Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 21 Aug 2017 15:37:42 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: libmirage: NULL pointer dereference in mirage_stream_get_filename (stream.c)

There is a NULL pointer dereference in libmirage when handling .dmg/.isz file.
The bug was found via mirage2iso (https://github.com/mgorny/mirage2iso) which 
uses limirage to convert various CD/DVD image formats into .iso
The bug was initially spotted by Michał Górny so the credit goes to him.

I hitted the bug too and I'm pointing out the security implication. The 
complete asan output of the issue:

# mirage2iso $FILE out.iso
==22879==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x7f9c67f5dde9 bp 0x7f9c5e533e26 sp 0x7ffeb47ffe20 T0)
==22879==The signal is caused by a READ memory access.
==22879==Hint: address points to the zero page.
    #0 0x7f9c67f5dde8 in mirage_stream_get_filename /var/tmp/portage/dev-
libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/stream.c:61
    #1 0x7f9c5e5306c8 in mirage_filter_stream_dmg_open_streams 
/var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/filters/filter-
dmg/filter-stream.c:603
    #2 0x7f9c5e5306c8 in mirage_filter_stream_dmg_open /var/tmp/portage/dev-
libs/libmirage-3.0.4/work/libmirage-3.0.4/filters/filter-dmg/filter-
stream.c:719
    #3 0x7f9c67f5726c in mirage_filter_stream_open /var/tmp/portage/dev-
libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/filter-stream.c:209
    #4 0x7f9c67f53aa5 in mirage_context_create_input_stream 
/var/tmp/portage/dev-
libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/context.c:471
    #5 0x7f9c67f53bea in mirage_context_load_image /var/tmp/portage/dev-
libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/context.c:359
    #6 0x50d6ca in miragewrap_open /var/tmp/portage/app-
cdr/mirage2iso-0.4.2/work/mirage2iso-0.4.2/src/mirage-wrapper.c:87:9
    #7 0x50a3cb in main /var/tmp/portage/app-
cdr/mirage2iso-0.4.2/work/mirage2iso-0.4.2/src/mirage2iso.c:281:7
    #8 0x7f9c66e38680 in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x41ab98 in _start (/usr/bin/mirage2iso+0x41ab98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/dev-
libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/stream.c:61 in 
mirage_stream_get_filename
==22879==ABORTING

Testcase:
https://github.com/mgorny/mirage2iso/blob/master/tests/21_hdiutil_ulfo.dmg

Upstream bug report:
https://sourceforge.net/p/cdemu/bugs/105/

Upstream commit:
https://sourceforge.net/p/cdemu/code/ci/d874b3b1bc86b94b1f323d7df9e665279fb966cb/

A CVE request was not requested.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ