Debian Bug report logs - #774152
libisofs6: null pointer dereference


Package: libisofs6; Maintainer for libisofs6 is Debian Libburnia packagers <pkg-libburnia-devel@lists.alioth.debian.org>; Source for libisofs6 is src:libisofs.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Mon, 29 Dec 2014 15:03:02 UTC

Severity: normal

Found in version libisofs/1.3.2-1.1

Fixed in version libisofs/1.4.0-2

Done: Thomas Schmitt <scdbackup@gmx.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian Libburnia packagers <pkg-libburnia-devel@lists.alioth.debian.org>:
Bug#774152; Package libisofs6. (Mon, 29 Dec 2014 15:03:07 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libisofs6: null pointer dereference
Date: Mon, 29 Dec 2014 16:01:13 +0100
Package: libisofs6
Version: 1.3.2-1.1
Usertags: afl

xorriso crashes trying to read the attached ISO 9660 image:

$ xorriso -signal_handling off -dev crash.iso -ls
xorriso 1.3.2 : RockRidge filesystem manipulator, libburnia project.

libisoburn: WARNING : ISO image size 311s larger than readable size 308s
xorriso : NOTE : Loading ISO image tree from LBA 0
Segmentation fault


The crash can be reproduced using the libisofs demo, so I assume the bug 
lies in the library itself. GDB says it's a null pointer dereference:

Program received signal SIGSEGV, Segmentation fault.
0xf7e61a3e in iso_file_source_lstat (src=0x8261b00, info=0xffffd490) at libisofs/fsource.c:67
67          return src->class->lstat(src, info);
(gdb) print src->class
$1 = (const IsoFileSourceIface *) 0x0
(gdb) bt
#0  0xf7e61a3e in iso_file_source_lstat (src=0x8261b00, info=0xffffd490) at libisofs/fsource.c:67
#1  0xf7e68042 in iso_image_import (image=0x804c070, src=0x804c600, opts=0x804c5d8, features=0xffffd548) at libisofs/fs_image.c:3578
#2  0xf7edaf0d in isoburn_read_image (d=0xf7dde300 <drive_array>, read_opts=0x804c4f0, image=0xffffd5ec) at libisoburn/isofs_wrap.c:301
#3  0xf7f3311e in Xorriso_aquire_drive (xorriso=0xf77a7008, adr=0x804ba30 "crash.iso", show_adr=0x804ba30 "crash.iso", flag=3) at xorriso/drive_mgt.c:533
#4  0xf7f17679 in Xorriso_option_dev (xorriso=0xf77a7008, in_adr=0x804ba30 "crash.iso", flag=3) at xorriso/opts_d_h.c:116
#5  0xf7f0a80c in Xorriso_interpreter (xorriso=0xf77a7008, argc=6, argv=0x804b9c0, idx=0xffffd79c, flag=2) at xorriso/parse_exec.c:1185
#6  0x08048b1f in main (argc=6, argv=0x804b9c0) at xorriso/xorriso_main.c:265


This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the 
first crash (which took a few minutes). It's likely that extensive 
fuzzing would uncover more interesting crashers. I'd encourage libisofs 
maintainers to perform fuzzing with AFL on their own. :-)


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libisofs6 depends on:
ii  libacl1  2.2.52-2
ii  libc6    2.19-13
ii  libjte1  1.20-1
ii  zlib1g   1:1.2.8.dfsg-2+b1

-- 
Jakub Wilk
[crash.iso.xz (application/x-xz, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libburnia packagers <pkg-libburnia-devel@lists.alioth.debian.org>:
Bug#774152; Package libisofs6. (Mon, 29 Dec 2014 17:42:09 GMT)


Acknowledgement sent to "Thomas Schmitt" <scdbackup@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Libburnia packagers <pkg-libburnia-devel@lists.alioth.debian.org>. (Mon, 29 Dec 2014 17:42:09 GMT)


Message #8 received at 774152@bugs.debian.org:

From: "Thomas Schmitt" <scdbackup@gmx.net>
To: 774152@bugs.debian.org
Subject: Re: libisofs6: null pointer dereference
Date: Mon, 29 Dec 2014 18:38:41 +0100
Hi,

> xorriso crashes trying to read the attached ISO 9660 image:
> https://packages.debian.org/experimental/afl

How was the ISO image created ? It bears the marks of xorriso
but has faulty superblock data.
Did xorriso create a bad ISO ?
Did afl modify the image ?

The cause of the crash is a misleading block number in
the Primary Volume Descriptor of the image.
At 2 KB block 0x132 = 306, there should be the start of
the Directory Record list of the root directory. But there
starts an obvious file name "LIMERIC.;1" at byte offset 9.
If this was the start of a directory record list, the offset
should be 34, the file name should be the single byte 0x00.

Being misled to a wrong address, libisofs reads a wrong
value of File Flags and sees a Multi-Extent bit. At this
point it should abort the attempt to load the meta data of
the ISO image. But it does not and continues with a half-
initialized object which represents the data of the root
directory.

Upstream now avoids this particular case of sigsegv by

  http://bazaar.launchpad.net/~libburnia-team/libisofs/scdbackup/revision/1181


> crash.iso.xz  Application/X-XZ 

It is a bit cumbersome for me to uncompress .xz.
Would .bz2 be possible for future bug reports ?


> http://lcamtuf.coredump.cx/afl/
> (referenced by https://packages.debian.org/experimental/afl)

Can you tell me your setup for xorriso ?
I will have to build it from source, as I have no current
Debian at hand. Are there any known problems to avoid ?


Have a nice day :)

Thomas
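The root-directory sanity check that Thomas's analysis implies, as an added example in C; this is not libisofs code, nor anything from this thread. It walks from the Primary Volume Descriptor (block 16, root Directory Record at PVD offset 156) to the block the record points at and rejects the block if it cannot be the start of a root Directory Record list: a directory's "." entry must be 34 bytes long, carry the single name byte 0x00, have the directory bit set and never the Multi-Extent bit, and its both-byte-order LBA must agree and point back at the block itself. The 18-block sample image is constructed inline; the `corrupt` variant puts file-name text where the record should be and sets the Multi-Extent flag, mimicking the reported image.

```c
#include <stdint.h>
#include <string.h>

#define ISO_BLOCK 2048
#define PVD_ROOT_REC 156     /* offset of the root Directory Record inside the PVD */
#define DR_FLAG_DIR 0x02
#define DR_FLAG_MULTIEXT 0x80
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void put_both32(uint8_t *p, uint32_t v) {   /* ISO 9660 "both-byte-order" field */
    for (int i = 0; i < 4; i++) { p[i] = v >> (8 * i); p[7 - i] = v >> (8 * i); }
}
/* 0 if blk plausibly starts the root Directory Record list, else a reason code. */
int check_root_dir_block(const uint8_t *blk, uint32_t expected_lba)
{
    if (blk[0] < 34) return 1;                       /* the "." record is 34 bytes long */
    if (blk[32] != 1 || blk[33] != 0x00) return 2;   /* "." name is the single byte 0x00 */
    if (blk[25] & DR_FLAG_MULTIEXT) return 3;        /* a directory is never multi-extent */
    if (!(blk[25] & DR_FLAG_DIR)) return 4;          /* directory bit must be set */
    if (le32(blk + 2) != be32(blk + 6)) return 5;    /* LE and BE copies of the LBA must agree */
    if (le32(blk + 2) != expected_lba) return 6;     /* "." must point at its own block */
    return 0;
}
/* Follows PVD (block 16) to the root directory block; negative for PVD/size problems. */
int check_image(const uint8_t *img, size_t img_len)
{
    if (img_len < 17 * ISO_BLOCK) return -1;
    const uint8_t *pvd = img + 16 * ISO_BLOCK;
    if (pvd[0] != 1 || memcmp(pvd + 1, "CD001", 5) != 0) return -1;
    uint32_t lba = le32(pvd + PVD_ROOT_REC + 2);
    if (((uint64_t)lba + 1) * ISO_BLOCK > img_len) return -2;   /* record lies past the image */
    return check_root_dir_block(img + (size_t)lba * ISO_BLOCK, lba);
}

/* Constructed 18-block image (PVD at 16, root dir at 17) in a static buffer, then checked.
   corrupt != 0 mimics the reported image; visible_len < 18 blocks mimics a short image. */
int check_sample(int corrupt, size_t visible_len)
{
    static uint8_t img[18 * ISO_BLOCK]; memset(img, 0, sizeof img);
    uint8_t *pvd = img + 16 * ISO_BLOCK, *rec = pvd + PVD_ROOT_REC, *root = img + 17 * ISO_BLOCK;
    pvd[0] = 1; memcpy(pvd + 1, "CD001", 5);
    rec[0] = 34; put_both32(rec + 2, 17); put_both32(rec + 10, ISO_BLOCK);
    rec[25] = DR_FLAG_DIR; rec[32] = 1; rec[33] = 0x00;
    memcpy(root, rec, 34);
    if (corrupt) {   /* file-name text where a record should be, flags claim multi-extent */
        memcpy(root + 9, "LIMERIC.;1", 10);
        root[25] = DR_FLAG_MULTIEXT;
    }
    return check_image(img, visible_len);
}
```

A reader that refuses the block on any non-zero code never reaches the half-initialized root object the crash came from; the -2 case corresponds to the "image size larger than readable size" warning in the original report.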




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libburnia packagers <pkg-libburnia-devel@lists.alioth.debian.org>:
Bug#774152; Package libisofs6. (Tue, 30 Dec 2014 10:27:05 GMT)


Message #11 received at 774152@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Thomas Schmitt <scdbackup@gmx.net>, 774152@bugs.debian.org
Subject: Re: Bug#774152: libisofs6: null pointer dereference
Date: Tue, 30 Dec 2014 11:25:34 +0100
Hi Thomas!

[Note that Debian BTS doesn't automatically CC bug submitters, so you 
normally should CC them manually if you want them to read your mail.]

* Thomas Schmitt <scdbackup@gmx.net>, 2014-12-29, 18:38:
>How was the ISO image created ? It bears the marks of xorriso but has 
>faulty superblock data.
>Did xorriso create a bad ISO ?
>Did afl modify the image ?

The latter. I fed AFL with a correct input file (which was created, as 
you noticed, by xorriso), and then AFL mutated it.

>Upstream now avoids this particular case of sigsegv by
>
>  http://bazaar.launchpad.net/~libburnia-team/libisofs/scdbackup/revision/1181

Thanks for the quick fix. :-D

>>crash.iso.xz  Application/X-XZ
>
>It is a bit cumbersome for me to uncompress .xz.

Oops. Sorry about that.

>Would .bz2 be possible for future bug reports ?

Sure.

>>http://lcamtuf.coredump.cx/afl/
>Can you tell me your setup for xorriso ?

I'll try to write up something later today.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libburnia packagers <pkg-libburnia-devel@lists.alioth.debian.org>:
Bug#774152; Package libisofs6. (Tue, 30 Dec 2014 23:36:04 GMT)


Message #14 received at 774152@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Thomas Schmitt <scdbackup@gmx.net>, 774152@bugs.debian.org
Subject: Re: Bug#774152: libisofs6: null pointer dereference
Date: Wed, 31 Dec 2014 00:34:07 +0100
* Thomas Schmitt <scdbackup@gmx.net>, 2014-12-29, 18:38:
>Can you tell me your setup for xorriso ?

A program is worth a thousand words, so I wrote a script that sets 
(almost) everything up. It assumes that AFL is already installed (and 
the afl-* scripts are within $PATH), and that the current working directory 
is the root of the libisofs source.

I hope the script is sufficiently commented, but I recommend reading AFL 
documentation in addition to that: at least README and 
docs/status_screen.txt.

>Are there any known problems to avoid ?

Setting up AFL is a multi-step process, and there are a few ways things 
could break. Fortunately, afl-fuzz is designed to be goof-proof. :-) It 
usually warns you if something went wrong.

-- 
Jakub Wilk
[afl4libisofs (text/plain, attachment)]

Reply sent to Thomas Schmitt <scdbackup@gmx.net>:
You have taken responsibility. (Wed, 09 Sep 2015 15:24:16 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Wed, 09 Sep 2015 15:24:16 GMT)


Message #19 received at 774152-close@bugs.debian.org:

From: Thomas Schmitt <scdbackup@gmx.net>
To: 774152-close@bugs.debian.org
Subject: Bug#774152: fixed in libisofs 1.4.0-2
Date: Wed, 09 Sep 2015 15:20:44 +0000
Source: libisofs
Source-Version: 1.4.0-2

We believe that the bug you reported is fixed in the latest version of
libisofs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774152@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Schmitt <scdbackup@gmx.net> (supplier of updated libisofs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 09 Sep 2015 15:07:45 +0200
Source: libisofs
Binary: libisofs6 libisofs-dbg libisofs-doc libisofs-dev
Architecture: source amd64 all
Version: 1.4.0-2
Distribution: unstable
Urgency: low
Maintainer: Debian Libburnia packagers <pkg-libburnia-devel@lists.alioth.debian.org>
Changed-By: Thomas Schmitt <scdbackup@gmx.net>
Description:
 libisofs-dbg - debugging symbols for libisofs
 libisofs-dev - development package for libisofs
 libisofs-doc - API documentation for libisofs library
 libisofs6  - library to create ISO9660 images
Closes: 751501 774140 774147 774152
Changes:
 libisofs (1.4.0-2) unstable; urgency=low
 .
   * New upstream release
     + Bug fix: Prevent allocation of empty hash tables. Thanks Richard Nolde.
     + Bug fix: Prevent allocation of empty directory children lists.
     + Bug fix: A SIGSEGV could happen when loading a faulty ISO filesystem.
                Thanks to Jakub Wilk. (Closes: #774152)
     + Bug fix: Fixed buffer overflow in demo/demo.c with gesture -iso_read.
                Thanks to Jakub Wilk. (Closes: #774147).
     + Bug fix: Rock Ridge Continuation Area could be produced crossing a block
                boundary. This is heavily disliked by the Linux kernel and
                spoils the representation of directories which contain many
                symbolic links.
     + Bug fix: Only 128 bytes of an emerging GPT header block were zeroized.
     + Bug fix: Fixed a typo in message of make install. (Closes: #774140)
     + Bug fix: Made declarations of make_isolinux_mbr() consistent.
                Thanks to Michael Tautschnig. (Closes: #751501)
     + Encoding HFS+ names in UTF-16 rather than UCS-2.
     + Giving sort weight 2 as default to El Torito boot images.
     + Increased default weight of El Torito boot catalog to 1 billion.
     + Improved handling of cylinder alignment if the resulting image size is
       not divisible by 2048. Old behavior was to not align. New is to pad up
       by a few blocks of 512 bytes.
     + New API calls iso_image_report_el_torito() and
       iso_image_report_system_area().
     + New API call iso_write_opts_set_appended_as_gpt() and marking of
       appended partitions in GPT if GPT emerges for other reasons.
     + New system area type 6 = DEC Alpha SRM boot sector.
       New API calls iso_image_set_alpha_boot(), iso_image_get_alpha_boot().
       Thanks to Helge Deller.
     + New API object iso_interval_reader. Enabling flag bits for older
       API calls iso_write_opts_set_prep_img(), iso_write_opts_set_efi_bootp(),
       and iso_write_opts_set_partition_img().
   * Removed dependency on doxygen
   * Corrected license of upstream to GPL-2+ (from GPL-2)
   * Migrated to debhelper 9 and applied changes proposed by cme.
   * Added myself to Uploaders after becoming co-admin of the maintainer project





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Oct 2015 07:29:08 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 23 15:56:45 2023; Machine Name: buxtehude
