View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000465 | file | General | public | 2023-07-06 12:09 | 2023-07-17 15:55 |
| Reporter | psrok1 | Assigned To | christos | ||
| Priority | normal | Severity | crash | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Platform | Alpine Linux (in Docker) | OS | Alpine Linux | OS Version | v3.18 |
| Product Version | 5.44 | ||||
| Fixed in Version | 5.45 | ||||
| Summary | 0000465: SIGSEGV crash in cdf_ctime when musl is used (malicious Office document) | ||||
| Description | Hi! We found that libmagic crashes when certain Office documents are provided. When we use libmagic compiled with glibc, we get the following result: ``` bad-file-5c695a37c4eb17703e1d4b95b8c2366bcead07171d3ccb22c091a77bee9c9c81: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, Code page: 1252, Title: WinCC-Graphics-Document, Comments: Saved with Version: K6.0.2.0Saved with Version: K6.0.2.8Saved with Version: K6.0.3.0Saved with Version: K6.0.4.0Saved with Version: V6.2 incl. SP2Saved with Version: V6.2 incl. SP3 incl. HF12Saved with Version: V7.0 incl. SP3, Revision Number: 619, Total Editing Time: *Bad* 0x000000bb2bb31ea9, Last Saved Time/Date: Wed Jun 21 08:30:38 2023, Create Time/Date: Fri Feb 8 10:14:53 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Grafexe, 0x80000002: 0 ``` As you may notice, Total Editing Time is malformed and is shown as `*Bad* 0x000000bb2bb31ea9`. Unfortunately, when we use musl, we get segfault in asctime_r function called by cdf_ctime. After checking the root cause in gdb, we found that asctime_r (used by ctime_r) expects that result will fit in buffer having 26 bytes. When it exceeds the limit: glibc returns NULL and sets errno to EOVERFLOW (https://github.com/lattera/glibc/blob/master/time/asctime.c#L53), which is then handled by cdf_ctime code. Unfortunately, musl is more cautious and calls `a_crash()` which results in `HLT` trap causing SIGSEGV crash (https://git.musl-libc.org/cgit/musl/tree/src/time/asctime_r.c#n23). It looks like libmagic must validate time_t structure whether fields are in correct ranges before applying it to ctime_r. Bug also occurs in earlier versions of file (git blame shows that affected code wasn't changed for several years). | ||||
| Steps To Reproduce | We used the following Dockerfile: ``` FROM python:3.8-alpine AS build RUN apk add --no-cache build-base autoconf automake libtool gdb COPY file /app/file WORKDIR /app/file RUN autoreconf -i RUN ./configure RUN make COPY bad-file-5c695a37c4eb17703e1d4b95b8c2366bcead07171d3ccb22c091a77bee9c9c81 /app/ WORKDIR /app ``` | ||||
| Additional Information | Test file: 5c695a37c4eb17703e1d4b95b8c2366bcead07171d3ccb22c091a77bee9c9c81 (MALICIOUS DOCUMENT, attached zip with password 'infected'.) Related issue: https://github.com/CERT-Polska/mwdb-core/issues/842 | ||||
| Tags | bug, cdf | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2023-07-06 12:09 | psrok1 | New Issue | |
| 2023-07-06 12:09 | psrok1 | Tag Attached: bug | |
| 2023-07-06 12:09 | psrok1 | Tag Attached: cdf | |
| 2023-07-06 12:09 | psrok1 | File Added: bad-file-5c695a37c4eb17703e1d4b95b8c2366bcead07171d3ccb22c091a77bee9c9c81.zip | |
| 2023-07-17 15:54 | christos | Assigned To | => christos |
| 2023-07-17 15:54 | christos | Status | new => assigned |
| 2023-07-17 15:55 | christos | Status | assigned => resolved |
| 2023-07-17 15:55 | christos | Resolution | open => fixed |
| 2023-07-17 15:55 | christos | Fixed in Version | => 5.45 |
| 2023-07-17 15:55 | christos | Note Added: 0003957 |
