Opened 6 years ago

Closed 6 years ago

#7249 closed defect (fixed)

Multi heap-buffer-overflow in memBitRead() of gdal-2.2.3

Reported by: leonzhao7 Owned by: warmerdam
Priority: high Milestone: 2.3.0
Component: default Version: 2.2.3
Severity: critical Keywords: overflow
Cc:

Description

Overview

The memBitRead() function at frmts/grib/degrib18/degrib/memendian.c in gdal 2.2.3 may result in multiple heap-buffer-overflows via a crafted file.

Tested Version

gdal 2.2.3

Steps to Reproduce

./gdalinfo $POC

Additional info

Ubuntu 16.04, x64

Crash Information

One of gdalinfo's output with address sanitizer enabled

/opt/asan/gdal/bin/gdalinfo gdal-memendian-memBitRead-262-overflow 
Un-handled possible ensemble section center 0 subcenter 21
Warning: Inside GRIB2Inventory, Message # 2
ERROR: Ran out of file reading SECT0
There were 491 trailing bytes in the file.
Un-handled possible ensemble section center 0 subcenter 21
numPts * (numBits in a Group) + # of unused bits 820905615 != # of available bits -88
=================================================================
==61740==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000707c at pc 0x00000060d8ed bp 0x7ffd57349760 sp 0x7ffd57349750
READ of size 1 at 0x61100000707c thread T0
    #0 0x60d8ec in memBitRead degrib18/degrib/memendian.c:262
    #1 0xe2716e in ReadGrib1Sect4 degrib18/degrib/degrib1.cpp:1601
    #2 0xe2871b in ReadGrib1Record(DataSource&, signed char, double**, unsigned int*, grib_MetaData*, IS_dataType*, int*, unsigned int, double, double) degrib18/degrib/degrib1.cpp:1831
    #3 0xe2c717 in ReadGrib2Record degrib18/degrib/degrib2.cpp:887
    #4 0x4a49f6 in GRIBRasterBand::ReadGribData(DataSource&, int, int, double**, grib_MetaData**) /root/gdal-2.2.3/frmts/grib/gribdataset.cpp:398
    #5 0x4a5ca8 in GRIBDataset::Open(GDALOpenInfo*) /root/gdal-2.2.3/frmts/grib/gribdataset.cpp:628
    #6 0x8aa7c4 in GDALOpenEx /root/gdal-2.2.3/gcore/gdaldataset.cpp:2817
    #7 0x40ed0d in main /root/gdal-2.2.3/apps/gdalinfo_bin.cpp:131
    #8 0x7fabd24a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x40e7a8 in _start (/opt/asan/gdal/bin/gdalinfo+0x40e7a8)

0x61100000707c is located 0 bytes to the right of 252-byte region [0x611000006f80,0x61100000707c)
allocated by thread T0 here:
    #0 0x7fabd451b961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0xe277b3 in ReadGrib1Record(DataSource&, signed char, double**, unsigned int*, grib_MetaData*, IS_dataType*, int*, unsigned int, double, double) degrib18/degrib/degrib1.cpp:1713
    #2 0xe2c717 in ReadGrib2Record degrib18/degrib/degrib2.cpp:887
    #3 0x4a49f6 in GRIBRasterBand::ReadGribData(DataSource&, int, int, double**, grib_MetaData**) /root/gdal-2.2.3/frmts/grib/gribdataset.cpp:398
    #4 0x4a5ca8 in GRIBDataset::Open(GDALOpenInfo*) /root/gdal-2.2.3/frmts/grib/gribdataset.cpp:628
    #5 0x8aa7c4 in GDALOpenEx /root/gdal-2.2.3/gcore/gdaldataset.cpp:2817
    #6 0x40ed0d in main /root/gdal-2.2.3/apps/gdalinfo_bin.cpp:131
    #7 0x7fabd24a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow degrib18/degrib/memendian.c:262 memBitRead
Shadow bytes around the buggy address:
  0x0c227fff8db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
  0x0c227fff8e10: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8e30: 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==61740==ABORTING
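The sanitizer report above shows memBitRead() reading one byte just past the end of a 252-byte heap region, and the degrib message just before it shows the group-size consistency check failing with a negative "available bits" count. As an added example (not GDAL's or degrib's code), the block below shows the two defensive checks a packed-bit reader for this kind of format needs: a bit reader that refuses any read that would run past the buffer, and an overflow-safe version of the "numPts * numBits + unused bits == available bits" check. The names BitReader, bitread_get, validate_group_bits, read_sample and the SAMPLE bytes are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounds-checked MSB-first bit reader (added example, not GDAL/degrib code). */
typedef struct {
    const uint8_t *buf;
    size_t bufLen;   /* bytes available in buf */
    size_t bitPos;   /* absolute bit offset of the next unread bit; invariant: bitPos <= bufLen*8 */
} BitReader;

int bitread_init(BitReader *br, const uint8_t *buf, size_t bufLen) {
    if (buf == NULL || bufLen > SIZE_MAX / 8) return -1;  /* bufLen*8 must not overflow */
    br->buf = buf;
    br->bufLen = bufLen;
    br->bitPos = 0;
    return 0;
}

/* Read numBits (1..32) bits into *out. Returns 0 on success, -1 if the read would
 * touch bytes beyond bufLen; on failure nothing is consumed and no byte is read. */
int bitread_get(BitReader *br, unsigned numBits, uint32_t *out) {
    if (numBits == 0 || numBits > 32) return -1;
    size_t totalBits = br->bufLen * 8;
    if (numBits > totalBits - br->bitPos) return -1;   /* the check the crash above lacked */
    uint32_t v = 0;
    for (unsigned i = 0; i < numBits; i++) {
        size_t byte = br->bitPos >> 3;
        unsigned bit = 7 - (unsigned)(br->bitPos & 7);
        v = (v << 1) | ((br->buf[byte] >> bit) & 1u);
        br->bitPos++;
    }
    *out = v;
    return 0;
}

/* Overflow-safe layout check: numPts*numBits + unusedBits must equal availBytes*8.
 * Every arithmetic step is guarded so a crafted header cannot wrap the sum (the
 * log line above shows the unguarded version ending up with a negative count). */
int validate_group_bits(size_t numPts, unsigned numBits, size_t unusedBits, size_t availBytes) {
    if (numBits > 32) return -1;
    if (numPts != 0 && numBits > SIZE_MAX / numPts) return -1;   /* multiplication overflow */
    size_t needed = numPts * numBits;
    if (unusedBits > SIZE_MAX - needed) return -1;               /* addition overflow */
    needed += unusedBits;
    if (availBytes > SIZE_MAX / 8) return -1;
    return (needed == availBytes * 8) ? 0 : -1;
}

/* Constructed 4-byte sample: 1010 0101 | 0000 1111 | 1111 1111 | 0000 0000 */
static const uint8_t SAMPLE[4] = {0xA5, 0x0F, 0xFF, 0x00};

/* Skip skipBits, then read numBits from SAMPLE. Returns the value read, or
 * UINT32_MAX as a sentinel when either read is rejected for running past the end. */
uint32_t read_sample(unsigned skipBits, unsigned numBits) {
    BitReader br;
    uint32_t v = 0;
    if (bitread_init(&br, SAMPLE, sizeof SAMPLE) != 0) return UINT32_MAX;
    if (skipBits != 0 && bitread_get(&br, skipBits, &v) != 0) return UINT32_MAX;
    if (bitread_get(&br, numBits, &v) != 0) return UINT32_MAX;
    return v;
}

int main(void) {
    printf("first nibble: 0x%X\n", read_sample(0, 4));            /* 0xA */
    printf("33rd bit read rejected: %s\n",
           read_sample(32, 1) == UINT32_MAX ? "yes" : "no");     /* yes */
    printf("layout 63*4+4 == 256 bits: %s\n",
           validate_group_bits(63, 4, 4, 32) == 0 ? "ok" : "mismatch");
    return 0;
}
```

The reader checks `numBits > totalBits - bitPos` instead of `bitPos + numBits > totalBits` so the comparison itself cannot wrap; the same idea drives validate_group_bits, which rejects a header whose product or sum would overflow rather than letting it compare against a wrapped (possibly negative) value.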

Attachments (3)

gdal-memendian-memBitRead-245-overflow (859 bytes ) - added by leonzhao7 6 years ago.
POC file that crashes gdal-2.2.3 in memendian.c memBitRead()
gdal-memendian-memBitRead-262-overflow (817 bytes ) - added by leonzhao7 6 years ago.
POC file that crashes gdal-2.2.3 in memendian.c memBitRead()
gdal-memendian-memBitRead-288-overflow (1.1 KB ) - added by leonzhao7 6 years ago.
POC file that crashes gdal-2.2.3 in memendian.c memBitRead()


Change History (4)

by leonzhao7, 6 years ago

POC file that crashes gdal-2.2.3 in memendian.c memBitRead()

by leonzhao7, 6 years ago

POC file that crashes gdal-2.2.3 in memendian.c memBitRead()

by leonzhao7, 6 years ago

POC file that crashes gdal-2.2.3 in memendian.c memBitRead()

comment:1 by Even Rouault, 6 years ago

Milestone: 2.3.0
Resolution: fixed
Status: new → closed

I've verified that the issues are reproducible with GDAL 2.2, but no longer with GDAL trunk. Hundreds of security-related fixes have been done in trunk since GDAL 2.2, so I'd suggest you test against trunk.
