Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 05 Nov 2015 17:30:14 +0100
From: gauri@....by
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Cc: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: Re: CVE request: libsndfile 1.0.25 heap overflow

Hello list.

03.11.2015, 21:02, "cve-assign@...re.org" <cve-assign@...re.org>:
>>  Unrelated, but I recently reported an out of bounds triggered by the
>>  test suite of libsndfile and got no reply:
>>  http://permalink.gmane.org/gmane.comp.audio.libsndfile.devel/681
>
>>  Out of bounds reads in psf_strlcpy_crlf when running test suite
>
>>  AddressSanitizer: global-buffer-overflow ... READ of size 1
>
> Use CVE-2015-8075.

I have followed up on this to spot the root cause of what has been assigned CVE-2015-8075; as recommended by Hanno, I am sharing my results with the wider audience.

The `test_psf_strlcpy_crlf()` routine, as it is presented [1] in version 1.0.25, is incorrect in that it supplies an invalid argument value to the function `psf_strlcpy_crlf()` being tested: the last argument `srcmax` receives `sizeof(src)`, which is the size of the pointer `src`, and not the source string length it points to, as might have been anticipated by the author. Since the reporter tested a 64-bit build, `srcmax` gets passed 8, but the string is 7 bytes long. This triggers OOB access detected by address sanitizer, just like in the original report.

At this point, it seems CVE-2015-8075 has to be rejected as there is no vulnerability, only a poorly written test case which doesn't see any action except when running `make check`.

Note: Apparently, the vendor has attempted to fix the test [2], but it seems like `srcmax` is getting `sizeof(char)` instead of `sizeof(char *)` now. The test remains invalid, although due to a different reason.

Cheers,
Z.

References:
[1] https://github.com/erikd/libsndfile/blob/f66e21e0b1f1b52b544dabb5ba4fa89fa6f62a30/src/test_strncpy_crlf.c
[2] https://github.com/erikd/libsndfile/blob/495c2877e1c841fbb420383551547d2ca60533c6/src/test_strncpy_crlf.c

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.