View Issue Details

ID: 0000636
Project: file
Category: General
View Status: public
Last Update: 2025-04-07 20:19
Reporter: pvz122
Assigned To: christos
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Linux
OS: Ubuntu
OS Version: 24.04
Product Version: 5.46
Fixed in Version: HEAD
Summary: 0000636: FPE (Floating Point Exception) crash when executing `file` with a custom magicfile

Description:

Hi, I encountered an FPE crash in the latest version of the code repository when running `file` with the `-m` option, like:

```bash
file -m poc.input poc.input
```

The command specifies a custom magicfile and takes the same file as its processing input. By enabling the AddressSanitizer, I got the crash report below:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==852954==ERROR: AddressSanitizer: FPE on unknown address 0x5a624d1e0508 (pc 0x5a624d1e0508 bp 0x7fff0b219ee0 sp 0x7fff0b219bb0 T0)
    #0 0x5a624d1e0508 in cvt_32 /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:1108:2
    #1 0x5a624d1dae79 in mconvert /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:1180:7
    #2 0x5a624d1cfac5 in mget /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:1990:7
    #3 0x5a624d1c3b25 in match /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:258:11
    #4 0x5a624d1c277d in file_softmagic /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:136:13
    #5 0x5a624d1b5a7c in file_buffer /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/funcs.c:460:7
    #6 0x5a624d17b189 in file_or_fd /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/magic.c:533:6
    #7 0x5a624d17b46a in magic_file /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/magic.c:417:9
    #8 0x5a624d1785db in process /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/file.c:649:9
    #9 0x5a624d17653a in main /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/file.c:441:8
    #10 0x79a16062a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #11 0x79a16062a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #12 0x5a624d09b6d4 in _start (/home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/bin_asan/bin/file+0x5f6d4) (BuildId: 9d2bed194842bd6929bbc564051f0ceb26123118)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:1108:2 in cvt_32
==852954==ABORTING
```

The crash happens at the `DO_CVT` macro within the `cvt_32` function in `softmagic.c`. The `DO_CVT` macro is expanded as:

```c
// ...
    case 6:
      if (static_cast<uint32_t>(m->_u._mask) == 0)
        return -1;
      p->l /= static_cast<uint32_t>(m->_u._mask);
      break;
// ...
```

The `/=` operation is exactly the crash site, where `m->_u._mask` has a value of `0xFFFFFFFFFFFFFFFF`, causing a division error.

This crash appears to be a bug in the `file` tool. I'd appreciate your further investigation and reply.

Steps To Reproduce:

After downloading the attached `poc.input` file, run `file` with the command:

```bash
file -m poc.input poc.input
```

The process will immediately be killed as:

```
'file' terminated by signal SIGFPE (Floating point exception)
```

This crash can also be triggered by invoking `libmagic` directly. The PoC program is:

```c
#include "magic.h"
#include <stdio.h>

int main(void)
{
    magic_t magic_cookie = magic_open(MAGIC_NONE);
    if (!magic_cookie) {
        return 1;
    }
    /* Parse the custom magic file; this is the same file used as input below. */
    if (magic_check(magic_cookie, "./poc.input") != 0) {
        magic_close(magic_cookie);
        return 1;
    }
    /* The SIGFPE is raised inside magic_file() while matching the input. */
    const char *result = magic_file(magic_cookie, "./poc.input");
    if (result == NULL) {
        fprintf(stderr, "magic_file: %s\n", magic_error(magic_cookie));
        magic_close(magic_cookie);
        return 1;
    }
    printf("%s\n", result);
    magic_close(magic_cookie);
    return 0;
}
```

It can be compiled using command:

```bash
clang poc.c -o poc -fsanitize=address -g -I path/to/libmagic/header path/to/libmagic.a -llzma -lzstd -lz
```
Tags: libmagic

Activities

pvz122

2025-03-26 10:48

reporter  

poc.input (110 bytes)

pvz122

2025-03-31 11:17

reporter   ~0004199

This crash can be reproduced in the latest commit 4e847cd. Let me know if there are any reproducing problems.

christos

2025-04-06 20:37

manager   ~0004206

Can't reproduce this on NetBSD/amd64. What architecture are you running on?

pvz122

2025-04-07 02:24

reporter   ~0004207

I am also using an amd64 machine, but it runs a GNU/Linux operating system. I suspect the issue lies in the difference in integer size, as the crash appears to be caused by an integer overflow during division. I recommend investigating this problem in a GNU/Linux environment. Below are the detailed steps to reproduce the issue:

## Test Environment
Ubuntu 24.04.1 LTS, 64 bit, x86_64 GNU/Linux
file (master 2458386)

## To Reproduce
1. Compile the latest file (i.e., 2458386):
   ```
    $ git clone git@github.com:file/file.git
    $ cd file
    $ autoreconf -fi
    $ mkdir build && cd build
    $ ../configure --prefix=$PWD/bin
    $ make && make install
   ```
2. Run with the given PoC:
   ```
    $ wget https://bugs.astron.com/file_download.php\?file_id\=502\&type\=bug -O poc.input
    $ ./bin/bin/file -m poc.input poc.input
   ```
    file will crash with `[1] 306593 floating point exception ./bin/bin/file -m poc.input poc.input`

pvz122

2025-04-07 03:43

reporter   ~0004208

After further investigation, I have identified the root cause of the issue as an **integer overflow**. The provided PoC triggers this bug during the `FILE_OPDIVIDE` operation. The corresponding values involved are:

- `p->sl = -2147483648`
- `m->num_mask = -1`.

The value `-2147483648` (i.e., `0x80000000`) is the smallest possible value for a signed 32-bit integer (`int32_t`), and dividing it by `-1` results in an integer overflow.

This bug was introduced in **commit 58b213e**, which added signed value calculations in the `DO_CVT` function.
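
As an added illustration (not code from this report or from `file`'s source), a guarded form of the two `DO_CVT` division branches: the unsigned path needs only a zero check, while the signed path must also reject `INT32_MIN / -1`, the operand pair the PoC produces. The enum, the function names and the truncation of a 64-bit `num_mask` to `int32_t` are assumptions of this example.

```c
#include <stdint.h>
#include <limits.h>
/* Both failing cases are operand pairs on which x86-64 idiv raises SIGFPE. */
enum div_status { DIV_OK = 0, DIV_BY_ZERO = -1, DIV_OVERFLOW = -2 };

/* Signed FILE_OPDIVIDE branch: INT32_MIN / -1 needs 2^31, which int32_t cannot hold. */
static enum div_status
safe_sdiv32(int32_t value, int32_t mask, int32_t *out)
{
	if (mask == 0)
		return DIV_BY_ZERO;
	if (value == INT32_MIN && mask == -1)
		return DIV_OVERFLOW;
	*out = value / mask;
	return DIV_OK;
}

/* Unsigned branch: only zero is dangerous; UINT32_MAX is a valid divisor. */
static enum div_status
safe_udiv32(uint32_t value, uint32_t mask, uint32_t *out)
{
	if (mask == 0)
		return DIV_BY_ZERO;
	*out = value / mask;
	return DIV_OK;
}

/* Reported operands: p->sl = -2147483648, num_mask = 0xFFFFFFFFFFFFFFFF. */
static enum div_status
reported_signed_case(int32_t *out)
{
	uint64_t num_mask = UINT64_MAX;
	int32_t mask = (int32_t)num_mask;	/* truncates to -1 on two's complement */
	return safe_sdiv32(INT32_MIN, mask, out);
}

/* Same mask on the unsigned path: 0x80000000 / 0xFFFFFFFF == 0, no trap. */
static enum div_status
reported_unsigned_case(uint32_t *out)
{
	return safe_udiv32(0x80000000u, (uint32_t)UINT64_MAX, out);
}

int main(void)
{
	uint32_t u = 1;
	return (reported_signed_case(&(int32_t){0}) == DIV_OVERFLOW &&
	    reported_unsigned_case(&u) == DIV_OK && u == 0) ? 0 : 1;
}
```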

christos

2025-04-07 20:19

manager   ~0004209

Fixed, thanks!

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-03-26 10:48 | pvz122 | New Issue | |
| 2025-03-26 10:48 | pvz122 | Tag Attached | libmagic |
| 2025-03-26 10:48 | pvz122 | File Added | poc.input |
| 2025-03-31 11:17 | pvz122 | Note Added | 0004199 |
| 2025-04-06 20:36 | christos | Assigned To | => christos |
| 2025-04-06 20:36 | christos | Status | new => assigned |
| 2025-04-06 20:37 | christos | Status | assigned => feedback |
| 2025-04-06 20:37 | christos | Note Added | 0004206 |
| 2025-04-07 02:24 | pvz122 | Note Added | 0004207 |
| 2025-04-07 02:24 | pvz122 | Status | feedback => assigned |
| 2025-04-07 03:43 | pvz122 | Note Added | 0004208 |
| 2025-04-07 20:19 | christos | Status | assigned => resolved |
| 2025-04-07 20:19 | christos | Resolution | open => fixed |
| 2025-04-07 20:19 | christos | Fixed in Version | => HEAD |
| 2025-04-07 20:19 | christos | Note Added | 0004209 |