heap-buffer-overflow

[magicSwordsMan]

Hello OpenEXR team,
I have identified an issue affecting OpenEXR by using AFL fuzz.

root@kali:~/openexr# valgrind -v --tool=memcheck --leak-check=full exrmultiview left outputFuzz/crashes/id:000000,sig:11,src:000453,op:arith8,pos:107,val:+35 right AllHalfValues.exr 12.exr
==76955== Memcheck, a memory error detector
==76955== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==76955== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==76955== Command: exrmultiview left outputFuzz/crashes/id:000000,sig:11,src:000453,op:arith8,pos:107,val:+35 right AllHalfValues.exr 12.exr
==76955==
--76955-- Valgrind options:
--76955-- -v
--76955-- --tool=memcheck
--76955-- --leak-check=full
--76955-- Contents of /proc/version:
--76955-- Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
--76955--
--76955-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-avx-avx2-bmi
--76955-- Page sizes: currently 4096, max supported 4096
--76955-- Valgrind library directory: /usr/lib/valgrind
--76955-- Reading syms from /usr/local/bin/exrmultiview
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.27.so
--76955-- Considering /usr/lib/debug/.build-id/dc/5cb16f5e644116cac64a4c3f5da4d081b81a4f.debug ..
--76955-- .. build-id is valid
--76955-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--76955-- Considering /usr/lib/valgrind/memcheck-amd64-linux ..
--76955-- .. CRC mismatch (computed 7680f3df wanted 92e0f93c)
--76955-- Considering /usr/lib/debug/usr/lib/valgrind/memcheck-amd64-linux ..
--76955-- .. CRC is valid
--76955-- object doesn't have a dynamic symbol table
--76955-- Scheduler: using generic scheduler lock implementation.
--76955-- Reading suppressions file: /usr/lib/valgrind/default.supp
==76955== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-76955-by-root-on-???
==76955== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-76955-by-root-on-???
==76955== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-76955-by-root-on-???
==76955==
==76955== TO CONTROL THIS PROCESS USING vgdb (which you probably
==76955== don't want to do, unless you know exactly what you're doing,
==76955== or are doing some strange experiment):
==76955== /usr/lib/valgrind/../../bin/vgdb --pid=76955 ...command...
==76955==
==76955== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==76955== /path/to/gdb exrmultiview
==76955== and then give GDB the following command
==76955== target remote | /usr/lib/valgrind/../../bin/vgdb --pid=76955
==76955== --pid is optional if only one valgrind process is running
==76955==
--76955-- REDIR: 0x401e290 (ld-linux-x86-64.so.2:strlen) redirected to 0x58061781 (vgPlain_amd64_linux_REDIR_FOR_strlen)
--76955-- REDIR: 0x401e070 (ld-linux-x86-64.so.2:index) redirected to 0x5806179b (vgPlain_amd64_linux_REDIR_FOR_index)
--76955-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--76955-- Considering /usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--76955-- .. CRC mismatch (computed 66a2a561 wanted 3789c7eb)
--76955-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--76955-- .. CRC is valid
--76955-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--76955-- Considering /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--76955-- .. CRC mismatch (computed 8487a070 wanted 8af30a91)
--76955-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--76955-- .. CRC is valid
==76955== WARNING: new redirection conflicts with existing -- ignoring it
--76955-- old: 0x0401e290 (strlen ) R-> (0000.0) 0x58061781 vgPlain_amd64_linux_REDIR_FOR_strlen
--76955-- new: 0x0401e290 (strlen ) R-> (2007.0) 0x04838a60 strlen
--76955-- REDIR: 0x401aab0 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4839b90 (strcmp)
--76955-- REDIR: 0x401e7d0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x483d1a0 (mempcpy)
--76955-- Reading syms from /usr/local/lib/libIlmImf-2_3.so.2.3.0
--76955-- Reading syms from /usr/local/lib/libHalf-2_3.so.2.3.0
--76955-- Reading syms from /usr/local/lib/libImath-2_3.so.2.3.0
--76955-- Reading syms from /usr/local/lib/libIlmThread-2_3.so.2.3.0
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libpthread-2.27.so
--76955-- Considering /usr/lib/debug/.build-id/c1/969b6ac0e7a64f9cd88fdce8b584ccfc16623d.debug ..
--76955-- .. build-id is valid
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
--76955-- object doesn't have a symbol table
--76955-- Reading syms from /usr/local/lib/libIex-2_3.so.2.3.0
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
--76955-- object doesn't have a symbol table
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libm-2.27.so
--76955-- Considering /usr/lib/debug/.build-id/fa/b2857727406caccd7ab22e1729b09ccf2c3eb7.debug ..
--76955-- .. build-id is valid
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
--76955-- object doesn't have a symbol table
--76955-- Reading syms from /usr/lib/x86_64-linux-gnu/libc-2.27.so
--76955-- Considering /usr/lib/debug/.build-id/dc/87cd1e2b171a4c51139cb4e1f2ec630e711de3.debug ..
--76955-- .. build-id is valid
--76955-- REDIR: 0x5361050 (libc.so.6:memmove) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360280 (libc.so.6:strncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361330 (libc.so.6:strcasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fcd0 (libc.so.6:strcat) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53602b0 (libc.so.6:rindex) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5362900 (libc.so.6:rawmemchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53611c0 (libc.so.6:mempcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360ff0 (libc.so.6:bcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360240 (libc.so.6:strncmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fd40 (libc.so.6:strcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361120 (libc.so.6:memset) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x537ab60 (libc.so.6:wcschr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53601e0 (libc.so.6:strnlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fdb0 (libc.so.6:strcspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361380 (libc.so.6:strncasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fd80 (libc.so.6:strcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53614c0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53602e0 (libc.so.6:strpbrk) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x535fd00 (libc.so.6:index) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53601b0 (libc.so.6:strlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53671b0 (libc.so.6:memrchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53613d0 (libc.so.6:strcasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360fc0 (libc.so.6:memchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x537b920 (libc.so.6:wcslen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5360590 (libc.so.6:strspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361300 (libc.so.6:stpncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x53612d0 (libc.so.6:stpcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5362930 (libc.so.6:strchrnul) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5361420 (libc.so.6:strncasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--76955-- REDIR: 0x5433700 (libc.so.6:__strrchr_avx2) redirected to 0x48383e0 (rindex)
--76955-- REDIR: 0x535c5c0 (libc.so.6:malloc) redirected to 0x4835750 (malloc)
--76955-- REDIR: 0x54338d0 (libc.so.6:__strlen_avx2) redirected to 0x48389a0 (strlen)
--76955-- REDIR: 0x542fee0 (libc.so.6:__memcmp_avx2_movbe) redirected to 0x483bab0 (bcmp)
--76955-- REDIR: 0x540f0a0 (libc.so.6:__strcmp_ssse3) redirected to 0x4839a50 (strcmp)
--76955-- REDIR: 0x535d2a0 (libc.so.6:calloc) redirected to 0x4837720 (calloc)
--76955-- REDIR: 0x5433e10 (libc.so.6:__memcpy_avx_unaligned_erms) redirected to 0x483c390 (memmove)
--76955-- REDIR: 0x503af90 (libstdc++.so.6:operator new(unsigned long)) redirected to 0x4835dc0 (operator new(unsigned long))
--76955-- REDIR: 0x5039220 (libstdc++.so.6:operator delete(void*)) redirected to 0x4836e80 (operator delete(void*))
--76955-- REDIR: 0x5422440 (libc.so.6:__strncpy_ssse3) redirected to 0x4838c60 (strncpy)
--76955-- REDIR: 0x5360a70 (libc.so.6:__GI_strstr) redirected to 0x483d410 (__strstr_sse2)
--76955-- REDIR: 0x503b040 (libstdc++.so.6:operator new[](unsigned long)) redirected to 0x48364e0 (operator new[](unsigned long))
--76955-- REDIR: 0x542a850 (libc.so.6:__strncmp_sse42) redirected to 0x4839220 (__strncmp_sse42)
--76955-- REDIR: 0x5434290 (libc.so.6:__memset_avx2_unaligned_erms) redirected to 0x483c280 (memset)
--76955-- REDIR: 0x535df10 (libc.so.6:posix_memalign) redirected to 0x4837c10 (posix_memalign)
--76955-- REDIR: 0x5039250 (libstdc++.so.6:operator delete) redirected to 0x4837380 (operator delete)
--76955-- REDIR: 0x535cc50 (libc.so.6:free) redirected to 0x4836980 (free)
--76955-- REDIR: 0x542f760 (libc.so.6:__memchr_avx2) redirected to 0x4839c30 (memchr)
Error reading pixel data from image file "outputFuzz/crashes/id:000000,sig:11,src:000453,op:arith8,pos:107,val:+35". Error decompressing data (input data are shorter than expected).
==76955==
==76955== HEAP SUMMARY:
==76955== in use at exit: 8 bytes in 1 blocks
==76955== total heap usage: 386 allocs, 385 frees, 93,432,818 bytes allocated
==76955==
==76955== Searching for pointers to 1 not-freed blocks
==76955== Checked 171,992 bytes
==76955==
==76955== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
==76955== at 0x4835E2F: operator new(unsigned long) (vg_replace_malloc.c:334)
==76955== by 0x4D191BD: ThreadPool (IlmThreadPool.cpp:758)
==76955== by 0x4D191BD: IlmThread_2_3::ThreadPool::globalThreadPool() (IlmThreadPool.cpp:838)
==76955== by 0x48FA88D: Imf_2_3::globalThreadCount() (ImfThreading.cpp:51)
==76955== by 0x4058B8: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:83)
==76955== by 0x409D33: main (main.cpp:251)
==76955==
==76955== LEAK SUMMARY:
==76955== definitely lost: 8 bytes in 1 blocks
==76955== indirectly lost: 0 bytes in 0 blocks
==76955== possibly lost: 0 bytes in 0 blocks
==76955== still reachable: 0 bytes in 0 blocks
==76955== suppressed: 0 bytes in 0 blocks
==76955==
==76955== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==76955== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Attached the POC

poc.zip
Version
openexr-2.3

Found by:TAN JIE

[carnil]

This issue was assigned CVE-2018-18443

[pgajdos]

Where is the heap buffer overflow? I do not see it in valgrind output.

[kbabioch]

This seems to me like a memory leak and not like a heap-buffer overflow as indicated in the title.

[kdt3rd]

This memory leak should be fixed by PR #412