Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Null pointer dereference in function calculate_beam(). #72

Open
Loginsoft-Research opened this issue Feb 4, 2020 · 3 comments
Open

Null pointer dereference in function calculate_beam(). #72

Loginsoft-Research opened this issue Feb 4, 2020 · 3 comments

Comments

@Loginsoft-Research
Copy link

What is the vulnerability?
Null pointer Dereference is discovered in abcm2ps (8.14.6-master). The same can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impacts when a victim opens a specially crafted file.

Affected version-: 8.14.6-master

Command-: ./abcm2ps $POC

Reproducer file-: Reproducer

Synopsis-: We discovered Null pointer dereference in calculate_beam() at draw.c:341. s->ts_prev is not being validated. Due to lack of validation of s->ts_prev, therefore it causes Null pointer dereference.

Vulnerable code-:

while (s->ts_prev->abc_type == ABC_T_NOTE
    		    && s->ts_prev->time == s->time
    		    && s->ts_prev->x > s1->xs)
    			s = s->ts_prev;

Debug-:

GDB-:

abcm2ps-8.14.6 (2019-11-05)
File NPD3
NPD3: error: Cannot identify meter top
  22 M:2}
       ^
NPD3: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                          ^
NPD3: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                           ^
NPD3: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                            ^
NPD3: error: Bad character
  31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
                                                    ^
NPD3: error: Bad character
  31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
                                                           ^
NPD3: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                        ^
NPD3: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                         ^
NPD3: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                          ^
NPD3: error: Cannot identify meter top
  34 M:| C
       ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                           ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                            ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                             ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                              ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                               ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                                ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                                 ^
NPD3: error: Bad character
  44   C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
                                    ^
NPD3: error: Bad character
  44   C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
                                     ^
NPD3: error: Decoration !fp! not defined
NPD3: error: Decoration !fp! not defined
NPD3: error: End of line found inside a tuplet
NPD3: error: Decoration !D,3/! not defined
NPD3: error: Decoration !26E,/! not defined
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'W'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'm'
NPD3: error: Bad character 'i'

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0000555555981028  →  0x0000555555981278  →  0x00005555559815f8  →  0x0000555555981848  →  0x0000555555981a98  →  0x0000555555981ce8  →  0x0000555555981f38  →  0x0000555555982188
$rbx   : 0x000055555593ade0  →  0x0000555555969460  →  0x0000000000000000
$rcx   : 0x00005555559815f8  →  0x0000555555981848  →  0x0000555555981a98  →  0x0000555555981ce8  →  0x0000555555981f38  →  0x0000555555982188  →  0x00005555559823d8  →  0x0000555555982628
$rdx   : 0x0               
$rsp   : 0x00007fffffffdc00  →  0x0000555555657e06  →  <set_pitch+2662> mov rax, QWORD PTR [rsp+0x10]
$rbp   : 0x0               
$rsi   : 0x0               
$rdi   : 0xffffffff        
$rip   : 0x00005555555c332c  →  <calculate_beam+10412> cmp BYTE PTR [rbp+0x38], 0x4
$r8    : 0x0               
$r9    : 0x0               
$r10   : 0x00007fffffffdc90  →  0x0000000000000000
$r11   : 0x13e0            
$r12   : 0x0000555555981028  →  0x0000555555981278  →  0x00005555559815f8  →  0x0000555555981848  →  0x0000555555981a98  →  0x0000555555981ce8  →  0x0000555555981f38  →  0x0000555555982188
$r13   : 0x1               
$r14   : 0x1               
$r15   : 0x0               
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffdc00│+0x0000: 0x0000555555657e06  →  <set_pitch+2662> mov rax, QWORD PTR [rsp+0x10]	 ← $rsp
0x00007fffffffdc08│+0x0008: 0x0000000000000000
0x00007fffffffdc10│+0x0010: 0x0000000000000004
0x00007fffffffdc18│+0x0018: 0x0000000041e89d7b
0x00007fffffffdc20│+0x0020: 0x0000007955655bba
0x00007fffffffdc28│+0x0028: 0x034a2b510999999a
0x00007fffffffdc30│+0x0030: 0x0000000000000000
0x00007fffffffdc38│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x5555555c331c <calculate_beam+10396> mov    rdx, QWORD PTR [rsp]
   0x5555555c3320 <calculate_beam+10400> lea    rsp, [rsp+0x98]
   0x5555555c3328 <calculate_beam+10408> mov    rbp, QWORD PTR [rax+0x28]
 → 0x5555555c332c <calculate_beam+10412> cmp    BYTE PTR [rbp+0x38], 0x4
   0x5555555c3330 <calculate_beam+10416> je     0x5555555c3260 <calculate_beam+10208>
   0x5555555c3336 <calculate_beam+10422> xchg   ax, ax
   0x5555555c3338 <calculate_beam+10424> lea    rsp, [rsp-0x98]
   0x5555555c3340 <calculate_beam+10432> mov    QWORD PTR [rsp], rdx
   0x5555555c3344 <calculate_beam+10436> mov    QWORD PTR [rsp+0x8], rcx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:draw.c+341 ────
    336	 		b += ys;
    337	 	} else if (!(s1->flags & ABC_F_GRACE)) {	/* normal notes */
    338	 		float stem_err, beam_h;
    339	 
    340	 		beam_h = BEAM_DEPTH + BEAM_SHIFT * (nflags - 1);
 →  341	 		while (s->ts_prev->abc_type == ABC_T_NOTE
    342	 		    && s->ts_prev->time == s->time
    343	 		    && s->ts_prev->x > s1->xs)
    344	 			s = s->ts_prev;
    345	 
    346	 		for (; s && s->time <= s2->time; s = s->ts_next) {
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555c332c → calculate_beam(bm=0x7fffffffdc90, s1=0x555555981028)
[#1] 0x5555555f261a → draw_sym_near()
[#2] 0x55555567d748 → delayed_output(indent=0)
[#3] 0x55555567d748 → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x55555556a9b1 → abc_eof()
[#8] 0x55555563285d → frontend(s=0x55555597aeba "", ftype=<optimized out>, fname=<optimized out>, linenum=0x2c)
[#9] 0x5555555614c1 → treat_file(fn=<optimized out>, ext=<optimized out>)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00005555555c332c in calculate_beam (bm=bm@entry=0x7fffffffdc90, s1=s1@entry=0x555555981028) at draw.c:341
341			while (s->ts_prev->abc_type == ABC_T_NOTE
gef➤  p s->ts_prev 
$9 = (struct SYMBOL *) 0x0
gef➤  p s->ts_prev->abc_type 
Cannot access memory at address 0x38
gef➤  i r
rax            0x555555981028	0x555555981028
rbx            0x55555593ade0	0x55555593ade0
rcx            0x5555559815f8	0x5555559815f8
rdx            0x0	0x0
rsi            0x0	0x0
rdi            0xffffffff	0xffffffff
rbp            0x0	0x0
rsp            0x7fffffffdc00	0x7fffffffdc00
r8             0x0	0x0
r9             0x0	0x0
r10            0x7fffffffdc90	0x7fffffffdc90
r11            0x13e0	0x13e0
r12            0x555555981028	0x555555981028
r13            0x1	0x1
r14            0x1	0x1
r15            0x0	0x0
rip            0x5555555c332c	0x5555555c332c <calculate_beam+10412>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

Valgrind-:

abcm2ps-8.14.6 (2019-11-05)
File NPD3
NPD3:22:2: error: Cannot identify meter top
  22 M:2}
       ^
NPD3:27:69: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                          ^
NPD3:27:70: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                           ^
NPD3:27:71: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                            ^
NPD3:31:47: error: Bad character
  31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
                                                    ^
NPD3:31:54: error: Bad character
  31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
                                                           ^
NPD3:32:19: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                        ^
NPD3:32:20: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                         ^
NPD3:32:21: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                          ^
NPD3:34:2: error: Cannot identify meter top
  34 M:| C
       ^
NPD3:42:11: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                ^
NPD3:42:54: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                           ^
NPD3:42:55: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                            ^
NPD3:42:56: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                             ^
NPD3:42:57: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                              ^
NPD3:42:58: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                               ^
NPD3:42:59: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                                ^
NPD3:42:60: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                                 ^
NPD3:44:31: error: Bad character
  44   C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
                                    ^
NPD3:44:32: error: Bad character
  44   C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
                                     ^
NPD3:26:4: error: Decoration !fp! not defined
NPD3:27:7: error: Decoration !fp! not defined
NPD3:27:66: error: End of line found inside a tuplet
NPD3:31:56: error: Decoration !D,3/! not defined
NPD3:31:56: error: Decoration !26E,/! not defined
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'W'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'm'
NPD3:42:2: error: Bad character 'i'
==7849== Invalid read of size 1
==7849==    at 0x12006F: calculate_beam (draw.c:341)
==7849==    by 0x126BA7: draw_sym_near (draw.c:4120)
==7849==    by 0x13828B: delayed_output (music.c:5059)
==7849==    by 0x13828B: output_music (music.c:5114)
==7849==    by 0x13D9C0: generate (parse.c:1041)
==7849==    by 0x13DF27: gen_ly (parse.c:1062)
==7849==    by 0x143F07: do_tune (parse.c:3635)
==7849==    by 0x112548: abc_eof (abcparse.c:202)
==7849==    by 0x12E220: frontend (front.c:905)
==7849==    by 0x110F1C: treat_file (abcm2ps.c:240)
==7849==    by 0x11013B: main (abcm2ps.c:1041)
==7849==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
Segmentation fault
moinejf added a commit that referenced this issue Feb 5, 2020
@moinejf
fix: crash when %%score with no common voices and next notes with beams
61743f7 
Issue #72.
There were bad time links due to a bad fix in the version 8.13.12
(loss of measure bar when followed by %%score and voice absent).
@moinejf
Copy link
Collaborator

moinejf commented Feb 5, 2020

Fixed.
Thanks.

@timmbo9
Copy link

timmbo9 commented Feb 6, 2020 via email

moinejf added a commit that referenced this issue Feb 6, 2020
@moinejf
fix: bad parsing of the note duration again
d810329 
Regression due to wrong code in the commmit [f985cf1].
Issues #68 and #72
@moinejf
Copy link
Collaborator

moinejf commented Feb 6, 2020

Indeed, I should have done more tests! Many thanks, Timm.

@chibataiki chibataiki mentioned this issue May 10, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@moinejf @timmbo9 @Loginsoft-Research