CVE-2016-9297: read outside of buffer in libtiff

I was assigned CVE-2016-9297 today for a read outside of buffer flaw that I found in libtiff. libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data, and is found in web browsers and mobile devices used around the world. The AddressSanitizer trace below shows what the flaw looks like from tiffinfo: TIFFPrintDirectory hands a tag value to fputs(), and the strlen() inside it reads past the end of the value until it reaches an unmapped page. The faulting address, 0x7faf9b2d2000, is a page boundary, which is the usual signature of a string function walking off the end of a mapping.

ASAN:SIGSEGV
=================================================================
==6884==ERROR: AddressSanitizer: SEGV on unknown address 0x7faf9b2d2000 (pc 0x7faf999ecd10 sp 0x7ffe26e325b8 bp 0x7faf9b2d1fff T0)
#0 0x7faf999ecd0f in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x81d0f)
#1 0x7faf999d52ee in _IO_fputs (/lib/x86_64-linux-gnu/libc.so.6+0x6a2ee)
#2 0x490376 in _TIFFPrintField /root/libtiff/libtiff/tif_print.c:127
#3 0x490376 in TIFFPrintDirectory /root/libtiff/libtiff/tif_print.c:647
#4 0x405545 in tiffinfo /root/libtiff/tools/tiffinfo.c:463
#5 0x405545 in main /root/libtiff/tools/tiffinfo.c:152
#6 0x7faf9998cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#7 0x40648c (/root/libtiff/tools/tiffinfo+0x40648c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strlen
==6884==ABORTING
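The pattern behind that trace, as an added example that is not code from this post or from libtiff (struct ascii_tag, read_ascii_tag, the two printers, sample_tag_terminated and the SAMPLE_FILE bytes are all hypothetical stand-ins for the real directory reader and _TIFFPrintField): a TIFF ASCII tag value arrives as a byte count from the directory entry plus a buffer of exactly that many bytes, and whether a NUL sits inside is entirely up to whoever wrote the file. The unsafe printer passes the buffer straight to fputs(); the checked one first confirms a terminator within the declared count and rejects the value otherwise.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a TIFF ASCII tag value as a directory reader hands it
 * around: the byte count from the directory entry plus a heap buffer holding
 * exactly that many bytes copied verbatim from the file. Nothing guarantees a NUL. */
struct ascii_tag {
    uint32_t count;
    char    *value;
};

/* Bounds-check the value against the file, then copy it into an allocation of
 * exactly `count` bytes. Returns 0 on success, -1 on a bad directory entry. */
int read_ascii_tag(const uint8_t *file, size_t file_len, size_t offset,
                   uint32_t count, struct ascii_tag *out)
{
    if (count == 0 || offset > file_len || count > file_len - offset)
        return -1;                  /* value would run off the end of the file */
    out->value = malloc(count);
    if (out->value == NULL)
        return -1;
    memcpy(out->value, file + offset, count);
    out->count = count;
    return 0;
}

/* The one check that makes the buffer safe for strlen()/fputs():
 * is there a NUL somewhere within the declared count? */
int ascii_tag_is_terminated(const struct ascii_tag *t)
{
    return memchr(t->value, '\0', t->count) != NULL;
}

/* Unsafe printer, the shape of the crash in the trace above: the value is used
 * as a C string, so if the file omitted the NUL, strlen() inside fputs() reads on
 * past the end of the malloc'd block. */
void print_field_unsafe(FILE *fp, const struct ascii_tag *t)
{
    fputs(t->value, fp);
}

/* Hardened printer: reject the value unless it is terminated.
 * Returns 0 if printed, -1 if rejected. */
int print_field_checked(FILE *fp, const struct ascii_tag *t)
{
    if (!ascii_tag_is_terminated(t))
        return -1;
    fputs(t->value, fp);
    return 0;
}

/* Constructed sample "file": two ASCII values back to back. The first is
 * terminated ("ok" plus NUL, count 3); the second is "BADBAD" with no NUL and a
 * directory entry claiming count 6, so the allocation ends right after the D. */
static const uint8_t SAMPLE_FILE[] = { 'o', 'k', '\0', 'B', 'A', 'D', 'B', 'A', 'D' };

/* Read one value from SAMPLE_FILE: 1 if NUL-terminated, 0 if not,
 * -1 if the directory entry itself is rejected. */
int sample_tag_terminated(size_t offset, uint32_t count)
{
    struct ascii_tag t;
    int r;
    if (read_ascii_tag(SAMPLE_FILE, sizeof SAMPLE_FILE, offset, count, &t) != 0)
        return -1;
    r = ascii_tag_is_terminated(&t);
    free(t.value);
    return r;
}

/* Print both values through the checked printer. Returns a bitmask: bit 0 if
 * the good value printed, bit 1 if the unterminated one was rejected (so 3). */
int demo(FILE *fp)
{
    struct ascii_tag good, bad;
    int result = 0;
    if (read_ascii_tag(SAMPLE_FILE, sizeof SAMPLE_FILE, 0, 3, &good) != 0)
        return -1;
    if (read_ascii_tag(SAMPLE_FILE, sizeof SAMPLE_FILE, 3, 6, &bad) != 0) {
        free(good.value);
        return -1;
    }
    if (print_field_checked(fp, &good) == 0)
        result |= 1;
    if (print_field_checked(fp, &bad) == -1)
        result |= 2;
#ifdef TRIGGER_OVERREAD
    /* cc -g -fsanitize=address -DTRIGGER_OVERREAD ...: ASAN flags the
     * strlen() over-read on the unterminated value right here. */
    print_field_unsafe(fp, &bad);
#endif
    free(good.value);
    free(bad.value);
    return result;
}

int main(void)
{
    int r = demo(stdout);
    printf("\nresult = %d (expect 3)\n", r);
    return r == 3 ? 0 : 1;
}
```

Built normally, the program only exercises the checked path and exits 0. Built with -fsanitize=address and -DTRIGGER_OVERREAD it also calls the unsafe printer on the unterminated value; in this small model ASAN reports that as a heap-buffer-overflow in strlen, whereas in the tiffinfo trace above the read kept going until it hit an unmapped page and surfaced as a SEGV, but the root cause is the same. The other common remedy is to allocate count + 1 bytes at read time and force a NUL; either way the invariant to enforce is that no string function ever sees a tag value whose terminator has not been verified.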

It was found with the assistance of my favorite tool, American Fuzzy Lop, which you can find here. If you appreciate the work I'm doing, please support continued fuzzing on Patreon.

Geeknik Labs


Comments

Nice!
I have a few questions on how you approach fuzzing in general. I would greatly appreciate your input!
- Do you run AFL on 64-bit binaries? I've read that ASAN and 64 bits do not work well together, but based on your PoCs it seems you are doing it successfully.
- I've used ASAN for a few targets and haven't come across the usual output that includes AddressSanitizer metadata, even though it did cause some heap overflows... am I doing something wrong? If I understand correctly you just need to supply the env var at compile time, and then all ASAN findings would be added as a regular AFL crash. Is that right?
Thanks for your time and continued fuzzing efforts :)
2017-01-05, mx

I always compile 64-bit. There are some caveats with using ASAN with 64-bit binaries, but I haven't run into any issues that I couldn't overcome.
I use AFL_USE_ASAN=1 when compiling, but sometimes it is necessary to add CFLAGS="-fsanitize=address" and/or LDFLAGS="-fsanitize=address".
2017-01-05, geeknik

