game-music-emu: CVE-2017-17446: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail


Debian Bug report logs - #883691


Reported by: Markus Koschany <apo@debian.org>

Date: Mon, 4 Dec 2017 19:15:01 UTC

Severity: important

Tags: security, upstream

Found in version game-music-emu/0.6.1-1

Fixed in version game-music-emu/0.6.2-1

Done: Sebastian Dröge <slomo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size




Report forwarded to debian-bugs-dist@lists.debian.org, apo@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 19:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to apo@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 19:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 04 Dec 2017 20:13:38 +0100
[Message part 1 (text/plain, inline)]
Package: src:libextractor
Version: 1:1.6-1
Severity: important
Tags: security

Hi,

while I was working on the security update for Wheezy I discovered
that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
and CVE-2017-15602. I could reproduce two segmentation faults with the
provided POCs. They are attached to the upstream bug report:

http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html

Just run "extract -i $POC"

I'm attaching my gdb log files to this bug report.

Regards,

Markus


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
[CVE-2017-15600_gdb.txt (text/plain, attachment)]
[CVE-2017-15602_gdb.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 19:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 19:30:04 GMT) (full text, mbox, link).


Message #10 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 883528@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 20:27:13 +0100
Hi Markus,

On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> Package: src:libextractor
> Version: 1:1.6-1
> Severity: important
> Tags: security
> 
> Hi,
> 
> while I was working on the security update for Wheezy I discovered
> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> and CVE-2017-15602. I could reproduce two segmentation faults with the
> provided POCs. They are attached to the upstream bug report:
> 
> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
> 
> Just run "extract -i $POC"
> 
> I'm attaching my gdb log files to this bug report.

Since the issues happen in different places from the original reports,
can you request two new CVEs for those issues?

So for tracking purposes these are two new raised issues, different
from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
new ones. Can you as well report it to upstream in case Bertrand
cannot chime in?

In case not let me know, and I can take care of it tomorrow.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 19:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 19:57:05 GMT) (full text, mbox, link).


Message #15 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883528@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 20:53:01 +0100
Hi

On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> > Package: src:libextractor
> > Version: 1:1.6-1
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > while I was working on the security update for Wheezy I discovered
> > that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> > and CVE-2017-15602. I could reproduce two segmentation faults with the
> > provided POCs. They are attached to the upstream bug report:
> > 
> > http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> > http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
> > 
> > Just run "extract -i $POC"
> > 
> > I'm attaching my gdb log files to this bug report.
> 
> Since the issues happen in different places from the original reports,
> can you request two new CVEs for those issues?
> 
> So for tracking purposes these are two new raised issues, different
> from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
> new ones. Can you as well report it to upstream in case Bertrand
> cannot chime in?
> 
> In case not let me know, and I can take care of it tomorrow.

Interestingly the issues you describe do not seem triggerable with a
fresh build of 1.6 in sid (with --enable-shared=no,
--enable-static=yes with -O0).

sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
Keywords for file /root/1338044:
sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
Keywords for file /root/bin_6iRW3tXve.bin:
sid:~/libextractor-1.6#

and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).

It is though with the Debian package (re)build. What is different?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 20:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 20:09:05 GMT) (full text, mbox, link).


Message #20 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883528@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 21:05:46 +0100
And additionally the results from an ASAN build:

For the one related to the CVE-2017-15000 reproducer:

root@sid:~# extract -i extract-nsf_extract_method-nsf_extractor-164.crash
Keywords for file extract-nsf_extract_method-nsf_extractor-164.crash:
xm_extractor.c:80:7: runtime error: null pointer passed as argument 1, which is declared to never be null
ASAN:DEADLYSIGNAL
=================================================================
==22442==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f916bdf6d06 bp 0x7ffd356d46c0 sp 0x7ffd356d4520 T0)
==22442==The signal is caused by a READ memory access.
==22442==Hint: address points to the zero page.
    #0 0x7f916bdf6d05 in EXTRACTOR_xm_extract_method (/usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so+0x1d05)
    #1 0x7f917a6d709c  (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x3209c)
    #2 0x7f917a6d85d3 in EXTRACTOR_extract (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x335d3)
    #3 0x403892  (/usr/bin/extract+0x403892)
    #4 0x7f91793fa560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #5 0x404ce9  (/usr/bin/extract+0x404ce9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so+0x1d05) in EXTRACTOR_xm_extract_method
==22442==ABORTING
root@sid:~#

for the one related to the CVE-2017-15602 reproducer:

root@sid:~# extract -i bin_6iRW3tXve.bin 
Keywords for file bin_6iRW3tXve.bin:
=================================================================
==22470==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7fb94e64279b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
    #1 0x7fb93ba7be6c  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8e6c)
    #2 0x7fb93ba7bc89  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8c89)
    #3 0x7fb93ba9f231  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c231)
    #4 0x7fb93ba9f5f2  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c5f2)
    #5 0x7fb93ba7f94d  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xc94d)
    #6 0x7fb93ba7eb7b in gme_load_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbb7b)
    #7 0x7fb93ba7ec33 in gme_open_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbc33)
    #8 0x7fb93f2be581  (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0xbc581)
    #9 0x7fb93f3ad16f in avformat_open_input (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0x1ab16f)
    #10 0x7fb93f8ece71 in EXTRACTOR_previewopus_extract_method (/usr/lib/x86_64-linux-gnu/libextractor/libextractor_previewopus.so+0x4e71)
    #11 0x7fb94e39b09c  (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x3209c)
    #12 0x7fb94e39c5d3 in EXTRACTOR_extract (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x335d3)
    #13 0x403892  (/usr/bin/extract+0x403892)
    #14 0x7fb94d0be560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #15 0x404ce9  (/usr/bin/extract+0x404ce9)

0x61600000789e is located 30 bytes inside of 482-byte region [0x616000007880,0x616000007a62)
allocated by thread T0 here:
    #0 0x7fb94e6a6758 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
    #1 0x7fb93f68c782 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31782)

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b) 
==22470==ABORTING
root@sid:~#

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 21:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 21:00:05 GMT) (full text, mbox, link).


Message #25 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 883528@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 21:56:27 +0100
[Message part 1 (text/plain, inline)]
Am 04.12.2017 um 20:53 schrieb Salvatore Bonaccorso:
> Hi
> 
> On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
>> Hi Markus,
>>
>> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
>>> Package: src:libextractor
>>> Version: 1:1.6-1
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>>
>>> while I was working on the security update for Wheezy I discovered
>>> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
>>> and CVE-2017-15602. I could reproduce two segmentation faults with the
>>> provided POCs. They are attached to the upstream bug report:
>>>
>>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
>>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
>>>
>>> Just run "extract -i $POC"
>>>
>>> I'm attaching my gdb log files to this bug report.
>>
>> Since the issues happen in different places from the original reports,
>> can you request two new CVEs for those issues?
>>
>> So for tracking purposes these are two new raised issues, different
>> from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
>> new ones. Can you as well report it to upstream in case Bertrand
>> cannot chime in?
>>
>> In case not let me know, and I can take care of it tomorrow.
> 
> Interestingly the issues you describe do not seem triggerable with a
> fresh build of 1.6 in sid (with --enable-shared=no,
> --enable-static=yes with -O0).
> 
> sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
> Keywords for file /root/1338044:
> sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
> Keywords for file /root/bin_6iRW3tXve.bin:
> sid:~/libextractor-1.6#
> 
> and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).
> 
> It is though with the Debian package (re)build. What is different?

I can still reproduce it when I rebuild the package. If you disable
optimization with -O0 some compiler behaviors will change. I don't know
the details but what is undefined behavior with -O2 is somehow OK with
-O0. I just wanted to forward this upstream but if you say that it is
not reproducible with upstream HEAD, it's probably pointless.

Maybe we should wait for the next release which will also fix
CVE-2017-15922 or Bertrand could package the latest Git snapshot? Shall
I remove the fixed versions for both CVE in the security tracker?

Regards,

Markus


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 21:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 21:21:03 GMT) (full text, mbox, link).


Message #30 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 883528@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 22:17:09 +0100
Hi Markus,

On Mon, Dec 04, 2017 at 09:56:27PM +0100, Markus Koschany wrote:
> Am 04.12.2017 um 20:53 schrieb Salvatore Bonaccorso:
> > Hi
> > 
> > On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
> >> Hi Markus,
> >>
> >> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> >>> Package: src:libextractor
> >>> Version: 1:1.6-1
> >>> Severity: important
> >>> Tags: security
> >>>
> >>> Hi,
> >>>
> >>> while I was working on the security update for Wheezy I discovered
> >>> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> >>> and CVE-2017-15602. I could reproduce two segmentation faults with the
> >>> provided POCs. They are attached to the upstream bug report:
> >>>
> >>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> >>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
> >>>
> >>> Just run "extract -i $POC"
> >>>
> >>> I'm attaching my gdb log files to this bug report.
> >>
> >> Since the issues happen in different places from the original reports,
> >> can you request two new CVEs for those issues?
> >>
> >> So for tracking purposes these are two new raised issues, different
> >> from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
> >> new ones. Can you as well report it to upstream in case Bertrand
> >> cannot chime in?
> >>
> >> In case not let me know, and I can take care of it tomorrow.
> > 
> > Interestingly the issues you describe do not seem triggerable with a
> > fresh build of 1.6 in sid (with --enable-shared=no,
> > --enable-static=yes with -O0).
> > 
> > sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
> > Keywords for file /root/1338044:
> > sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
> > Keywords for file /root/bin_6iRW3tXve.bin:
> > sid:~/libextractor-1.6#
> > 
> > and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).
> > 
> > It is though with the Debian package (re)build. What is different?
> 
> I can still reproduce it when I rebuild the package. If you disable
> optimization with -O0 some compiler behaviors will change. I don't know
> the details but what is undefined behavior with -O2 is somehow OK with
> -O0. I just wanted to forward this upstream but if you say that it is
> not reproducible with upstream HEAD, it's probably pointless.

Well, need to further properly investigate that. It was just a quick
ASAN build of the current head. From my reply in
https://bugs.debian.org/883528#20 it might actually be that the second
issue is not an upstream one but. Please note that I mistyped the
CVEs.

> Maybe we should wait for the next release which will also fix
> CVE-2017-15922 or Bertrand could package the latest Git snapshot?

Yes, for CVE-2017-15922 either works, cherry-pick the commit, wait for
the new upstream release or package the latest git snapshot.

> Shall
> I remove the fixed versions for both CVE in the security tracker?

Please do not. The first issue is actually a different one (happening
with the same reproducer for CVE-2017-15600, but in a different place),
unless I'm completely mistaken. So CVE-2017-15600 should be kept
associated with the 38e8933539ee9d044057b18a971c2eae3c21aba7 commit
and track your finding as separate issue.

For the issue reproduced with the CVE-2017-15602-reproducing file,
after being fixed with ffab889c1710c7646af9ed360c796a2a0a619efc
triggers a new issue, which is possibly in libgme or
libavformat.so/ffmpeg. So still not sure if the uncovered issue is in
src:libextractor.

See the ASAN traces from https://bugs.debian.org/883528#20

Thanks for your work on the libextractor update and triaging.

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Wed, 06 Dec 2017 14:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Wed, 06 Dec 2017 14:57:05 GMT) (full text, mbox, link).


Message #35 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883528@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Wed, 6 Dec 2017 15:52:57 +0100
[Message part 1 (text/plain, inline)]
Control: clone -1 -2
Control: retitle -1 libextractor: various null pointer dereferences in GIF, IT, NSFE, S3M, SID and XM plugins
Control: tags -1 + upstream fixed-upstream
Control: retitle -2 libextractor: extractor segfault (AddressSanitizer: negative-size-param: (size=-8)), issue in game-music-emu?

Hello Markus

So here are the results

The first issue is fixed in HEAD already, different from
CVE-2017-15600 and the fixing commit is

https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e

The issue this time lies in EXTRACTOR_xm_extract_method with the reproducer
file, but the commit fixes several similar issues in other plugins.

# ./src/main/extract -i ~/poc-1.crash
Keywords for file /root/poc-1.crash:
ASAN:DEADLYSIGNAL
=================================================================
==31921==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f91b5d1c761 bp 0x7ffca14b9fb0 sp 0x7ffca14b9708 T0)
==31921==The signal is caused by a READ memory access.
==31921==Hint: address points to the zero page.
    #0 0x7f91b5d1c760  (/lib/x86_64-linux-gnu/libc.so.6+0x14b760)
    #1 0x7f91b645865b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xab65b)
    #2 0x7f91a8da2d80 in EXTRACTOR_xm_extract_method /root/libextractor/src/plugins/xm_extractor.c:80
    #3 0x7f91b61983e7 in do_extract /root/libextractor/src/main/extractor.c:583
    #4 0x7f91b6198824 in EXTRACTOR_extract /root/libextractor/src/main/extractor.c:662
    #5 0x55edee351d69 in main /root/libextractor/src/main/extract.c:983
    #6 0x7f91b5bf1560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #7 0x55edee34ebe9 in _start (/root/libextractor/src/main/.libs/extract+0x3be9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x14b760)
==31921==ABORTING

here is the bisect log:

# broken: [bc2a59d25b35b0e88dab8895cf70b4d18d2844fc] release v1.6
git bisect broken bc2a59d25b35b0e88dab8895cf70b4d18d2844fc
# fixed: [6c70420641fc1d081bcecf323671ca169b13a129] fix misc NULL pointer exceptions
git bisect fixed 6c70420641fc1d081bcecf323671ca169b13a129
# broken: [d4d488b0e5ab13dda241d688d87a07816368f117] detect integer overflow in DVI extractor
git bisect broken d4d488b0e5ab13dda241d688d87a07816368f117
# fixed: [7cc63b001ceaf81143795321379c835486d0c92e] fix misc NULL pointer exceptions
git bisect fixed 7cc63b001ceaf81143795321379c835486d0c92e
# first fixed commit: [7cc63b001ceaf81143795321379c835486d0c92e] fix misc NULL pointer exceptions

The commit fixes several NULL pointer issues in plugins, one of those
is the XM plugin causing the issue. MITRE might want to assign here
individual CVEs or only one for the whole commit. I will ask.

But there are basically the reported ones in

https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00004.html
https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00002.html
https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00001.html
https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00000.html

and as well reported as fixed in

https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00005.html

The second issue is still present in master
(6c70420641fc1d081bcecf323671ca169b13a129) but I'm again not sure this is
actually an issue in libextractor. This might need to be clarified with
upstream, who have more insights. Issue in game-music-emu? The ASAN trace:

# ./src/main/extract -i ~/poc-2.crash
Keywords for file /root/poc-2.crash:
=================================================================
==10520==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7f658a1e879b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
    #1 0x7f6578af2e6c  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8e6c)
    #2 0x7f6578af2c89  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8c89)
    #3 0x7f6578b16231  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c231)
    #4 0x7f6578b165f2  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c5f2)
    #5 0x7f6578af694d  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xc94d)
    #6 0x7f6578af5b7b in gme_load_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbb7b)
    #7 0x7f6578af5c33 in gme_open_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbc33)
    #8 0x7f657c335581  (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0xbc581)
    #9 0x7f657c42416f in avformat_open_input (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0x1ab16f)
    #10 0x7f657c963420 in extract_audio /root/libextractor/src/plugins/previewopus_extractor.c:893
    #11 0x7f657c964441 in EXTRACTOR_previewopus_extract_method /root/libextractor/src/plugins/previewopus_extractor.c:1159
    #12 0x7f6589f5d3e7 in do_extract /root/libextractor/src/main/extractor.c:583
    #13 0x7f6589f5d824 in EXTRACTOR_extract /root/libextractor/src/main/extractor.c:662
    #14 0x55c628ff7d69 in main /root/libextractor/src/main/extract.c:983
    #15 0x7f65899b6560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #16 0x55c628ff4be9 in _start (/root/libextractor/src/main/.libs/extract+0x3be9)

0x616000007b9e is located 30 bytes inside of 482-byte region [0x616000007b80,0x616000007d62)
allocated by thread T0 here:
    #0 0x7f658a24c758 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
    #1 0x7f657c703782 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31782)

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
==10520==ABORTING

When building you need to specify --with-plugindirname, if not installed,
otherwise the plugins cannot be loaded when running the test.

Attaching the two reproducing files.

Regards,
Salvatore
[poc-1.crash (application/octet-stream, attachment)]
[poc-2.crash (application/octet-stream, attachment)]

Bug 883528 cloned as bug 883691 Request was from Salvatore Bonaccorso <carnil@debian.org> to 883528-submit@bugs.debian.org. (Wed, 06 Dec 2017 14:57:05 GMT) (full text, mbox, link).


Changed Bug title to 'libextractor: extractor segfault (AddressSanitizer: negative-size-param: (size=-8)), issue in game-music-emu?' from 'libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 883528-submit@bugs.debian.org. (Wed, 06 Dec 2017 14:57:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883691; Package src:libextractor. (Wed, 06 Dec 2017 16:54:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Wed, 06 Dec 2017 16:54:06 GMT) (full text, mbox, link).


Message #44 received at 883691@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883691@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>, game-music-emu@packages.debian.org, Sebastian Dröge <slomo@debian.org>
Subject: Bug#883691: game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail
Date: Wed, 6 Dec 2017 17:50:46 +0100
Control: reassign 883691 src:game-music-emu 0.6.1-1
Control: retitle 883691 game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail

Hi

More details:

[...]
Keywords for file /root/poc-2.crash:
[New Thread 0x7ffff09aa700 (LWP 14879)]
[Thread 0x7ffff09aa700 (LWP 14879) exited]
=================================================================
==14875==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7ffff6e9d79b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
    #1 0x7fffe532c60f  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x26960f)
    #2 0x7fffe5328ed3  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x265ed3)
    #3 0x7fffe547c6d1  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x3b96d1)
    #4 0x7fffe547fcc9  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x3bccc9)
    #5 0x7fffe534ec3d  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x28bc3d)
    #6 0x7fffe5346aa7 in gme_load_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x283aa7)
    #7 0x7fffe5346fd6 in gme_open_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x283fd6)
    #8 0x7fffe8fea581  (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0xbc581)
    #9 0x7fffe90d916f in avformat_open_input (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0x1ab16f)
    #10 0x7fffe9618420 in extract_audio /root/libextractor/src/plugins/previewopus_extractor.c:893
    #11 0x7fffe9619441 in EXTRACTOR_previewopus_extract_method /root/libextractor/src/plugins/previewopus_extractor.c:1159
    #12 0x7ffff6c123e7 in do_extract /root/libextractor/src/main/extractor.c:583
    #13 0x7ffff6c12824 in EXTRACTOR_extract /root/libextractor/src/main/extractor.c:662
    #14 0x55555555ad69 in main /root/libextractor/src/main/extract.c:983
    #15 0x7ffff666b560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #16 0x555555557be9 in _start (/root/libextractor/src/main/.libs/extract+0x3be9)

0x616000007b9e is located 30 bytes inside of 482-byte region [0x616000007b80,0x616000007d62)
allocated by thread T0 here:
    #0 0x7ffff6f01758 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
    #1 0x7fffe93b8782 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31782)

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
==14875==ABORTING

Thread 1 "extract" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff667ea70 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff668019a in __GI_abort () at abort.c:89
#2  0x00007ffff6f2065b in  () at /usr/lib/x86_64-linux-gnu/libasan.so.4
#3  0x00007ffff6f27df8 in  () at /usr/lib/x86_64-linux-gnu/libasan.so.4
#4  0x00007ffff6f09f71 in  () at /usr/lib/x86_64-linux-gnu/libasan.so.4
#5  0x00007ffff6e9d7da in  () at /usr/lib/x86_64-linux-gnu/libasan.so.4
#6  0x00007fffe532c610 in Mem_File_Reader::read_avail(void*, long) (this=0x7fffffffa070, p=0x6290000311b8, s=-8) at ./gme/Data_Reader.cpp:146
#7  0x00007fffe5328ed4 in Data_Reader::read(void*, long) (this=0x7fffffffa070, p=0x6290000311b8, s=-8) at ./gme/Data_Reader.cpp:27
#8  0x00007fffe547c6d2 in Nsfe_Info::load(Data_Reader&, Nsf_Emu*) (this=this@entry=0x629000031148, in=..., nsf_emu=nsf_emu@entry=0x62900002d200) at ./gme/Nsfe_Emu.cpp:167
#9  0x00007fffe547fcca in Nsfe_Emu::load_(Data_Reader&) (this=0x62900002d200, in=...)
    at ./gme/Nsfe_Emu.cpp:311
#10 0x00007fffe534ec3e in Gme_File::load(Data_Reader&) (this=0x62900002d200, in=...)
    at ./gme/Gme_File.cpp:96
#11 0x00007fffe5346aa8 in gme_load_data(Music_Emu*, void const*, long) (me=me@entry=0x62900002d200, data=data@entry=0x616000007b80, size=size@entry=482) at ./gme/gme.cpp:228
#12 0x00007fffe5346fd7 in gme_open_data(void const*, long, Music_Emu**, int) (data=0x616000007b80, size=size@entry=482, out=out@entry=0x607000002d28, sample_rate=<optimized out>)
    at ./gme/gme.cpp:143
#13 0x00007fffe8fea582 in read_header_gme (s=0x61b000000e80) at src/libavformat/libgme.c:109
#14 0x00007fffe90d9170 in avformat_open_input (ps=0x7fffffffa330, filename=0x7fffe9619880 "<no file>", fmt=<optimized out>, options=0x7fffffffa3b0) at src/libavformat/utils.c:595
#15 0x00007fffe9618421 in extract_audio (ec=0x7fffffffa6d0) at previewopus_extractor.c:893
#16 0x00007fffe9619442 in EXTRACTOR_previewopus_extract_method (ec=0x7fffffffa6d0)
    at previewopus_extractor.c:1159
#17 0x00007ffff6c123e8 in do_extract (plugins=0x6080000010a0, shm=0x0, ds=0x6030000003a0, proc=0x555555558a19 <print_selected_keywords>, proc_cls=0x0) at extractor.c:583
#18 0x00007ffff6c12825 in EXTRACTOR_extract (plugins=0x6080000010a0, filename=0x60800000016d "/root/poc-2.crash", data=0x0, size=0, proc=0x555555558a19 <print_selected_keywords>, proc_cls=0x0)
    at extractor.c:662
#19 0x000055555555ad6a in main (argc=3, argv=0x7fffffffeb38) at extract.c:983
(gdb)

So the issue seems to be located in game-music-emu. Sebastian, can you have a look?

Regards,
Salvatore
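The backtrace above shows a chunk length of -8 travelling unchecked from Nsfe_Info::load through Data_Reader::read into Mem_File_Reader::read_avail, where it reaches memcpy(). The following is an added example, not game-music-emu's own code: a minimal in-memory reader with the validation a defender would expect at each layer (reject negative lengths, clamp to the bytes actually buffered, and reject a size field that would go negative when stored in a signed integer). The names Mem_Reader, read_avail, read_exact and count_chunks, and the "size, tag, payload" chunk layout, are assumptions for illustration; the sample buffers are constructed.

```cpp
// Added example (not game-music-emu's code): an in-memory reader that
// validates every length before it is handed to memcpy(), so a size field
// taken from an untrusted file can never arrive as a negative or oversized
// value. Names and chunk layout are assumed for illustration.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <cstddef>
#include <vector>

// Hypothetical simplified counterpart of Mem_File_Reader.
struct Mem_Reader {
    const uint8_t* begin;
    size_t size;
    size_t pos;
};

// Copies up to n bytes and returns the number actually copied.
// A negative n is an error (-1) rather than being cast to a huge size_t.
long read_avail(Mem_Reader& r, void* out, long n) {
    if (n < 0) return -1;                       // the condition in the report: size=-8
    size_t remain = r.size - r.pos;
    size_t want = static_cast<size_t>(n);
    if (want > remain) want = remain;           // clamp to what is really buffered
    if (want > 0) std::memcpy(out, r.begin + r.pos, want);
    r.pos += want;
    return static_cast<long>(want);
}

// Strict all-or-nothing read: fails instead of partially filling `out`.
bool read_exact(Mem_Reader& r, void* out, long n) {
    if (n < 0) return false;
    if (static_cast<size_t>(n) > r.size - r.pos) return false;   // would run past the end
    return read_avail(r, out, n) == n;
}

// Walks a sequence of (4-byte little-endian size, 4-byte tag, payload) chunks
// (constructed layout, assumed here to resemble an NSFE-style container).
// Returns the number of well-formed chunks, or -1 on the first invalid size.
int count_chunks(const uint8_t* data, size_t len) {
    Mem_Reader r{data, len, 0};
    int chunks = 0;
    while (r.pos < r.size) {
        uint8_t hdr[8];
        if (!read_exact(r, hdr, 8)) return -1;   // truncated header
        // Decode the size as unsigned first: 0xFFFFFFF8 stored into a signed
        // 32-bit int would become -8 and, unchecked, reach memcpy() that way.
        uint32_t raw = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                       ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
        if (raw > INT32_MAX) return -1;          // would be negative as a signed length
        long chunk_size = (long)raw;
        if ((size_t)chunk_size > r.size - r.pos) return -1;   // payload exceeds remaining data
        // Allocation is bounded by the remaining input, so no oversized buffer.
        std::vector<uint8_t> payload(chunk_size);
        if (chunk_size > 0 && !read_exact(r, payload.data(), chunk_size)) return -1;
        ++chunks;
    }
    return chunks;
}

int main() {
    // Constructed sample: one 3-byte chunk followed by an empty chunk.
    const uint8_t sample[] = {3,0,0,0,'A','B','C','D','x','y','z',
                              0,0,0,0,'E','F','G','H'};
    std::printf("chunks: %d\n", count_chunks(sample, sizeof sample));
    // Constructed sample with a size field that would read as -8 if signed.
    const uint8_t bad[] = {0xF8,0xFF,0xFF,0xFF,'A','B','C','D'};
    std::printf("bad input -> %d\n", count_chunks(bad, sizeof bad));
    return 0;
}
```

The point of the two layers is that read_avail() alone cannot know what the caller intended; rejecting the sign at the reader is the last line of defence, while the parser validating the size field against the remaining input is what actually keeps malformed files from reaching memcpy() at all.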



Bug reassigned from package 'src:libextractor' to 'src:game-music-emu'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 883691-submit@bugs.debian.org. (Wed, 06 Dec 2017 16:54:06 GMT)


No longer marked as found in versions libextractor/1:1.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 883691-submit@bugs.debian.org. (Wed, 06 Dec 2017 16:54:07 GMT)


Marked as found in versions game-music-emu/0.6.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 883691-submit@bugs.debian.org. (Wed, 06 Dec 2017 16:54:07 GMT)


Changed Bug title to 'game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail' from 'libextractor: extractor segfault (AddressSanitizer: negative-size-param: (size=-8)), issue in game-music-emu?'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 883691-submit@bugs.debian.org. (Wed, 06 Dec 2017 16:54:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#883691; Package src:game-music-emu. (Wed, 06 Dec 2017 17:15:05 GMT)


Acknowledgement sent to Sebastian Dröge <slomo@debian.org>:
Extra info received and forwarded to list. (Wed, 06 Dec 2017 17:15:05 GMT)


Message #57 received at 883691@bugs.debian.org:

From: Sebastian Dröge <slomo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 883691@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>, game-music-emu@packages.debian.org
Subject: Re: Bug#883691: game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail
Date: Wed, 06 Dec 2017 19:07:23 +0200
forwarded 883691 https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size
thanks


Hi Salvatore,

On Wed, 2017-12-06 at 17:50 +0100, Salvatore Bonaccorso wrote:
> [...]
> 
> So the issue seems to be located in game-music-emu. Sebastian, can you have a
> look?

I've forwarded this upstream now, thanks for reporting!

See: https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size

The crash can also be reproduced by running "ffplay" on the file.

Set Bug forwarded-to-address to 'https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size'. Request was from Sebastian Dröge <slomo@coaxion.net> to control@bugs.debian.org. (Wed, 06 Dec 2017 17:33:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Dröge <slomo@debian.org>:
Bug#883691; Package src:game-music-emu. (Wed, 06 Dec 2017 19:36:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sebastian Dröge <slomo@debian.org>. (Wed, 06 Dec 2017 19:36:06 GMT)


Message #64 received at 883691@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sebastian Dröge <slomo@debian.org>, 883691@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>, game-music-emu@packages.debian.org
Subject: Re: Bug#883691: game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail
Date: Wed, 6 Dec 2017 20:32:58 +0100
Control: retitle 883691 game-music-emu: CVE-2017-17446: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail

Hello Sebastian,

> I've forwarded this upstream now, thanks for reporting!
> 
> See: https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size
> 
> The crash can also be reproduced by running "ffplay" on the file.

Thank you. 

MITRE has assigned CVE-2017-17446 for this issue.

I do not think we need a DSA for this issue, but could be fixed via a
point release.

Regards,
Salvatore



Changed Bug title to 'game-music-emu: CVE-2017-17446: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail' from 'game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 883691-submit@bugs.debian.org. (Wed, 06 Dec 2017 19:36:06 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 06 Dec 2017 19:42:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#883691; Package src:game-music-emu. (Thu, 07 Dec 2017 08:21:12 GMT)


Acknowledgement sent to Sebastian Dröge <slomo@debian.org>:
Extra info received and forwarded to list. (Thu, 07 Dec 2017 08:21:12 GMT)


Message #73 received at 883691@bugs.debian.org:

From: Sebastian Dröge <slomo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 883691@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>, game-music-emu@packages.debian.org
Subject: Re: Bug#883691: game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail
Date: Thu, 07 Dec 2017 10:16:44 +0200
Hi Salvatore,

On Wed, 2017-12-06 at 20:32 +0100, Salvatore Bonaccorso wrote:
> 
> Thank you. 
> 
> MITRE has assigned CVE-2017-17446 for this issue.
> 
> I do not think we need a DSA for this issue, but could be fixed via a
> point release.

Upstream did a new release with a fix for this very crash, and also
added some more checks for preventing similar bugs to the code. I'm
uploading that to unstable now.

This release only really contains the fix, nothing else, and if that's
all fine with you it could also go into the next stable point release.

Reply sent to Sebastian Dröge <slomo@debian.org>:
You have taken responsibility. (Thu, 07 Dec 2017 08:54:09 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Thu, 07 Dec 2017 08:54:09 GMT)


Message #78 received at 883691-close@bugs.debian.org:

From: Sebastian Dröge <slomo@debian.org>
To: 883691-close@bugs.debian.org
Subject: Bug#883691: fixed in game-music-emu 0.6.2-1
Date: Thu, 07 Dec 2017 08:50:12 +0000
Source: game-music-emu
Source-Version: 0.6.2-1

We believe that the bug you reported is fixed in the latest version of
game-music-emu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883691@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated game-music-emu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Dec 2017 10:03:19 +0200
Source: game-music-emu
Binary: libgme0 libgme-dev
Architecture: source amd64
Version: 0.6.2-1
Distribution: unstable
Urgency: high
Maintainer: Sebastian Dröge <slomo@debian.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description:
 libgme-dev - Playback library for video game music files - development files
 libgme0    - Playback library for video game music files - shared library
Closes: 883691
Changes:
 game-music-emu (0.6.2-1) unstable; urgency=high
 .
   * New upstream bugfix release
     + Fixes usage of negative size parameter passed to memcpy() on
       specially crafted files (Closes: #883691, CVE-2017-17446).
Checksums-Sha1:
 3906fa8bb3f4ab5a1ff2e5db02bce0afe8dbaedc 2006 game-music-emu_0.6.2-1.dsc
 9047b774bd5623adae6f5412d02d70cf72070d8f 163052 game-music-emu_0.6.2.orig.tar.xz
 64895464ccd872ceb9404f2c041942f04a403afd 4412 game-music-emu_0.6.2-1.debian.tar.xz
 4196a540b5081d6a60756174c70164e2be6dac6c 7034 game-music-emu_0.6.2-1_amd64.buildinfo
 64b182e774e6a7fe744b73ba0ce91dc13f523aee 7200 libgme-dev_0.6.2-1_amd64.deb
 16f0749861d91fa43756de8ec2fae61b5d928d03 523196 libgme0-dbgsym_0.6.2-1_amd64.deb
 e971f8c600f760b51f71419b4df186ec52162181 121372 libgme0_0.6.2-1_amd64.deb
Checksums-Sha256:
 8359c17b8c7d7887b3d44a5ac4958e5456afbf816ba29e6713c1e4212dbe63eb 2006 game-music-emu_0.6.2-1.dsc
 5046cb471d422dbe948b5f5dd4e5552aaef52a0899c4b2688e5a68a556af7342 163052 game-music-emu_0.6.2.orig.tar.xz
 8ea69035bd72261ec85e5f0486707d448f7491733ae055040a9995cebb0ea820 4412 game-music-emu_0.6.2-1.debian.tar.xz
 7e4c06927bbfd0eb821f99a4a3e81ec8515c5c43cd660354d4eb93e1997c1976 7034 game-music-emu_0.6.2-1_amd64.buildinfo
 553722380afd04ce31062ad1716425cff64ca4ad243a6eb826e8cf3cecb8014c 7200 libgme-dev_0.6.2-1_amd64.deb
 c75eb4f6db08e7cdee0fecfd058e5539f72dd2b229fb0bc0d51b582ef0c3577f 523196 libgme0-dbgsym_0.6.2-1_amd64.deb
 5ca59f1b731b73c06aa9e232ca297e384f2712f691534dd7a539e91788dc3ac0 121372 libgme0_0.6.2-1_amd64.deb
Files:
 f2d3efdea7a915c6a686ca8fbe89f78c 2006 sound optional game-music-emu_0.6.2-1.dsc
 057ddaff2af5f8b4a7c8d11c45e1ea00 163052 sound optional game-music-emu_0.6.2.orig.tar.xz
 b47341322047701f4927cc29a477f1ac 4412 sound optional game-music-emu_0.6.2-1.debian.tar.xz
 fe67ac0197a9f2be5a67b9ea4b3f7f21 7034 sound optional game-music-emu_0.6.2-1_amd64.buildinfo
 2ea435a14c2f68ec355fcc678a598559 7200 libdevel optional libgme-dev_0.6.2-1_amd64.deb
 d8efdefac8a49dd526a690625bb49151 523196 debug optional libgme0-dbgsym_0.6.2-1_amd64.deb
 abc8c91ef0d22d01c64a9bf4eaf23e83 121372 libs optional libgme0_0.6.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEEf0vHzDygb5cza7/rBmjMFIbC17UFAloo+N9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDdG
NEJDN0NDM0NBMDZGOTczMzZCQkZFQjA2NjhDQzE0ODZDMkQ3QjUSHHNsb21vQGNv
YXhpb24ubmV0AAoJEAZozBSGwte1MB4P/AgmkPdKiCR8F2SOYBQduLoubaXtXGRn
xVuv8EJFTduKSgqtH43PubYRJE3y22UDTDOUrtp9NgeB+P5ctnD6Fh5/odLAagoZ
TIcEsw3qdlNqwvqgo6oyFLwsBVbECJTeLGhnv/kAuZW3FPbyDjOhpwvSm27hWAjE
tnPTJp/iBFuaJ3fGsX51El5FksOEsQtMDFuDORETCu1XU9BE+R7DoDD/sj5YO28Q
3pMQUT2ujUSfpnsTAClPQ5ykJwinUxS3iugWO+OY39CZ7aIYc0WS+Xuu4JKRCO09
SLjl4D9Z9D89xanp/wEfXMZ3MweGBYqapaBvWrmIMwcdmK1cXbYrgLVZiN+yS9+5
bwZ+OB+WUBGxV7xTlwD3lTEB6tUroM7bQy/se6cS3WEPqzKBDs2MDXZYERSwJ2g0
Ve/v4UezDjKnMTeKNr6jHvwCyhaoDUPNKQ0F4x/oeMaVDxaspXUY+RjxdpLxovdF
6PBK7+m4GDpTTyi9M2BwNfNAa651aWxN3blNW0Hz1olqd7rpi0VxohQwjFW6TO5W
xBtUDy5x23t9AUzcHaRCktPWfhJzxK2yPEhsRqwXiYj7D0uQrcfYY6HUEAPh6S5/
GotbDEbZLwjNtUbtDDIytoCKC7dfipbjz+ORyAWA9STtq4Sv6zsMcPzoKIbbsl+K
xWENEThY9Ue6
=5zJf
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Dröge <slomo@debian.org>:
Bug#883691; Package src:game-music-emu. (Thu, 07 Dec 2017 10:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sebastian Dröge <slomo@debian.org>. (Thu, 07 Dec 2017 10:03:03 GMT)


Message #83 received at 883691@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sebastian Dröge <slomo@debian.org>, 883691@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883691: game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail
Date: Thu, 7 Dec 2017 11:00:35 +0100
Hi Sebastian,

On Thu, Dec 07, 2017 at 10:16:44AM +0200, Sebastian Dröge wrote:
> Hi Salvatore,
> 
> On Wed, 2017-12-06 at 20:32 +0100, Salvatore Bonaccorso wrote:
> > 
> > Thank you. 
> > 
> > MITRE has assigned CVE-2017-17446 for this issue.
> > 
> > I do not think we need a DSA for this issue, but could be fixed via a
> > point release.
> 
> Upstream did a new release with a fix for this very crash, and also
> added some more checks for preventing similar bugs to the code. I'm
> uploading that to unstable now.
> 
> This release only really contains the fix, nothing else, and if that's
> all fine with you it could also go into the next stable point release.

Thanks for the fix in unstable. For the point releases, yes it would
look ok to me to include as well the additional hardening commit, but
the final decision is obviously to be done by SRM when reviewing your
proposal. I definitely would suggest to SRM to have both commits i.e.

https://bitbucket.org/mpyne/game-music-emu/commits/205290614cdc057541b26adeea05a9d45993f860

and

https://bitbucket.org/mpyne/game-music-emu/commits/4a441e94cba14268bc4e983d4dfd6ed112084d00

regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 06 Jan 2018 07:30:15 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:16:35 2019; Machine Name: buxtehude
