Bug 1679952
| Field | Value |
|---|---|
| Summary | Stack buffer overflow in gpsinfo.c when running jhead |
| Product | [Fedora] Fedora EPEL |
| Component | jhead |
| Version | epel7 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Jianzhong Liu <j.zhong0> |
| Assignee | Adrian Reber <adrian> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | adrian, j.zhong0, ludovic.rousseau |
| Keywords | Security |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | jhead-3.03-4.fc30 jhead-3.03-4.fc29 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2019-08-14 01:05:27 UTC |
Have you contacted upstream about it? That would make more sense than reporting it here.

---

(In reply to Adrian Reber from comment #1)
> Have you contacted upstream about it? That would make more sense than
> reporting it here.

I have sent the author an email regarding this bug, but the author has been unresponsive.

---

The upstream author is not very responsive.

Also jhead is a good example of an insecure parser for a complex format. I would not be surprised if more bugs are found.

For Debian I fixed this bug in https://salsa.debian.org/debian/jhead/commit/bf330c777cc911b9f8509ffec7458952789c81e2

---

(In reply to Ludovic Rousseau from comment #3)
> The upstream author is not very responsive.
> Also jhead is a good example of an insecure parser for a complex format. I
> would not be surprised if more bugs are found.
>
> For Debian I fixed this bug in
> https://salsa.debian.org/debian/jhead/commit/bf330c777cc911b9f8509ffec7458952789c81e2

Thanks for pointing me to your patches. I will use them in the next jhead builds.

---

FEDORA-2019-17b95fecd3 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-17b95fecd3

---

FEDORA-2019-441c2fb0d1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-441c2fb0d1

---

jhead-3.03-4.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-441c2fb0d1

---

jhead-3.03-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-17b95fecd3

---

jhead-3.03-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

---

jhead-3.03-4.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1537431 [details]: Input triggering the bug

Description of problem:
Some inputs may trigger a stack buffer overflow in jhead.

Version-Release number of selected component (if applicable):
jhead-3.03

How reproducible:
Stable

Steps to Reproduce:
1. Run jhead with the attached input

Actual results:
Running with default settings:

```
jhead SBO_gpsinfo.c:150:17_asan_plain_nocrash
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 11 padding bytes before section E1
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 12 padding bytes before section E1
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegally sized Exif subdirectory (229 entries)
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Extraneous 10 padding bytes before section E1
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 35 for tag 0000 in Exif
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Too many components 2013278224 for tag 0000 in Exif
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 16 for tag 5132 in Exif
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal GPS directory link in Exif
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 16 for Exif gps tag 002a
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Illegal number format 69 for Exif gps tag 0004
Nonfatal Error : 'SBO_gpsinfo.c:150:17_asan_plain_nocrash' Inappropriate format (11) for Exif GPS coordinates!
*** buffer overflow detected ***: jhead terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f0c7ae239e7]
/lib64/libc.so.6(+0x115b62)[0x7f0c7ae21b62]
/lib64/libc.so.6(+0x11506b)[0x7f0c7ae2106b]
/lib64/libc.so.6(+0x506ba)[0x7f0c7ad5c6ba]
/lib64/libc.so.6(_IO_vfprintf+0x4ed7)[0x7f0c7ad59357]
/lib64/libc.so.6(__vsprintf_chk+0x88)[0x7f0c7ae210f8]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7f0c7ae2104d]
jhead[0x408e1b]
jhead[0x406fb5]
jhead[0x4071e3]
jhead[0x40465b]
jhead[0x4047ed]
jhead[0x402b5e]
jhead[0x4017e4]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f0c7ad2e3d5]
jhead[0x402270]
======= Memory map: ========
00400000-00410000 r-xp 00000000 08:01 3543787 /usr/bin/jhead
00610000-00611000 r--p 00010000 08:01 3543787 /usr/bin/jhead
00611000-00612000 rw-p 00011000 08:01 3543787 /usr/bin/jhead
00612000-00617000 rw-p 00000000 00:00 0
01630000-01651000 rw-p 00000000 00:00 0 [heap]
7f0c7aaf6000-7f0c7ab0b000 r-xp 00000000 08:01 3286373 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ab0b000-7f0c7ad0a000 ---p 00015000 08:01 3286373 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0a000-7f0c7ad0b000 r--p 00014000 08:01 3286373 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0b000-7f0c7ad0c000 rw-p 00015000 08:01 3286373 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f0c7ad0c000-7f0c7aece000 r-xp 00000000 08:01 3286326 /usr/lib64/libc-2.17.so
7f0c7aece000-7f0c7b0ce000 ---p 001c2000 08:01 3286326 /usr/lib64/libc-2.17.so
7f0c7b0ce000-7f0c7b0d2000 r--p 001c2000 08:01 3286326 /usr/lib64/libc-2.17.so
7f0c7b0d2000-7f0c7b0d4000 rw-p 001c6000 08:01 3286326 /usr/lib64/libc-2.17.so
7f0c7b0d4000-7f0c7b0d9000 rw-p 00000000 00:00 0
7f0c7b0d9000-7f0c7b1da000 r-xp 00000000 08:01 3286440 /usr/lib64/libm-2.17.so
7f0c7b1da000-7f0c7b3d9000 ---p 00101000 08:01 3286440 /usr/lib64/libm-2.17.so
7f0c7b3d9000-7f0c7b3da000 r--p 00100000 08:01 3286440 /usr/lib64/libm-2.17.so
7f0c7b3da000-7f0c7b3db000 rw-p 00101000 08:01 3286440 /usr/lib64/libm-2.17.so
7f0c7b3db000-7f0c7b3fd000 r-xp 00000000 08:01 3286302 /usr/lib64/ld-2.17.so
7f0c7b5f5000-7f0c7b5f8000 rw-p 00000000 00:00 0
7f0c7b5f9000-7f0c7b5fc000 rw-p 00000000 00:00 0
7f0c7b5fc000-7f0c7b5fd000 r--p 00021000 08:01 3286302 /usr/lib64/ld-2.17.so
7f0c7b5fd000-7f0c7b5fe000 rw-p 00022000 08:01 3286302 /usr/lib64/ld-2.17.so
7f0c7b5fe000-7f0c7b5ff000 rw-p 00000000 00:00 0
7ffc6e3ac000-7ffc6e3cd000 rw-p 00000000 00:00 0 [stack]
7ffc6e3df000-7ffc6e3e2000 r--p 00000000 00:00 0 [vvar]
7ffc6e3e2000-7ffc6e3e4000 r-xp 00000000 00:00 0 [vdso]
[1] 172 abort (core dumped) jhead SBO_gpsinfo.c:150:17_asan_plain_nocrash
```

Stack backtrace according to gdb:

```
#0  0x00007f0c7ad42207 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f0c7ad438f8 in __GI_abort () at abort.c:90
#2  0x00007f0c7ad84d27 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f0c7ae95312 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007f0c7ae239e7 in __GI___fortify_fail (msg=msg@entry=0x7f0c7ae952b8 "buffer overflow detected") at fortify_fail.c:30
#4  0x00007f0c7ae21b62 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007f0c7ae2106b in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#6  0x00007f0c7ad5c6ba in __GI___printf_fp_l (fp=fp@entry=0x7ffc6e3c4670, loc=<optimized out>, info=info@entry=0x7ffc6e3c41e0, args=args@entry=0x7ffc6e3c41c0) at printf_fp.c:1235
#7  0x00007f0c7ad5c799 in ___printf_fp (fp=fp@entry=0x7ffc6e3c4670, info=info@entry=0x7ffc6e3c41e0, args=args@entry=0x7ffc6e3c41c0) at printf_fp.c:1256
#8  0x00007f0c7ad59357 in _IO_vfprintf_internal (s=s@entry=0x7ffc6e3c4670, format=<optimized out>, format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", ap=ap@entry=0x7ffc6e3c47a8) at vfprintf.c:1634
#9  0x00007f0c7ae210f8 in ___vsprintf_chk (s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d 0.00\003c\001", flags=1, slen=50, format=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", args=args@entry=0x7ffc6e3c47a8) at vsprintf_chk.c:83
#10 0x00007f0c7ae2104d in ___sprintf_chk (s=s@entry=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d 0.00\003c\001", flags=flags@entry=1, slen=slen@entry=50, format=format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs") at sprintf_chk.c:32
#11 0x0000000000408e1b in sprintf (__fmt=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", __s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d 0.00\003c\001") at /usr/include/bits/stdio2.h:33
#12 ProcessGpsInfo (DirStart=<optimized out>, OffsetBase=OffsetBase@entry=0x1630308 "II*", ExifLength=ExifLength@entry=2135) at gpsinfo.c:151
#13 0x0000000000406fb5 in ProcessExifDir (DirStart=0x1630318 "E", OffsetBase=OffsetBase@entry=0x1630308 "II*", ExifLength=ExifLength@entry=2135, NestingLevel=NestingLevel@entry=0) at exif.c:866
#14 0x00000000004071e3 in process_EXIF (ExifSection=ExifSection@entry=0x1630300 "\b_Exif", length=length@entry=2143) at exif.c:1041
#15 0x000000000040465b in ReadJpegSections (infile=infile@entry=0x1630070, ReadMode=ReadMode@entry=READ_METADATA) at jpgfile.c:287
#16 0x00000000004047ed in ReadJpegFile (FileName=FileName@entry=0x7ffc6e3cc8f5 "SBO_gpsinfo.c:150:17_asan_plain_nocrash", ReadMode=READ_METADATA) at jpgfile.c:375
#17 0x0000000000402b5e in ProcessFile (FileName=0x7ffc6e3cc8f5 "SBO_gpsinfo.c:150:17_asan_plain_nocrash") at jhead.c:905
#18 0x00000000004017e4 in main (argc=<optimized out>, argv=0x7ffc6e3cbd58) at jhead.c:1757
```

Expected results:
Not applicable

Additional info:
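The gdb frames #9 to #12 pin the defect down: `ProcessGpsInfo` calls `sprintf` with the format `"%9.6fd %9.6fm %9.6fs"` into a 50-byte stack buffer (`slen=50`), and the degree value already formatted when FORTIFY_SOURCE aborted has a 35-digit integer part. `%9.6f` is a minimum field width, not a maximum, so one such field alone exceeds 40 characters. The C program below is an added example, not jhead's code and not the Debian patch; it takes only the buffer size and the format string from the report. It measures how long the unbounded `sprintf` output would be (with a size-zero `snprintf`, so nothing is ever overrun) and shows a hardened formatting routine that validates the sexagesimal range and bounds the write. The function names, the range limits and the sample values are assumptions made for the example.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

/* Added example, not jhead code. The 50-byte destination and the format
 * string are taken from frames #9-#12 of the gdb backtrace in this report;
 * the function names and the range check below are assumptions. */
#define GPS_TEXT_LEN 50
#define GPS_FMT "%9.6fd %9.6fm %9.6fs"

/* Length that sprintf(buf, GPS_FMT, d, m, s) would produce, computed with a
 * size-zero snprintf so nothing is written. "%9.6f" is a *minimum* width:
 * small values are padded to 9 characters, large ones are never cut. */
size_t gps_text_len_unbounded(double d, double m, double s)
{
    int n = snprintf(NULL, 0, GPS_FMT, d, m, s);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the unbounded sprintf would overrun a GPS_TEXT_LEN buffer
 * (formatted length plus the terminating NUL exceeds the buffer). */
int gps_would_overflow(double d, double m, double s)
{
    return gps_text_len_unbounded(d, m, s) + 1 > GPS_TEXT_LEN;
}

/* Hardened formatting: validate first, bound the write, and treat
 * truncation as an error. Degrees/minutes/seconds decoded from an untrusted
 * EXIF GPS IFD can be any double, including the 35-digit value in the
 * report, so the range check (an assumed policy) keeps the output short and
 * the snprintf bound is the backstop if that check is ever wrong. */
int format_gps_coord_safe(char out[GPS_TEXT_LEN], double d, double m, double s)
{
    if (!isfinite(d) || !isfinite(m) || !isfinite(s))
        return -1;
    if (d < 0.0 || d > 180.0 || m < 0.0 || m >= 60.0 || s < 0.0 || s >= 60.0)
        return -1;
    int n = snprintf(out, GPS_TEXT_LEN, GPS_FMT, d, m, s);
    if (n < 0 || n >= GPS_TEXT_LEN) {
        out[0] = '\0';   /* truncated: never hand back a partial string */
        return -1;
    }
    return n;
}

/* Convenience wrapper: formatted text, or NULL when the input is rejected. */
const char *gps_coord_text(double d, double m, double s)
{
    static char text[GPS_TEXT_LEN];
    return format_gps_coord_safe(text, d, m, s) < 0 ? NULL : text;
}

int main(void)
{
    /* Constructed inputs: a plausible coordinate and the kind of absurd
     * degree value a hostile EXIF rational can decode to. */
    double sane[3] = {48.0, 51.0, 29.5};
    double huge[3] = {1e34, 0.0, 0.0};

    printf("sane: %zu bytes, overflow=%d, text=\"%s\"\n",
           gps_text_len_unbounded(sane[0], sane[1], sane[2]),
           gps_would_overflow(sane[0], sane[1], sane[2]),
           gps_coord_text(sane[0], sane[1], sane[2]));
    printf("huge: %zu bytes, overflow=%d, text=%s\n",
           gps_text_len_unbounded(huge[0], huge[1], huge[2]),
           gps_would_overflow(huge[0], huge[1], huge[2]),
           gps_coord_text(huge[0], huge[1], huge[2]) ? "formatted" : "rejected");
    return 0;
}
```

The sane coordinate formats to exactly 32 bytes, which is why the 50-byte buffer looked adequate; the huge value needs more than 60 bytes before the second field is even reached. Checking the `snprintf` return value matters as much as the bound itself: a silently truncated coordinate is wrong output, and downstream code that assumes the three fields are present would misparse it.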