Null pointer dereference in function calculate_beam() – abcm2ps – 1.8.2
Loginsoft-2020-1001
5 February 2020
CVE Number
CWE
CWE-476: NULL Pointer Dereference
Product Details
abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format.
URL: https://github.com/leesavide/abcm2ps
Vulnerable Versions
1.8.2
Vulnerability Details
As per our research, we discovered a NULL pointer dereference in draw_bar() in draw.c. The loop that walks back through the symbol list never checks s2 for NULL before reading s2->abc_type, so when no ABC_T_REST symbol precedes the bar, s2 runs past the head of the list and the read faults. A crafted ABC file can therefore crash the program, which amounts to a denial of service.
SYNOPSIS
In Progress
Vulnerable source code (draw.c, draw_bar())
for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
    ;
putxy(s2->x, yb + 12);
a2b("mrep\n");
Analysis
GDB (gef):
[ Legend: Modified register | Code | Heap | Stack | String ]
──────── registers ────
$rax : 0x200
$rbx : 0x0
$rcx : 0x200
$rdx : 0x000055555593b208 → 0x0000555555970168 → 0x0000000000000000
$rsp : 0x00007fffffffd180 → 0x0000000000000000
$rbp : 0x000055555593b220 → 0x001800003f800000
$rsi : 0x0
$rdi : 0x0000555555943300 → 0x0000000000000031 ("1"?)
$rip : 0x00005555556092c4 → cmp BYTE PTR [rsi+0x38], 0x5
$r8 : 0x1
$r9 : 0x00007fffffffd0a0 → 0x0000003000000008
$r10 : 0x00007fffffffd0c0 → 0x0000000000000000
$r11 : 0x0
$r12 : 0x000055555598b078 → 0x000055555598b2d0 → 0x000055555598b520 → 0x000055555598b770 → 0x000055555598b9c0 → 0x000055555598bc10 → 0x000055555598be60 → 0x000055555598c0b0
$r13 : 0x1
$r14 : 0x1
$r15 : 0x000055555593ade0 → 0x000055555598e2a8 → 0x0000000000000000
$eflags: [zero CARRY parity ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────── stack ────
0x00007fffffffd180│+0x0000: 0x0000000000000000 ← $rsp
0x00007fffffffd188│+0x0008: 0xc0478000bf800000
0x00007fffffffd190│+0x0010: 0x00007fff43a060a1
0x00007fffffffd198│+0x0018: 0x00007ffff6816209 → mov ebx, eax
0x00007fffffffd1a0│+0x0020: 0x00007fffc2ea0000
0x00007fffffffd1a8│+0x0028: 0x430c0000ffffd3b0
0x00007fffffffd1b0│+0x0030: 0x00000001428c0000
0x00007fffffffd1b8│+0x0038: 0x00007fffc2ea0000
──────── code:x86:64 ────
0x5555556092b4 mov rdx, QWORD PTR [rsp]
0x5555556092b8 lea rsp, [rsp+0x98]
0x5555556092c0 mov rsi, QWORD PTR [rsi+0x18]
→ 0x5555556092c4 cmp BYTE PTR [rsi+0x38], 0x5
0x5555556092c8 jne 0x5555556092c0
0x5555556092ca xchg ax, ax
0x5555556092cc lea rsp, [rsp-0x98]
0x5555556092d4 mov QWORD PTR [rsp], rdx
0x5555556092d8 mov QWORD PTR [rsp+0x8], rcx
──────── source:draw.c+1211 ────
1206 if (s->u.bar.len != 0) {
1207 struct SYMBOL *s2;
1208
1209 set_scale(s);
1210 if (s->u.bar.len == 1) {
→ 1211 for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
1212 ;
1213 putxy(s2->x, yb + 12);
1214 a2b("mrep\n");
1215 } else {
1216 putxy(x, yb + 12);
──────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────── trace ────
[#0] 0x5555556092c4 → draw_bar(h=70, bot=-117, s=0x55555598b078)
[#1] 0x5555556092c4 → draw_systems(indent=0)
[#2] 0x55555567d76b → delayed_output(indent=0)
[#3] 0x55555567d76b → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x555555579865 → abc_parse(p=0x55555597b5f0 "", fname=0x5555559511d0 " NPD2", ln=0x26)
[#8] 0x555555633893 → txt_add_eos(linenum=0x26, fname=)
[#9] 0x555555633893 → frontend(s=, ftype=, fname=, linenum=)
────────────────────────
0x00005555556092c4 in draw_bar (h=70, bot=-117, s=0x55555598b078) at draw.c:1211
1211 for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
gef➤ p s2
$3 = (struct SYMBOL *) 0x0
gef➤ p s2->abc_type
Cannot access memory at address 0x38
gef➤ x s2->abc_type
Cannot access memory at address 0x38
Valgrind:
abcm2ps-8.14.6 (2019-11-05)
File NPD2
NPD2:20:36: error: Not a note
20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,#][B,,F,]- [B,,4F,4]|
^
NPD2:32:24: error: Not a note
32 !fp![E,4G,4C4]- [E,3/G,3 program 53
^
NPD2:32:32: error: Not a note
32 !fp![E,4G,4C4]- [E,3/G,3 program 53
^
NPD2:32:17: error: Chord not closed
32 !fp![E,4G,4C4]- [E,3/G,3 program 53
^
NPD2:34:23: error: Not a note
34 !fp!!3![=B,4D4F4]- [B,3?D3/F3/][B,/D/F/][U,3/D3/G3/][B,/D/A/] ([B,4D4A4]!...
^
NPD2:34:42: error: Not a note
34 !fp!!3![=B,4D4F4]- [B,3?D3/F3/][B,/D/F/][U,3/D3/G3/][B,/D/A/] ([B,4D4A4]!...
^
NPD2:36:21: error: Non standard measure repeat syntax
36 [C,,4E,,4G,,4C,4]- [3/]!2!E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z _A,,|\
^
NPD2:32:16: error: Bad character 'm'
NPD2:32:16: error: Bad character 'r'
NPD2:32:16: error: Bad character 'o'
NPD2:32:16: error: Bad character 'r'
NPD2:32:16: error: Bad character 'p'
NPD2:34:40: error: Bad character 'U'
NPD2:34:84: error: Decoration !3Trompette! not defined
NPD2:36:19: warning: Line underfull (270pt of 682pt)
NPD2:32:4: error: Bad tie
==15190== Invalid read of size 1
==15190==    at 0x128E32: draw_bar (draw.c:1211)
==15190==    by 0x128E32: draw_systems (draw.c:4593)
==15190==    by 0x1382AE: delayed_output (music.c:5063)
==15190==    by 0x1382AE: output_music (music.c:5114)
==15190==    by 0x13D9C0: generate (parse.c:1041)
==15190==    by 0x13DF27: gen_ly (parse.c:1062)
==15190==    by 0x143F07: do_tune (parse.c:3635)
==15190==    by 0x115B61: abc_parse (abcparse.c:179)
==15190==    by 0x12DEE3: txt_add_eos (front.c:379)
==15190==    by 0x12E373: frontend (front.c:891)
==15190==    by 0x110F1C: treat_file (abcm2ps.c:240)
==15190==    by 0x11013B: main (abcm2ps.c:1041)
==15190==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
Segmentation fault
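To illustrate the defect and its mitigation, the following is an added example written for this advisory, not abcm2ps's own code: the backward walk from draw.c:1211 next to a NULL-checked version, run over a hypothetical trimmed SYMBOL struct and two constructed symbol lists (one without any rest, which is the crashing shape, and one with a rest at the head).

```c
#include <stddef.h>
/* Hypothetical, trimmed stand-in for abcm2ps's struct SYMBOL: only the
 * fields the draw_bar() loop touches (constructed for this example). */
enum { ABC_T_NOTE = 1, ABC_T_REST = 2, ABC_T_BAR = 3 };

struct SYMBOL {
    struct SYMBOL *prev;
    int abc_type;
    float x;
};

/* Vulnerable walk, shaped like draw.c:1211: it stops only on a rest.
 * When no rest precedes the bar, s2 becomes the list head's NULL prev
 * and the next s2->abc_type read faults (the 0x38 address in the dumps). */
struct SYMBOL *find_prev_rest_vuln(struct SYMBOL *s)
{
    struct SYMBOL *s2;
    for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
        ;
    return s2;
}

/* Hardened walk: test s2 for NULL before each dereference and hand a
 * NULL back to the caller, which can then skip the "mrep" output. */
struct SYMBOL *find_prev_rest_safe(struct SYMBOL *s)
{
    struct SYMBOL *s2;
    for (s2 = s->prev; s2 != NULL && s2->abc_type != ABC_T_REST; s2 = s2->prev)
        ;
    return s2;
}

/* Caller mirroring the putxy(s2->x, ...) step: returns the x that would be
 * emitted, or -1 when there is no rest to anchor the measure repeat on. */
float measure_repeat_x(struct SYMBOL *bar)
{
    struct SYMBOL *s2 = find_prev_rest_safe(bar);
    return s2 != NULL ? s2->x : -1.0f;
}

/* Constructed list with no rest: note1 <- note2 <- bar (crash case). */
struct SYMBOL sym_note1 = { NULL, ABC_T_NOTE, 10.0f };
struct SYMBOL sym_note2 = { &sym_note1, ABC_T_NOTE, 20.0f };
struct SYMBOL sym_bar   = { &sym_note2, ABC_T_BAR, 30.0f };

/* Constructed list with a rest at the head: both walks return it. */
struct SYMBOL sym_rest  = { NULL, ABC_T_REST, 5.0f };
struct SYMBOL sym_note3 = { &sym_rest, ABC_T_NOTE, 15.0f };
struct SYMBOL sym_bar2  = { &sym_note3, ABC_T_BAR, 25.0f };
```

Calling find_prev_rest_vuln(&sym_bar) reproduces the fault; the hardened walk returns NULL for the same list and the caller falls back gracefully.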
Proof of Concept
./abcm2ps $POC
Vendor Disclosure: 2020-02-04
Public Disclosure: 2020-02-05
Credit
Discovered by ACE Team – Loginsoft