Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 15 Dec 2016 14:38:19 +0000
From: Agustin Mista <mista.agustin@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-9584: heap use-after-free on libical

We found a heap use-after-free in a recent revision of libical (
f3688b444f820cecf51b1539b0856a392c0fdb0f),
using a specially crafted ics file. This bugs looks particularly dangerous
since it allows to read a big chunk of the heap memory.

The address sanitizer report is as follows:

==14573==ERROR: AddressSanitizer: heap-use-after-free on address
0x60700001e394 at pc 0x00000044478e bp 0x7fffffffc4a0 sp 0x7fffffffbc28
READ of size 62 at 0x60700001e394 thread T0
#0 0x44478d (/home/agustin/Code/libical/build/src/test/parser+0x44478d)
#1 0x444eb3 (/home/agustin/Code/libical/build/src/test/parser+0x444eb3)
#2 0x4461f0 (/home/agustin/Code/libical/build/src/test/parser+0x4461f0)
#3 0x7ffff7b519e8 (/home/agustin/Code/libical/build/lib/libical.so.2+
0x19a9e8)
#4 0x7ffff7b5a40f (/home/agustin/Code/libical/build/lib/libical.so.2+
0x1a340f)
#5 0x7ffff7add113 (/home/agustin/Code/libical/build/lib/libical.so.2+
0x126113)
#6 0x7ffff7a978ec (/home/agustin/Code/libical/build/lib/libical.so.2+
0xe08ec)
#7 0x7ffff7a97b4a (/home/agustin/Code/libical/build/lib/libical.so.2+
0xe0b4a)
#8 0x7ffff7a96f11 (/home/agustin/Code/libical/build/lib/libical.so.2+
0xdff11)
#9 0x4b8db7 (/home/agustin/Code/libical/build/src/test/parser+0x4b8db7)
#10 0x7ffff61baf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x4b829c (/home/agustin/Code/libical/build/src/test/parser+0x4b829c)

0x60700001e394 is located 4 bytes inside of 66-byte region [0x60700001e390,
0x60700001e3d2)
freed by thread T0 here:
#0 0x49a99b (/home/agustin/Code/libical/build/src/test/parser+0x49a99b)
#1 0x7ffff7abab48 (/home/agustin/Code/libical/build/lib/libical.so.2+
0x103b48)
#2 0x7ffff7ad0da1 (/home/agustin/Code/libical/build/lib/libical.so.2+
0x119da1)
#3 0x4b8cde (/home/agustin/Code/libical/build/src/test/parser+0x4b8cde)
#4 0x7ffff61baf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

previously allocated by thread T0 here:
#0 0x49ac1b (/home/agustin/Code/libical/build/src/test/parser+0x49ac1b)
#1 0x7ffff7aba55a (/home/agustin/Code/libical/build/lib/libical.so.2+
0x10355a)
#2 0x7ffff7ad7777 (/home/agustin/Code/libical/build/lib/libical.so.2+
0x120777)
#3 0x7ffff7ad808a (/home/agustin/Code/libical/build/lib/libical.so.2+
0x12108a)
#4 0x7ffff7ad0220 (/home/agustin/Code/libical/build/lib/libical.so.2+
0x119220)
#5 0x4b8cde (/home/agustin/Code/libical/build/src/test/parser+0x4b8cde)
#6 0x7ffff61baf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c0e7fffbc20: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0e7fffbc30: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
0x0c0e7fffbc40: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fffbc50: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c0e7fffbc60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
=>0x0c0e7fffbc70: fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0e7fffbc80: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
0x0c0e7fffbc90: 00 00 00 00 00 00 03 fa fa fa fa fa fd fd fd fd
0x0c0e7fffbca0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0e7fffbcb0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fffbcc0: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd


And the backtrace is available here:

#0 0x00007ffff61cfc37 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff61d3028 in __GI_abort () at abort.c:89
#2 0x00000000004b1356 in __sanitizer::Abort() ()
#3 0x00000000004a2037 in __asan::AsanDie() ()
#4 0x00000000004a8a6f in __sanitizer::Die() ()
#5 0x00000000004a06cb in __asan::ScopedInErrorReport::~ScopedInErrorReport()
()
#6 0x00000000004a0211 in __asan_report_error ()
#7 0x00000000004447a9 in printf_common(void*, char const*, __va_list_tag*)
()
#8 0x0000000000444eb4 in vsnprintf ()
#9 0x00000000004461f1 in snprintf ()
#10 0x00007ffff7b519e9 in icalreqstattype_as_string_r (stat=...)
at /home/agustin/Code/libical/src/libical/icaltypes.c:171
#11 0x00007ffff7b5a410 in icalvalue_as_ical_string_r (value=0x60e0000280c0)
at /home/agustin/Code/libical/src/libical/icalvalue.c:1208
#12 0x00007ffff7add114 in icalproperty_as_ical_string_r
(prop=0x6060000010a0)
at /home/agustin/Code/libical/src/libical/icalproperty.c:442
#13 0x00007ffff7a978ed in icalcomponent_as_ical_string_r
(impl=0x60700001e7f0)
at /home/agustin/Code/libical/src/libical/icalcomponent.c:291
#14 0x00007ffff7a97b4b in icalcomponent_as_ical_string_r
(impl=0x60700000ded0)
at /home/agustin/Code/libical/src/libical/icalcomponent.c:300
#15 0x00007ffff7a96f12 in icalcomponent_as_ical_string (impl=0x60700000ded0)
at /home/agustin/Code/libical/src/libical/icalcomponent.c:247
#16 0x00000000004b8db8 in main (argc=2, argv=0x7fffffffdf08)
at /home/agustin/Code/libical/src/test/icaltestparser.c:109

It is worth to mention there is a very similar bug found (CVE-2016-5824) on
the libical version used by
Thunderbird but we think is *not* the same as this one. In fact, we've
tested it on Thunderbird and it does *not* crash.

The reproducer is available upon request.

Unfortunately, there is no fix yet, but upstream is working on it.

Regards.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ