Null pointer dereference in function draw_bar() – abcm2ps – 1.8.2

Loginsoft-2020-1001

5 February 2020

CVE Number
CWE

CWE-476: NULL Pointer Dereference

Product Details

abcm2ps is a command-line program that converts ABC music notation into sheet music in PostScript or SVG format.
URL: https://github.com/leesavide/abcm2ps

Vulnerable Versions

1.8.2

Vulnerability Details

As per our research, we discovered a NULL pointer dereference in draw_bar() in draw.c. The loop that looks for the preceding rest walks s2 backwards through the prev links and reads s2->abc_type without first checking that s2 is non-NULL; when no rest precedes the measure repeat, s2 reaches NULL and the program crashes, which can be used for a denial of service attack.

SYNOPSIS

In Progress

Vulnerable source code (draw.c, function draw_bar()):

    for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
        ;
    putxy(s2->x, yb + 12);
    a2b("mrep\n");

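The loop above beside a NULL-safe version, as an added example that is not abcm2ps code: the struct layout, the field names and the ABC_T_* values are constructed stand-ins for the symbol list that draw_bar() walks.

```c
/* Added example, not abcm2ps code: a minimal stand-in for the symbol
 * list draw_bar() walks at draw.c:1211, with the unchecked loop beside
 * a NULL-safe one.  Struct layout and ABC_T_* values are constructed. */
#include <stddef.h>
enum { ABC_T_NOTE = 1, ABC_T_REST = 2, ABC_T_BAR = 3 }; /* made-up values */

struct SYMBOL {
    int abc_type;
    double x;
    struct SYMBOL *prev;      /* NULL at the head of the list */
};

/* Mirrors the vulnerable loop: if no rest precedes the bar, s2 reaches
 * the head's NULL prev and s2->abc_type faults (the SIGSEGV above). */
struct SYMBOL *find_prev_rest_unchecked(struct SYMBOL *s)
{
    struct SYMBOL *s2;
    for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
        ;
    return s2;
}

/* Hardened form: test s2 before dereferencing it and let the caller
 * handle "no preceding rest" (returns NULL) instead of crashing. */
struct SYMBOL *find_prev_rest(struct SYMBOL *s)
{
    struct SYMBOL *s2;
    for (s2 = s->prev; s2 != NULL && s2->abc_type != ABC_T_REST; s2 = s2->prev)
        ;
    return s2;
}

/* Constructed input 1: bar preceded by a note and a rest. Both walks agree. */
int demo_with_rest(void)
{
    struct SYMBOL rest = { ABC_T_REST, 10.0, NULL };
    struct SYMBOL note = { ABC_T_NOTE, 20.0, &rest };
    struct SYMBOL bar  = { ABC_T_BAR,  30.0, &note };
    return find_prev_rest(&bar) == &rest && find_prev_rest_unchecked(&bar) == &rest;
}

/* Constructed input 2: measure repeat with no rest before it, the shape
 * that crashes the unchecked loop; only the checked walk is called. */
int demo_without_rest(void)
{
    struct SYMBOL note1 = { ABC_T_NOTE, 10.0, NULL };
    struct SYMBOL note2 = { ABC_T_NOTE, 20.0, &note1 };
    struct SYMBOL bar   = { ABC_T_BAR,  30.0, &note2 };
    return find_prev_rest(&bar) == NULL;
}
```

The caller of the hardened walk must also skip the putxy() call when NULL comes back, otherwise the dereference just moves one line down.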
Analysis

DEBUG:

GDB (with GEF):

[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x200             
$rbx   : 0x0               
$rcx   : 0x200             
$rdx   : 0x000055555593b208  →  0x0000555555970168  →  0x0000000000000000
$rsp   : 0x00007fffffffd180  →  0x0000000000000000
$rbp   : 0x000055555593b220  →  0x001800003f800000
$rsi   : 0x0               
$rdi   : 0x0000555555943300  →  0x0000000000000031 ("1"?)
$rip   : 0x00005555556092c4  →   cmp BYTE PTR [rsi+0x38], 0x5
$r8    : 0x1               
$r9    : 0x00007fffffffd0a0  →  0x0000003000000008
$r10   : 0x00007fffffffd0c0  →  0x0000000000000000
$r11   : 0x0               
$r12   : 0x000055555598b078  →  0x000055555598b2d0  →  0x000055555598b520  →  0x000055555598b770  →  0x000055555598b9c0  →  0x000055555598bc10  →  0x000055555598be60  →  0x000055555598c0b0
$r13   : 0x1               
$r14   : 0x1               
$r15   : 0x000055555593ade0  →  0x000055555598e2a8  →  0x0000000000000000
$eflags: [zero CARRY parity ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd180│+0x0000: 0x0000000000000000	 ← $rsp
0x00007fffffffd188│+0x0008: 0xc0478000bf800000
0x00007fffffffd190│+0x0010: 0x00007fff43a060a1
0x00007fffffffd198│+0x0018: 0x00007ffff6816209  →   mov ebx, eax
0x00007fffffffd1a0│+0x0020: 0x00007fffc2ea0000
0x00007fffffffd1a8│+0x0028: 0x430c0000ffffd3b0
0x00007fffffffd1b0│+0x0030: 0x00000001428c0000
0x00007fffffffd1b8│+0x0038: 0x00007fffc2ea0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x5555556092b4  mov    rdx, QWORD PTR [rsp]
   0x5555556092b8  lea    rsp, [rsp+0x98]
   0x5555556092c0  mov    rsi, QWORD PTR [rsi+0x18]
 → 0x5555556092c4  cmp    BYTE PTR [rsi+0x38], 0x5
   0x5555556092c8  jne    0x5555556092c0 
   0x5555556092ca  xchg   ax, ax
   0x5555556092cc  lea    rsp, [rsp-0x98]
   0x5555556092d4  mov    QWORD PTR [rsp], rdx
   0x5555556092d8  mov    QWORD PTR [rsp+0x8], rcx
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:draw.c+1211 ────
   1206	 	if (s->u.bar.len != 0) {
   1207	 		struct SYMBOL *s2;
   1208	 
   1209	 		set_scale(s);
   1210	 		if (s->u.bar.len == 1) {
 → 1211	 			for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
   1212	 				;
   1213	 			putxy(s2->x, yb + 12);
   1214	 			a2b("mrep\n");
   1215	 		} else {
   1216	 			putxy(x, yb + 12);
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555556092c4 → draw_bar(h=70, bot=-117, s=0x55555598b078)
[#1] 0x5555556092c4 → draw_systems(indent=0)
[#2] 0x55555567d76b → delayed_output(indent=0)
[#3] 0x55555567d76b → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x555555579865 → abc_parse(p=0x55555597b5f0 "", fname=0x5555559511d0 " NPD2", ln=0x26)
[#8] 0x555555633893 → txt_add_eos(linenum=0x26, fname=)
[#9] 0x555555633893 → frontend(s=, ftype=, fname=, linenum=)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00005555556092c4 in draw_bar (h=70, bot=-117, s=0x55555598b078) at draw.c:1211
1211				for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
gef➤  p s2
$3 = (struct SYMBOL *) 0x0
gef➤  p s2->abc_type 
Cannot access memory at address 0x38
gef➤  x s2->abc_type
Cannot access memory at address 0x38
gef➤  i r
rax            0x200	0x200
rbx            0x0	0x0
rcx            0x200	0x200
rdx            0x55555593b208	0x55555593b208
rsi            0x0	0x0
rdi            0x555555943300	0x555555943300
rbp            0x55555593b220	0x55555593b220 
rsp            0x7fffffffd180	0x7fffffffd180
r8             0x1	0x1
r9             0x7fffffffd0a0	0x7fffffffd0a0
r10            0x7fffffffd0c0	0x7fffffffd0c0
r11            0x0	0x0
r12            0x55555598b078	0x55555598b078
r13            0x1	0x1
r14            0x1	0x1
r15            0x55555593ade0	0x55555593ade0
rip            0x5555556092c4	0x5555556092c4 
eflags         0x10293	[ CF AF SF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

Valgrind:

abcm2ps-8.14.6 (2019-11-05)
File NPD2
NPD2:20:36: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,#][B,,F,]- [B,,4F,4]|
                                         ^
NPD2:32:24: error: Not a note
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                             ^
NPD2:32:32: error: Not a note
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                                     ^
NPD2:32:17: error: Chord not closed
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                      ^
NPD2:34:23: error: Not a note
  34 !fp!!3![=B,4D4F4]- [B,3?D3/F3/][B,/D/F/][U,3/D3/G3/][B,/D/A/] ([B,4D4A4]!...
                            ^
NPD2:34:42: error: Not a note
  34 !fp!!3![=B,4D4F4]- [B,3?D3/F3/][B,/D/F/][U,3/D3/G3/][B,/D/A/] ([B,4D4A4]!...
                                               ^
NPD2:36:21: error: Non standard measure repeat syntax
  36 [C,,4E,,4G,,4C,4]- [3/]!2!E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z _A,,|\
                          ^
NPD2:32:16: error: Bad character 'm'
NPD2:32:16: error: Bad character 'r'
NPD2:32:16: error: Bad character 'o'
NPD2:32:16: error: Bad character 'r'
NPD2:32:16: error: Bad character 'p'
NPD2:34:40: error: Bad character 'U'
NPD2:34:84: error: Decoration !3Trompette! not defined
NPD2:36:19: warning: Line underfull (270pt of 682pt)
NPD2:32:4: error: Bad tie
==15190== Invalid read of size 1
==15190==    at 0x128E32: draw_bar (draw.c:1211)
==15190==    by 0x128E32: draw_systems (draw.c:4593)
==15190==    by 0x1382AE: delayed_output (music.c:5063)
==15190==    by 0x1382AE: output_music (music.c:5114)
==15190==    by 0x13D9C0: generate (parse.c:1041)
==15190==    by 0x13DF27: gen_ly (parse.c:1062)
==15190==    by 0x143F07: do_tune (parse.c:3635)
==15190==    by 0x115B61: abc_parse (abcparse.c:179)
==15190==    by 0x12DEE3: txt_add_eos (front.c:379)
==15190==    by 0x12E373: frontend (front.c:891)
==15190==    by 0x110F1C: treat_file (abcm2ps.c:240)
==15190==    by 0x11013B: main (abcm2ps.c:1041)
==15190==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
Segmentation fault

Proof of Concept

./abcm2ps $POC

Vendor Disclosure: 2020-02-04
Public Disclosure: 2020-02-05

Credit

Discovered by ACE Team – Loginsoft