Bug 532658 - LibBPG Multiple Memory Corruption Vulnerabilities (media-libs/libbpg)
Summary: LibBPG Multiple Memory Corruption Vulnerabilities (media-libs/libbpg)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Lars Wendler (Polynomial-C) (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-15 19:12 UTC by j
Modified: 2022-06-29 07:01 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Four repro files (PoC.7z,711.35 KB, application/x-7z-compressed)
2014-12-15 19:12 UTC, j

Description j 2014-12-15 19:12:26 UTC
Created attachment 391784 [details]
Four repro files

As this is a newer project, I had a hard time finding a bug tracker or contacting the primary developer. If this is not the appropriate forum, I would appreciate some guidance on who else to get in contact with in order to get these bugs in LibBPG fixed. Also be aware that the debugging information provided came from testing on a Windows box, although these issues should remain consistent across platforms, including Gentoo.

Tested LibBPG 0.9.2
http://bellard.org/bpg/bpg-0.9.2-win32.zip

Repro Files: repro1.bpg, repro2.bpg, repro3.bpg (also *repro4.bpg)

Product Description
“BPG (Better Portable Graphics) is a new image format. Its purpose is to replace the JPEG image format when quality or file size is an issue”

Vulnerability Description
LibBPG is vulnerable to multiple memory corruption issues when decoding BPG files. Further analysis is required to confirm exploitability, but a basic analysis of the crashes from parsing the repro files:

Both bug #1 and bug #2 look as if something going wrong during a copy operation causes memory on the stack to be corrupted. Bug #3 may be from incorrect pointer arithmetic. For *bug #4, I'm unsure of its severity other than a crash, so I'll leave the risk determination up to the dev/contributor.

Technical Details
Bug #1: repro1.bpg

0:000:x86> r
eax=00003e71 ebx=05360180 ecx=0000000b edx=05363ff1 esi=05228b8d edi=053e1000
eip=00425772 esp=0028fd60 ebp=052311b0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
image00000000_00400000+0x25772:
00425772 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

0:000:x86> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0028fd88 775fb56a 025d2a00 ffffffff 779fce2c image00000000_00400000+0x25772
0028fda8 0041ecb2 775fb5b7 05187bf8 0028fdfc msvcrt!memmove_s+0x186
0028fe58 0042f5c2 0522ff38 051a57a8 00085858 image00000000_00400000+0x1ecb2
0028fe70 77a07eee ffffffff 02bcbed2 00085858 image00000000_00400000+0x2f5c2
00401550 909090c3 90909090 90909090 83c38953 ntdll_779c0000!RtlFreeUnicodeString+0x18
00401554 90909090 90909090 83c38953 80c618ec 0x909090c3
00401558 90909090 83c38953 80c618ec 00000205 0x90909090
0040155c 83c38953 80c618ec 00000205 0480c600 0x90909090
00401560 80c618ec 00000205 0480c600 01000002 0x83c38953
00401564 00000000 0480c600 01000002 0208808b 0x80c618ec

0:000:x86> u eip
image00000000_00400000+0x25772:
00425772 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
00425774 8b6c2414        mov     ebp,dword ptr [esp+14h]
00425778 01c5            add     ebp,eax
0042577a 8d442430        lea     eax,[esp+30h]
0042577e 890424          mov     dword ptr [esp],eax
00425781 e84e8dffff      call    image00000000_00400000+0x1e4d4 (0041e4d4)
00425786 c70424b0004300  mov     dword ptr [esp],offset image00000000_00400000+0x300b0 (004300b0)
0042578d e8fa8fffff      call    image00000000_00400000+0x1e78c (0041e78c)

0:000:x86> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x53e1000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:00425772 rep movs byte ptr es:[edi],byte ptr [esi]

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00000000_00400000+0x0000000000025772 (Hash=0x00000000.0x00000000)


Bug #2: repro2.bpg
0:000:x86> r
eax=05254850 ebx=054eadfe ecx=00000008 edx=059f04e0 esi=054eadfe edi=059f04e0
eip=0042cf85 esp=0028f95c ebp=00000000 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
image00000000_00400000+0x2cf85:
0042cf85 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

0:000:x86> u eip
image00000000_00400000+0x2cf85:
0042cf85 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
0042cf87 45              inc     ebp
0042cf88 03542444        add     edx,dword ptr [esp+44h]
0042cf8c 035c2448        add     ebx,dword ptr [esp+48h]
0042cf90 3b6c2420        cmp     ebp,dword ptr [esp+20h]
0042cf94 7ce7            jl      image00000000_00400000+0x2cf7d (0042cf7d)
0042cf96 eb98            jmp     image00000000_00400000+0x2cf30 (0042cf30)
0042cf98 8b54240c        mov     edx,dword ptr [esp+0Ch]

0:000:x86> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 image00000000_00400000+0x2cf85

0:000:x86> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x54eadfe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:0042cf85 rep movs byte ptr es:[edi],byte ptr [esi]

Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at image00000000_00400000+0x000000000002cf85 (Hash=0x00000000.0x00000000)


Bug #3: repro3.bpg
0:000:x86> r
eax=0502466c ebx=051fefde ecx=000000f8 edx=0000001f esi=05021860 edi=05021850
eip=004250e8 esp=0028fbe8 ebp=0000000a iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
image00000000_00400000+0x250e8:
004250e8 8b1413          mov     edx,dword ptr [ebx+edx] ds:002b:051feffd=????????

0:000:x86> u eip
image00000000_00400000+0x250e8:
004250e8 8b1413          mov     edx,dword ptr [ebx+edx]
004250eb 8d5908          lea     ebx,[ecx+8]
004250ee 3b5810          cmp     ebx,dword ptr [eax+10h]
004250f1 0f475810        cmova   ebx,dword ptr [eax+10h]
004250f5 83e107          and     ecx,7
004250f8 0fca            bswap   edx
004250fa d3e2            shl     edx,cl
004250fc c1ea18          shr     edx,18h

0:000:x86> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0028fbec 0041fdf2 ffffff00 05021880 05021850 image00000000_00400000+0x250e8
0028fc08 004215de 0501fc30 00000030 00431c1c image00000000_00400000+0x1fdf2
0028fc18 00429128 0501fc30 00000030 00431350 image00000000_00400000+0x215de
00431c1c 676e6964 49455320 6b53000a 65707069 image00000000_00400000+0x29128
00431c20 49455320 6b53000a 65707069 52502064 0x676e6964
00431c24 6b53000a 65707069 52502064 58494645 0x49455320
[.....]


Bug #4: repro4.bpg
eax=00000030 ebx=058085c0 ecx=ffffff03 edx=0000000d esi=0530e532 edi=0000c0c0
eip=0042d18d esp=0028f8f4 ebp=00001818 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
image00000000_00400000+0x2d18d:
0042d18d 037cac18        add     edi,dword ptr [esp+ebp*4+18h] ss:002b:0029596c=????????
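The faulting instruction in bug #3 loads a 32-bit word at ebx+edx, byte-swaps it, shifts by cl and keeps the top byte, which is the shape of a big-endian bit-reader refill; whether that is the actual cause inside libbpg is not established by the report. As an added defensive illustration (not libbpg's code; the type, function names and sample bytes are hypothetical), the reader below clamps the load to the bytes that exist and refuses a read that would need bits past the end of the buffer:

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical bit reader (added example, not libbpg code).  The access
 * shape mirrors the faulting sequence in bug #3: 32-bit load at
 * buf + byte_pos, byte swap, shift by the bit offset inside that byte,
 * keep the top 8 bits.  An unchecked load reads four bytes even when
 * fewer remain; here the load is clamped and an overrun is refused. */
typedef struct {
    const uint8_t *buf;
    size_t len;      /* bytes available */
    size_t bit_pos;  /* absolute bit position */
} bitreader_t;

/* Big-endian load of up to four bytes at the current byte position;
 * bytes beyond len are zero-padded instead of being read. */
static uint32_t load_be32_clamped(const bitreader_t *br)
{
    size_t byte_pos = br->bit_pos >> 3;
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        v <<= 8;
        if (byte_pos + i < br->len)
            v |= br->buf[byte_pos + i];
    }
    return v;
}

/* Return the next 8 bits (0..255), or -1 if they would run past the end. */
int get_bits8(bitreader_t *br)
{
    if (br->bit_pos + 8 > br->len * 8)
        return -1;                        /* refuse to overrun the buffer */
    uint32_t w = load_be32_clamped(br);
    int shift = (int)(br->bit_pos & 7);   /* same role as `shl edx,cl` */
    br->bit_pos += 8;
    return (int)((w << shift) >> 24);     /* same role as `shr edx,18h` */
}

/* Read 8 bits at an arbitrary bit offset of a buffer. */
int read8_at(const uint8_t *buf, size_t len, size_t bit_pos)
{
    bitreader_t br = { buf, len, bit_pos };
    return get_bits8(&br);
}

/* Constructed 3-byte stream: a naive 4-byte load at any position in it
 * would read past the end, which is what the fault in bug #3 looks like. */
const uint8_t sample_stream[3] = { 0xAB, 0xCD, 0xEF };
```

Reading at bit 20 of the sample stream returns -1 instead of touching a fourth byte that does not exist.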
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-15 23:09:22 UTC
Reassigning to Poly-C after discussion on IRC. 

This package is not in the Gentoo tree, and as such not a matter for Security.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2014-12-15 23:13:49 UTC
[security hat: technically, we'd mark this RESOLVED INVALID as it doesn't concern a package in the tree; I doubt Lars can help here either]

As far as contacting the author, try the oss-sec mailing list as it has more exposure than our bugzilla; or whois the author's domain, there seem to be a few usable addresses there. ;)
Comment 3 j 2014-12-15 23:15:44 UTC
Ok, I can dig deeper to try to get a response from the owner or other responsible parties for this package.

Excuse my ignorance working with this bug tracker, but can we make sure this bug is marked non-public for the security of package users until it's investigated / fixed?
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-12-15 23:23:15 UTC
(In reply to j from comment #3)
> Ok, I can dig deeper to try to get a response from the owner or other
> responsible parties for this package.
> 
> Excuse my ignorance working with this bug tracker, but can we make sure this
> bug is marked non-public for the security of package users until it's
> investigated / fixed?

I already sent him an email where I asked him to have a look at this bug. When we make this bug now non-public he won't be able to look at it anymore.
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-28 21:18:19 UTC
Has this all been fixed in version 0.9.5?
Comment 6 j 2015-02-02 16:52:40 UTC
Repros 1, 3, 4 no longer crash.

repro2.bpg is still confirmed in 0.9.5.

Has the package author responded yet?