oss-sec mailing list archives
libmirage: NULL pointer dereference in mirage_stream_get_filename (stream.c)
From: Agostino Sarubbo <ago () gentoo org>
Date: Mon, 21 Aug 2017 15:37:42 +0200
There is a NULL pointer dereference in libmirage when handling .dmg/.isz files. The bug was found via mirage2iso (https://github.com/mgorny/mirage2iso), which uses libmirage to convert various CD/DVD image formats into .iso. The bug was initially spotted by Michał Górny, so the credit goes to him. I hit the bug too and I'm pointing out the security implication.

The complete ASan output of the issue:

# mirage2iso $FILE out.iso
==22879==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9c67f5dde9 bp 0x7f9c5e533e26 sp 0x7ffeb47ffe20 T0)
==22879==The signal is caused by a READ memory access.
==22879==Hint: address points to the zero page.
    #0 0x7f9c67f5dde8 in mirage_stream_get_filename /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/stream.c:61
    #1 0x7f9c5e5306c8 in mirage_filter_stream_dmg_open_streams /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/filters/filter-dmg/filter-stream.c:603
    #2 0x7f9c5e5306c8 in mirage_filter_stream_dmg_open /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/filters/filter-dmg/filter-stream.c:719
    #3 0x7f9c67f5726c in mirage_filter_stream_open /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/filter-stream.c:209
    #4 0x7f9c67f53aa5 in mirage_context_create_input_stream /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/context.c:471
    #5 0x7f9c67f53bea in mirage_context_load_image /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/context.c:359
    #6 0x50d6ca in miragewrap_open /var/tmp/portage/app-cdr/mirage2iso-0.4.2/work/mirage2iso-0.4.2/src/mirage-wrapper.c:87:9
    #7 0x50a3cb in main /var/tmp/portage/app-cdr/mirage2iso-0.4.2/work/mirage2iso-0.4.2/src/mirage2iso.c:281:7
    #8 0x7f9c66e38680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x41ab98 in _start (/usr/bin/mirage2iso+0x41ab98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/stream.c:61 in mirage_stream_get_filename
==22879==ABORTING

Testcase:
https://github.com/mgorny/mirage2iso/blob/master/tests/21_hdiutil_ulfo.dmg

Upstream bug report:
https://sourceforge.net/p/cdemu/bugs/105/

Upstream commit:
https://sourceforge.net/p/cdemu/code/ci/d874b3b1bc86b94b1f323d7df9e665279fb966cb/

A CVE request was not requested.

--
Agostino Sarubbo
Gentoo Linux Developer
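As an added illustration of the bug class the trace above points at (this is not libmirage's code and not the upstream fix; every name here is hypothetical): a filter opening the part streams of a multi-part image gets NULL back for a part that cannot be opened, and a getter that dereferences its argument unconditionally then faults on the zero page, exactly as ASan reports. The hardened version has the getter refuse NULL and has the caller treat a missing part as an open failure instead of continuing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a stream object (not libmirage's type). */
typedef struct {
    const char *filename;
} Stream;

/* Unchecked getter: dereferences whatever it is handed, so a NULL
   stream becomes a read from the zero page (the SEGV in the report). */
const char *stream_get_filename_unchecked(const Stream *s)
{
    return s->filename;
}

/* Hardened getter: a NULL stream yields NULL instead of a fault, so the
   caller gets a value it can test. */
const char *stream_get_filename(const Stream *s)
{
    if (s == NULL)
        return NULL;
    return s->filename;
}

/* Constructed image with two parts; asking for any other index models a
   part that fails to open and returns NULL. */
static const Stream parts[] = { { "image.part0" }, { "image.part1" } };

const Stream *open_part_stream(size_t idx)
{
    if (idx >= sizeof(parts) / sizeof(parts[0]))
        return NULL;
    return &parts[idx];
}

/* Opens `count` part streams and records their names. Returns 0 on
   success and -1 as soon as a part cannot be opened, instead of handing
   a NULL stream on to further processing. */
int open_streams(size_t count, char out_names[][64])
{
    for (size_t i = 0; i < count; i++) {
        const Stream *s = open_part_stream(i);
        const char *name = stream_get_filename(s);
        if (name == NULL) {
            fprintf(stderr, "part %zu: failed to open stream\n", i);
            return -1;
        }
        strncpy(out_names[i], name, 63);
        out_names[i][63] = '\0';
    }
    return 0;
}
```

The two changes are independent and both are worth having: the NULL check in the getter stops a crash in any caller, while the check in the caller turns a truncated or malformed image into a clean error at the point where the failure actually happened.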