These vulnerabilities are triggered simply by inputting a poc file to stdin as shown below.

$ midicsv poc0

** Summary changed:

- Multiple heap-buffer overflow in trackcsv
+ Multiple heap-buffer overflow in midicsv.c:123

** Summary changed:

- Multiple heap-buffer overflow in midicsv.c:123
+ heap-buffer overflow in midicsv.c:123

** Description changed:

  environment
  $ uname -a
  Linux 6176901723ae 5.15.0-122-generic #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  build setting
  $ git clone https://git.launchpad.net/ubuntu/+source/midicsv
  ( also possible https://www.fourmilab.ch/webtools/midicsv/#Download )

  $ head Makefile
  CC = clang
  CFLAGS = -g -Wall -fsanitize=address
  INSTALL_DEST = /usr/local

  # You shouldn't need to change anything after this line

  VERSION = 1.1
  PROGRAMS = midicsv csvmidi
  ( edit Makefile for address sanitizer )

- When I run the attached poc file, a heap buffer overflow error occurs as follows.
-
- Also, when I run the other poc's I attached, they all crash with heap buffer overflow.
- The sink points of these crash files are all different.
- But I think they all cause heap buffer overflows because they mismanage the `trk` variable and try to overwrite it outside the allocated range.
- The following is the ASAN crash log that occurred when I ran the poc.

  Filename: poc0
  Sink : if (*trk & 0x80) { //midicsv.c:123:6
  ASAN crash log
  =================================================================
  ==17==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002721 at pc 0x0000004ef7cb bp 0x7ffc7c4be3f0 sp 0x7ffc7c4be3e8
  READ of size 1 at 0x621000002721 thread T0
- #0 0x4ef7ca in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:123:6
- #1 0x4ef7ca in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
+ #0 0x4ef7ca in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:123:6
+ #1 0x4ef7ca in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
  error: failed to decompress '.debug_aranges', zlib is not available
  error: failed to decompress '.debug_info', zlib is not available
  error: failed to decompress '.debug_abbrev', zlib is not available
  error: failed to decompress '.debug_line', zlib is not available
  error: failed to decompress '.debug_str', zlib is not available
  error: failed to decompress '.debug_loc', zlib is not available
  error: failed to decompress '.debug_ranges', zlib is not available
- #2 0x7f89f9f1d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #3 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
+ #2 0x7f89f9f1d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
+ #3 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
  0x621000002721 is located 0 bytes to the right of 4641-byte region [0x621000001500,0x621000002721)
  allocated by thread T0 here:
- #0 0x4bb16d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
- #1 0x4eba26 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:493:17
- #2 0x7f89f9f1d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
+ #0 0x4bb16d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
+ #1 0x4eba26 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:493:17
+ #2 0x7f89f9f1d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

  SUMMARY: AddressSanitizer: heap-buffer-overflow /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:123:6 in trackcsv
  Shadow bytes around the buggy address:
  ...
  ==17==ABORTING
-
- Filename: poc1
- Sink : if (*trk & 0x80) { //midicsv.c:159:9
- ASAN crash log
- =================================================================
- ==19==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002721 at pc 0x0000004ef651 bp 0x7fff36b17ab0 sp 0x7fff36b17aa8
- READ of size 1 at 0x621000002721 thread T0
- #0 0x4ef650 in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:159:9
- #1 0x4ef650 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
- error: failed to decompress '.debug_aranges', zlib is not available
- error: failed to decompress '.debug_info', zlib is not available
- error: failed to decompress '.debug_abbrev', zlib is not available
- error: failed to decompress '.debug_line', zlib is not available
- error: failed to decompress '.debug_str', zlib is not available
- error: failed to decompress '.debug_loc', zlib is not available
- error: failed to decompress '.debug_ranges', zlib is not available
- #2 0x7f984f821082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #3 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
-
-
- Filename: poc34
- Sink : if ((value = *cp++) & 0x80) { //midicsv.c:44:18
- ASAN crash log
- =================================================================
- ==21==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0000016e0 at pc 0x0000004efbb7 bp 0x7ffd8402dc00 sp 0x7ffd8402dbf8
- READ of size 1 at 0x61e0000016e0 thread T0
- #0 0x4efbb6 in vlength /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:44:18
- #1 0x4ebe46 in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:115:17
- #2 0x4ebe46 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
- error: failed to decompress '.debug_aranges', zlib is not available
- error: failed to decompress '.debug_info', zlib is not available
- error: failed to decompress '.debug_abbrev', zlib is not available
- error: failed to decompress '.debug_line', zlib is not available
- error: failed to decompress '.debug_str', zlib is not available
- error: failed to decompress '.debug_loc', zlib is not available
- error: failed to decompress '.debug_ranges', zlib is not available
- #3 0x7f637db72082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #4 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
-
-
- Filename: poc4
- Sink: fprintf(fo, ", %d", titem[i]); //midicsv.c:352:53
- ASAN crash log
- =============
- ==25==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003b09 at pc 0x0000004ef698 bp 0x7ffd6e549cd0 sp 0x7ffd6e549cc8
- READ of size 1 at 0x621000003b09 thread T0
- #0 0x4ef697 in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:352:53
- #1 0x4ef697 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
- error: failed to decompress '.debug_aranges', zlib is not available
- error: failed to decompress '.debug_info', zlib is not available
- error: failed to decompress '.debug_abbrev', zlib is not available
- error: failed to decompress '.debug_line', zlib is not available
- error: failed to decompress '.debug_str', zlib is not available
- error: failed to decompress '.debug_loc', zlib is not available
- error: failed to decompress '.debug_ranges', zlib is not available
- #2 0x7f4edf2ae082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #3 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
-
-
- Filename: poc10
- Sink: fprintf(fo, ", %d", titem[i]); //midicsv.c:368:53
- ASAN crash log
- =================================================================
- ==37==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002721 at pc 0x0000004ef73c bp 0x7ffc858a3d70 sp 0x7ffc858a3d68
- READ of size 1 at 0x621000002721 thread T0
- #0 0x4ef73b in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:368:53
- #1 0x4ef73b in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
- error: failed to decompress '.debug_aranges', zlib is not available
- error: failed to decompress '.debug_info', zlib is not available
- error: failed to decompress '.debug_abbrev', zlib is not available
- error: failed to decompress '.debug_line', zlib is not available
- error: failed to decompress '.debug_str', zlib is not available
- error: failed to decompress '.debug_loc', zlib is not available
- error: failed to decompress '.debug_ranges', zlib is not available
- #2 0x7f0eccd60082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #3 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
-
-
- Filename: poc22
- Sink: c = *t++; //midicsv.c:78:10
- ASAN crash log
- =================================================================
- ==2764304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000029 at pc 0x0000004efc95 bp 0x7ffebf375ee0 sp 0x7ffebf375ed8
- READ of size 1 at 0x603000000029 thread T0
- #0 0x4efc94 in textcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:78:10
- #1 0x4edfe0 in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c
- #2 0x4edfe0 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
- error: failed to decompress '.debug_aranges', zlib is not available
- error: failed to decompress '.debug_info', zlib is not available
- error: failed to decompress '.debug_abbrev', zlib is not available
- error: failed to decompress '.debug_line', zlib is not available
- error: failed to decompress '.debug_str', zlib is not available
- error: failed to decompress '.debug_loc', zlib is not available
- error: failed to decompress '.debug_ranges', zlib is not available
- #3 0x7f5d06110082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #4 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
-
-
- Filename: poc14
- Sink: value = (value << 7) | ((ch = *cp++) & 0x7F); //midicsv.c:47:36
- ASAN crash log
- =================================================================
- ==47==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003b09 at pc 0x0000004efba2 bp 0x7ffeee042300 sp 0x7ffeee0422f8
- READ of size 1 at 0x621000003b09 thread T0
- #0 0x4efba1 in vlength /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:47:36
- #1 0x4ebe46 in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:115:17
- #2 0x4ebe46 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
- error: failed to decompress '.debug_aranges', zlib is not available
- error: failed to decompress '.debug_info', zlib is not available
- error: failed to decompress '.debug_abbrev', zlib is not available
- error: failed to decompress '.debug_line', zlib is not available
- error: failed to decompress '.debug_str', zlib is not available
- error: failed to decompress '.debug_loc', zlib is not available
- error: failed to decompress '.debug_ranges', zlib is not available
- #3 0x7fcc48fbd082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #4 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
-
-
- Filename: poc19
- Sink: value = value | ((*trk++) << 7); //midicsv.c:221:21
- ASAN crash log
- =================================================================
- ==62==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000029 at pc 0x0000004ef505 bp 0x7ffc97f1d930 sp 0x7ffc97f1d928
- READ of size 1 at 0x603000000029 thread T0
- #0 0x4ef504 in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:221:21
- #1 0x4ef504 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
- error: failed to decompress '.debug_aranges', zlib is not available
- error: failed to decompress '.debug_info', zlib is not available
- error: failed to decompress '.debug_abbrev', zlib is not available
- error: failed to decompress '.debug_line', zlib is not available
- error: failed to decompress '.debug_str', zlib is not available
- error: failed to decompress '.debug_loc', zlib is not available
- error: failed to decompress '.debug_ranges', zlib is not available
- #2 0x7f4981a2b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #3 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)
-
- Filename: poc27
- Sink: value = *trk++; //midicsv.c:193:11
- ASAN crash log
- =================================================================
- ==78==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002721 at pc 0x0000004ef59a bp 0x7fffb09bd270 sp 0x7fffb09bd268
- READ of size 1 at 0x621000002721 thread T0
- #0 0x4ef599 in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:193:11
- #1 0x4ef599 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
- error: failed to decompress '.debug_aranges', zlib is not available
- error: failed to decompress '.debug_info', zlib is not available
- error: failed to decompress '.debug_abbrev', zlib is not available
- error: failed to decompress '.debug_line', zlib is not available
- error: failed to decompress '.debug_str', zlib is not available
- error: failed to decompress '.debug_loc', zlib is not available
- error: failed to decompress '.debug_ranges', zlib is not available
- #2 0x7fafb88ce082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
- #3 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)

** Attachment removed: "poc.tar.gz"
   https://bugs.launchpad.net/ubuntu/+source/midicsv/+bug/2087775/+attachment/5836111/+files/poc.tar.gz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2087775

Title:
  heap-buffer overflow in midicsv.c:123

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/midicsv/+bug/2087775/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
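Every sink quoted in the report (`*trk`, `*cp++`, `*t++`) reads a byte through a pointer into the malloc'd track region without first comparing that pointer against the region's end, which is why a track that ends in the middle of a field trips ASAN. The following is an added example, not part of the bug report or of midicsv's own code: a hypothetical bounds-checked reader for the MIDI variable-length quantity that `vlength` parses, in which the cursor carries the end pointer and every read is checked before it happens. The names `track_cursor`, `read_vlq` and `parse_vlq` and the sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical track cursor (not midicsv's own type): the parser carries
   the end of the malloc'd track region alongside the read pointer, which
   is exactly what an unchecked "(value = *cp++) & 0x80" loop lacks. */
typedef struct {
    const unsigned char *cur;   /* next unread byte of the track */
    const unsigned char *end;   /* one past the last byte of the track */
} track_cursor;

/* Reads one MIDI variable-length quantity: 7 value bits per byte, high
   bit set means another byte follows.  Returns 1 and stores the value, or
   0 if the quantity would run past the end of the track or exceeds the
   4 bytes the MIDI spec allows (maximum value 0x0FFFFFFF). */
int read_vlq(track_cursor *tc, uint32_t *out)
{
    uint32_t value = 0;
    for (int i = 0; i < 4; i++) {
        if (tc->cur >= tc->end)       /* the read would leave the buffer */
            return 0;
        unsigned char ch = *tc->cur++;
        value = (value << 7) | (ch & 0x7F);
        if ((ch & 0x80) == 0) {
            *out = value;
            return 1;
        }
    }
    return 0;   /* continuation bit still set after 4 bytes: malformed */
}

/* Parses the VLQ at the start of a buffer of len bytes; -1 on failure. */
long parse_vlq(const unsigned char *buf, size_t len)
{
    track_cursor tc = { buf, buf + len };
    uint32_t v;
    return read_vlq(&tc, &v) ? (long)v : -1L;
}

int main(void)
{
    /* Constructed inputs: a well-formed 2-byte VLQ encoding 200, and a
       track that ends with the continuation bit still set. */
    static const unsigned char ok[]        = { 0x81, 0x48 };
    static const unsigned char truncated[] = { 0x81 };
    printf("ok: %ld\n", parse_vlq(ok, sizeof ok));
    printf("truncated: %ld\n", parse_vlq(truncated, sizeof truncated));
    return 0;
}
```

The truncated case is the one the fuzzed files exercise: instead of fetching the byte at `end` (the address ASAN reports as "0 bytes to the right" of the region), the reader fails cleanly and the caller can reject the track.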
