Hi,
I am running some experiments for AFLAPI and it has found a segmentation fault in FlacDecoderInternal::s_writeCallback when nqr::NyquistIO::Load a bad .flac file. This bug may allows attackers to cause DoS, so I report it here.
Environment: Ubuntu 20.04 + g++ 9.6.0
Test target: https://github.com/ddiakopoulos/libnyquist/blob/master/examples/src/Main.cpp
Poc:
segv1.zip
To reproduce:
- Complie the hole project with ASAN
- Complie the example with ASAN:
ubuntu@ubuntu:~/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src$ g++ -fsanitize=address -o example Main.cpp.o AudioDevice.cpp.o -llibnyquist -lrtaudio
- Run:
ASAN says:
ubuntu@ubuntu:~/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src$ ./example segv1.flac
[rtaudio] Found: 3 device(s)
Device: 0 - hw:Ensoniq AudioPCI,0
Device: 1 - hw:Ensoniq AudioPCI,1
Device: 2 - default
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1646422==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7efc7260ec30 bp 0x7ffd0d1b4a80 sp 0x7ffd0d1b41e8 T0)
==1646422==The signal is caused by a READ memory access.
==1646422==Hint: address points to the zero page.
#0 0x7efc7260ec2f (/lib/x86_64-linux-gnu/libc.so.6+0xbbc2f)
#1 0x7efc72b4a37e in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
#2 0x563605538c2d in FlacDecoderInternal::s_writeCallback(FLAC__StreamDecoder const*, FLAC__Frame const*, int const* const*, void*) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:164
#3 0x5636055ac8ae in write_audio_frame_to_client_ /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:2972
#4 0x56360559e1ac in read_frame_ /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:2146
#5 0x56360558cf7b in FLAC__stream_decoder_process_until_end_of_stream /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:1101
#6 0x5636055373b3 in FlacDecoderInternal::FlacDecoderInternal(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:66
#7 0x5636055361f0 in nqr::FlacDecoder::LoadFromPath(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:247
#8 0x5636054e7e4d in nqr::NyquistIO::Load(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/Common.cpp:47
#9 0x5636054cfaed in main /home/ubuntu/test/libnyquist/examples/src/Main.cpp:34
#10 0x7efc72577082 in __libc_start_main ../csu/libc-start.c:308
#11 0x5636054cf6dd in _start (/home/ubuntu/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src/example+0x826dd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbc2f)
==1646422==ABORTING
Impact:
An attacker can exploit this vulnerability by submitting a malicious elf file that exploits this bug which will result in a Denial of Service attack.
Hi,
I am running some experiments for AFLAPI and it has found a segmentation fault in
FlacDecoderInternal::s_writeCallbackwhennqr::NyquistIO::Loada bad .flac file. This bug may allows attackers to cause DoS, so I report it here.Environment: Ubuntu 20.04 + g++ 9.6.0
Test target: https://github.com/ddiakopoulos/libnyquist/blob/master/examples/src/Main.cpp
Poc:
segv1.zip
To reproduce:
ubuntu@ubuntu:~/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src$ g++ -fsanitize=address -o example Main.cpp.o AudioDevice.cpp.o -llibnyquist -lrtaudioASAN says:
Impact:
An attacker can exploit this vulnerability by submitting a malicious elf file that exploits this bug which will result in a Denial of Service attack.