*** This bug is a security vulnerability *** Private security bug reported:
environment

$ uname -a
Linux 6176901723ae 5.15.0-122-generic #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

build setting

$ git clone https://git.launchpad.net/ubuntu/+source/abcmidi
$ autoconf
$ CC="clang -fsanitize=address -g" CXX="clang++ -fsanitize=address -g" ./configure
$ CC="clang -fsanitize=address -g" CXX="clang++ -fsanitize=address -g" make

When I run the attached poc file, a SEGV error occurs as follows. The following is the ASAN crash log that occurred when I ran the poc.

./abc2midi ../poc/poc9 -v
4.94 August 13 2024 abc2midi
scanning tune
Warning in line-char 16-0 : Ignoring text: |: G>A BB cBAc|BAGF E2D2|G>A BB cBAc|BGAF :2 G2
Warning in line-char 18-0 : Ignoring text: :: d c/2B/2 AB c B/2A/2 GB|AGFG A>B A2|\
Warning in line-char 19-0 : Ignoring text: d c/2B/2 AB c B/2A/2 GB|AGGF G2 G2 ::
voice mapping: 1 num 1 index 1 bars 4 gchords 0 words 0 drums 0 drone 0 tosplit -1 fromsplit -1
Error in line-char 24-35 : P: field in header should go after K: field
writing MIDI file .1.mid
assigning channel 0 to track 0
trackvoice = 1 track = 0
noteson
temposon
Doing part A number 0 of 1
scanning tune
Warning in line-char 32-35 : Ignoring text: |: (3GGG G2 (3GGG G>dwB>GB>d g>dB>G|\
Warning in line-char 33-35 : Ignoring text: (3DDD D2 (3DDD D>A|F>DF>A c>AF>A|
Warning in line-char 34-35 : Ignoring text: (3GGG G2 (3GG G>d|B>G B>d g2 g2|\
Warning in line-char 35-35 : Ignoring text: f>ag>f e>gf>e |1 d>^cd>e d>=cB>A :|2 d>^cd>e d2 B>=c |:
Warning in line-char 36-35 : Ignoring text: (3ddd d2 (3ddd d2|e>fg>f e>dc>B|\
Warning in line-char 37-35 : Ignoring text: c>de>d c>BA>G|F>GA>G F>DE>F|
Warning in line-char 38-35 : Ignoring text: (3GGG G2 (3=FFF F2|(3EEE E2 (3^DDD D2| \
Warning in line-char 39-35 : Ignoring text: =D>gf>e d>cB>A|1 G2B2G2 B>c :|2 G2B2G4 ||
voice mapping: 1 ...
dronl droneon
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3096==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000418 (pc 0x00000050d95a bp 0x7fffff2b7470 sp 0x7fffff2b6e80 T0)
==3096==The signal is caused by a WRITE memory access.
==3096==Hint: address points to the zero page.
    #0 0x50d95a in event_midi /tmp/abcmidi/store.c:2324:19
    #1 0x512e5d in event_specific /tmp/abcmidi/store.c:2396:6
    #2 0x4f6b97 in parse_precomment /tmp/abcmidi/parseabc.c:2103:7
    #3 0x4fdb67 in parseline /tmp/abcmidi/parseabc.c:3511:7
    #4 0x4fe2d0 in parsefile /tmp/abcmidi/parseabc.c:3675:7
    #5 0x52fbcc in main /tmp/abcmidi/store.c:6367:5
error: failed to decompress '.debug_aranges', zlib is not available
error: failed to decompress '.debug_info', zlib is not available
error: failed to decompress '.debug_abbrev', zlib is not available
error: failed to decompress '.debug_line', zlib is not available
error: failed to decompress '.debug_str', zlib is not available
error: failed to decompress '.debug_loc', zlib is not available
error: failed to decompress '.debug_ranges', zlib is not available
    #6 0x7fb0370bc082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #7 0x41c36d in _start (/tmp/abcmidi/abc2midi+0x41c36d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/abcmidi/store.c:2324:19 in event_midi
==3096==ABORTING

The sink point of the vulnerability is:

v->hasdrone = 1;

It is assumed that the SEGV error occurs due to mismanagement of the v object.

** Affects: abcmidi (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "poc9"
   https://bugs.launchpad.net/bugs/2086693/+attachment/5834797/+files/poc9

** Information type changed from Public to Private Security
https://bugs.launchpad.net/bugs/2086693

Title:
  SEGV in event_midi()

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
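Added illustration, not part of the report and not abcmidi's code: a write fault at a small address such as 0x000000000418 with the hint "address points to the zero page" is the classic signature of a NULL base pointer plus a struct field offset, which is consistent with the sink `v->hasdrone = 1;` being reached while the current-voice pointer `v` is still unset (the `%%MIDI` directive arrives via `parse_precomment` before the tune body has created a voice). The struct layout, the function and field names other than `hasdrone`, and the assumption that the directive in question is `drone` are all hypothetical stand-ins chosen for this example; the guarded handler shows the defensive check a maintainer would add so that the parser reports an error on the offending line instead of faulting.

```c
/* Hypothetical model of the crash site and of a guarded handler.
 * Not abcmidi's code; names and layout are stand-ins for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in voice record. The real abcmidi voice struct has many more
 * fields, so the real offset of hasdrone from a NULL base differs. */
struct voicecontext {
    char pad[1024];     /* stand-in for fields that precede hasdrone */
    int  hasdrone;
    int  drone_args[5];
};

/* Current voice: NULL until the tune body selects one. */
static struct voicecontext *v = NULL;
static struct voicecontext the_voice;
static char lasterr[128];

/* The address a write to v->hasdrone touches when v == NULL, i.e. the
 * field offset; small values like this land on the unmapped zero page. */
size_t hasdrone_offset(void) { return offsetof(struct voicecontext, hasdrone); }

/* Unguarded handler modelled on the reported sink: dereferences v
 * unconditionally. Shown only for contrast; it is never called here. */
static void event_midi_unchecked(const char *cmd) {
    if (strcmp(cmd, "drone") == 0)
        v->hasdrone = 1;            /* NULL + offset when no voice exists */
}

/* Guarded handler: refuse the directive when no voice exists yet and
 * record a diagnostic instead of writing through a NULL pointer.
 * Returns 1 when the flag was set, 0 when the command is not "drone",
 * -1 when there is no current voice. */
int event_midi_checked(const char *cmd, int line) {
    lasterr[0] = '\0';
    if (strcmp(cmd, "drone") != 0)
        return 0;
    if (v == NULL) {
        snprintf(lasterr, sizeof lasterr,
                 "Error in line %d : %%%%MIDI drone before any voice is defined",
                 line);
        return -1;
    }
    v->hasdrone = 1;
    return 1;
}

const char *event_midi_last_error(void) { return lasterr; }

/* Helpers that model voice creation and a fresh parser state. */
void select_voice(void) { v = &the_voice; }
void reset_voice(void) { v = NULL; memset(&the_voice, 0, sizeof the_voice); }
int voice_hasdrone(void) { return the_voice.hasdrone; }

int main(void) {
    (void)event_midi_unchecked;     /* silence unused-function warning */
    reset_voice();
    if (event_midi_checked("drone", 24) < 0)
        puts(event_midi_last_error());
    select_voice();
    event_midi_checked("drone", 30);
    printf("hasdrone=%d; a NULL v would have faulted at address %#zx\n",
           voice_hasdrone(), hasdrone_offset());
    return 0;
}
```

The check is placed in the handler rather than in the caller because `event_midi` is reachable from header-level `%%` comments through `event_specific`, where no voice has necessarily been created; rejecting the directive with a line-numbered error matches the style of the parser's existing "Error in line-char" messages and keeps a malformed input from turning into a crash.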
