlib is not available
      #10 0x7fecfba45082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
      #11 0x41c36d in _start (/tmp/abcmidi/abc2midi+0x41c36d)

  0x6060000000b9 is located 0 bytes to the right of 57-byte region [0x606000000080,0x6060000000b9)
  allocated by thread T0 here:
      #0 0x4bb17d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
      #1 0x4eab73 in checkmalloc /tmp/abcmidi/parseabc.c:148:15
      #2 0x4eab73 in addstring /tmp/abcmidi/parseabc.c:164:16

  SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/abcmidi/genmidi.c in getword
  Shadow bytes around the buggy address:
    0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  =>0x0c0c7fff8010: 00 00 00 00 00 00 00[01]fa fa fa fa 00 00 00 00
    0x0c0c7fff8020: 00 00 00 03 fa fa fa fa 00 00 00 00 00 00 00 fa
    0x0c0c7fff8030: fa fa fa fa 00 00 00 00 00 00 00 07 fa fa fa fa
    0x0c0c7fff8040: 00 00 00 00 00 00 00 07 fa fa fa fa 00 00 00 00
    0x0c0c7fff8050: 00 00 01 fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==3099==ABORTING

In the above case, poc29 calls the checksyllables function, and the vulnerability occurs in the getword function. In the following poc, getword is called through the write_syllable function, and the vulnerability occurs.

  ./abc2midi ../poc/poc46 -v
  4.94 August 13 2024 abc2midi
  scanning tune
  Warning in line-char 10-0 : No / found, assuming denominator of 1
  Error in line-char 14-1 : Unrecognized character:
  voice mapping: 1
  num 1 index 1 bars 10 gchords 0 words 0 drums 0 drone 0 tosplit -1 fromsplit -1
  writing MIDI file .1.mid
  assigning channel 0 to track 0
  trackvoice = 1 track = 0 noteson temposon
  Warning in line-char 16-38 : Track 0 Bar 1 has 1 time units while the time signature has 4127
  Warning in line-char 17-26 : Track 0 Bar 2 has 1 time units while the time signature has 4127
  Warning in line-char 16-26 : Track 0 Bar 0 has 2 time units while the time signature has 4127 in repeat
  Warning in line-char 16-38 : Track 0 Bar 1 has 1 time units while the time signature has 4127 in repeat
  Warning in line-char 17-26 : Track 0 Bar 2 has 1 time units while the time signature has 4127 in repeat
  Warning in line-char 20-23 : Track 0 Bar 3 has 2 time units while the time signature has 4127
  Warning in line-char 20-34 : Track 0 Bar 4 has 1 time units while the time signature has 4127
  Warning in line-char 21-23 : Track 0 Bar 5 has 1 time units while the time signature has 4127
  Warning in line-char 20-23 : Track 0 Bar 3 has 2 time units while the time signature has 4127 in repeat
  Warning in line-char 20-34 : Track 0 Bar 4 has 1 time units while the time signature has 4127 in repeat
  Warning in line-char 21-23 : Track 0 Bar 5 has 1 time units while the time signature has 4127 in repeat
  scanning tune
  Error in line-char 34-20 : Cannot apply broken rhythm. Notes not equal durations
  voice mapping: 1
  num 1 index 1 bars 19 gchords 0 words 0 drums 0 drone 0 tosplit -1 fromsplit -1
  writing MIDI file .2.mid
  assigning channel 0 to track 0
  trackvoice = 1 track = 0 noteson temposon
  Warning in line-char 34-21 : Track 0 Bar 0 has 9/2 time units while the time signature has 4 in repeat
  scanning tune
  voice mapping: 1
  ...
  Warning in line-char 127-5 : Track 1 Bar 8 has 6 time units while the time signature has 4
  Doing part A number 2 of 6
  Doing part B number 3 of 6
  Doing part A number 4 of 6
  Error in line-char 114-30 : Verse 3 mismatch; 14 syllables in music 13 in lyrics
  =================================================================
  ==3102==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000114 at pc 0x00000054d426 bp 0x7ffd828fa730 sp 0x7ffd828fa728
  READ of size 1 at 0x603000000114 thread T0
      #0 0x54d425 in getword /tmp/abcmidi/genmidi.c
      #1 0x54b03f in write_syllable /tmp/abcmidi/genmidi.c:1148:23
      #2 0x543f68 in writetrack /tmp/abcmidi/genmidi.c:3047:9
      #3 0x54df0e in mf_write_track_chunk /tmp/abcmidi/midifile.c:805:18
      #4 0x54df0e in mfwrite /tmp/abcmidi/midifile.c:713:9
      #5 0x536106 in finishfile /tmp/abcmidi/store.c
      #6 0x52f3cc in event_blankline /tmp/abcmidi/store.c:6265:5
      #7 0x4fdb88 in parseline /tmp/abcmidi/parseabc.c:3496:7
      #8 0x4fe2d0 in parsefile /tmp/abcmidi/parseabc.c:3675:7
      #9 0x52fbcc in main /tmp/abcmidi/store.c:6367:5
  error: failed to decompress '.debug_aranges', zlib is not available
  error: failed to decompress '.debug_info', zlib is not available
  error: failed to decompress '.debug_abbrev', zlib is not available
  error: failed to decompress '.debug_line', zlib is not available
  error: failed to decompress '.debug_str', zlib is not available
  error: failed to decompress '.debug_loc', zlib is not available
  error: failed to decompress '.debug_ranges', zlib is not available
      #10 0x7f5f7c55a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
      #11 0x41c36d in _start (/tmp/abcmidi/abc2midi+0x41c36d)

  0x603000000114 is located 0 bytes to the right of 20-byte region [0x603000000100,0x603000000114)
  allocated by thread T0 here:
      #0 0x4bb17d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
      #1 0x4eab73 in checkmalloc /tmp/abcmidi/parseabc.c:148:15
      #2 0x4eab73 in addstring /tmp/abcmidi/parseabc.c:164:16

  SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/abcmidi/genmidi.c in getword
  Shadow bytes around the buggy address:
    0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c067fff8000: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
    0x0c067fff8010: fd fa fa fa fd fd fd fa fa fa 00 00 06 fa fa fa
  =>0x0c067fff8020: 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==3102==ABORTING

** Affects: abcmidi (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "poc29,46.zip"
   https://bugs.launchpad.net/bugs/2086695/+attachment/5834798/+files/poc29%2C46.zip

** Information type changed from Public to Private Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2086695

Title:
  heap buffer overflow in getword

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/abcmidi/+bug/2086695/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
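Both ASan reports above share the same shape: a one-byte READ located "0 bytes to the right" of a string that addstring() placed on the heap with an exact-size malloc, and the read happens in a word scanner. The C below is an added illustration of that bug class and is not abcmidi's getword(), whose source is not quoted in this report; the names getword_unsafe, getword_safe, dup_exact and the lyric lines are constructed for the example. It shows a "consume one byte, then test for the terminator" loop that walks past the NUL when it is already at the end of the string, next to a length-bounded version that cannot leave the buffer. The unsafe scanner is run on a string embedded in a larger stack array so the stray read lands on known padding instead of being undefined behaviour; on an exact-size heap copy under -fsanitize=address the same call is the read ASan flags.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper in the style of an addstring(): exact-size heap copy,
 * so the byte after the NUL terminator is outside the allocation. */
static char *dup_exact(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) { perror("malloc"); exit(1); }
    memcpy(p, s, n);
    return p;
}

/* Unsafe word scanner (illustrative, NOT abcmidi's getword()).
 * The do/while consumes a byte before it tests for the terminator, so when
 * *pos already sits on the NUL it steps to s[*pos + 1]: one byte past an
 * exact-size allocation, matching "READ of size 1 ... 0 bytes to the right". */
static size_t getword_unsafe(const char *s, size_t *pos, char *out, size_t outsz) {
    size_t i = *pos, n = 0;
    while (s[i] == ' ') i++;                 /* skip leading blanks */
    do {
        if (n + 1 < outsz) out[n] = s[i];
        n++;
        i++;
    } while (s[i] != ' ' && s[i] != '\0');   /* reads s[i] after the unconditional i++ */
    out[n < outsz ? n : outsz - 1] = '\0';
    *pos = i;
    return n;
}

/* Hardened scanner: carries the buffer length, tests before every advance,
 * never moves the cursor past the NUL or past len, and returns 0 when no
 * word remains so callers can loop on it safely. */
static size_t getword_safe(const char *s, size_t len, size_t *pos,
                           char *out, size_t outsz) {
    size_t i = *pos, n = 0;
    while (i < len && s[i] == ' ') i++;
    while (i < len && s[i] != '\0' && s[i] != ' ') {
        if (n + 1 < outsz) out[n++] = s[i]; /* silently truncates oversize words */
        i++;
    }
    out[n] = '\0';                           /* n <= outsz - 1 is guaranteed */
    *pos = i;
    return n;
}

/* Counts words in a lyric line with the safe scanner on an exact-size heap
 * copy, deliberately calling it more times than there are words: the extra
 * calls return 0 and leave the cursor on the terminator. */
static int count_words_safe(const char *line) {
    char *heap = dup_exact(line);
    size_t len = strlen(heap) + 1;
    size_t pos = 0;
    char word[64];
    int count = 0;
    for (int calls = 0; calls < 10; calls++) {
        if (getword_safe(heap, len, &pos, word, sizeof word) > 0) count++;
    }
    free(heap);
    return count;
}

/* Demonstrates the overrun without UB: the string sits in a 16-byte array,
 * the cursor starts on the NUL (as at the end of a lyric line), and the
 * result is how many bytes past the terminator the scanner left the cursor. */
static size_t unsafe_overrun_distance(void) {
    char buf[16] = "la la";   /* strlen 5, NUL at buf[5], zero padding after */
    size_t pos = 5;
    char word[8];
    getword_unsafe(buf, &pos, word, sizeof word);
    return pos - strlen(buf); /* 1: the cursor is one byte past the NUL */
}

int main(void) {
    printf("safe:   %d words in \"Ah-me a-ma-zing grace\"\n",
           count_words_safe("Ah-me a-ma-zing grace"));
    printf("unsafe: cursor ends %zu byte(s) past the terminator\n",
           unsafe_overrun_distance());
    return 0;
}
```

The check a maintainer would want when fixing a report like this is the same one the safe scanner encodes: every cursor advance in the word loop is preceded by a test for the terminator and for the known length, and a call made with the cursor already at the end returns 0 instead of moving. Building with the CC="clang -fsanitize=address -g" flags from the report and rerunning the attached poc files is then the regression test.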
