Description:
A null pointer dereference vulnerability has been identified in the ASDCP::KLVFilePacket::InitFromFile function of the asdcplib library.
The vulnerability arises from a lack of proper validation of the MXF input file, which allows a null pointer to be dereferenced.
This results in a segmentation fault, causing a potential denial of service (DoS).
Affected Software:
Software: asdcplib
Version: 2.13.1
Operating System: Debian 11
Kernel: Linux debian 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 GNU/Linux
Steps to Reproduce:
1. Build the affected software (asdcplib) after enabling AddressSanitizer.
2. Execute any of the affected binaries (asdcp-info, asdcp-unwrap) with the provided PoC that triggers the vulnerable code path.
3. Observe the AddressSanitizer report indicating a null pointer dereference error.
Valgrind output:
==413847== Memcheck, a memory error detector
==413847== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==413847== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==413847== Command: ./asdcp-info ../../../ASDCP-WRITE.mxf
==413847==
==413847== Invalid write of size 8
==413847== at 0x4919BE8: ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&) (src/KLV.cpp:245)
==413847== by 0x4919970: ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&, ASDCP::UL const&) (src/KLV.cpp:193)
==413847== by 0x49227A1: ASDCP::MXF::RIP::InitFromFile(Kumu::IFileReader const&) (src/MXF.cpp:124)
==413847== by 0x4981DFC: ASDCP::MXF::TrackFileReader<ASDCP::MXF::OP1aHeader, ASDCP::MXF::OPAtomIndexFooter>::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (src/AS_DCP_internal.h:253)
==413847== by 0x4981722: ASDCP::h__ASDCPReader::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (src/h__Reader.cpp:75)
==413847== by 0x49972F0: ASDCP::PCM::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (src/AS_DCP_PCM.cpp:269)
==413847== by 0x49981A8: ASDCP::PCM::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (src/AS_DCP_PCM.cpp:435)
==413847== by 0x432AF2: FileInfoWrapper<ASDCP::PCM::MXFReader, MyAudioDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) (src/asdcp-info.cpp:323)
==413847== by 0x4306B9: show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) (src/asdcp-info.cpp:554)
==413847== by 0x4365DF: main (src/asdcp-info.cpp:703)
==413847== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==413847==
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==413847==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000004919be8 bp 0x000000000015 sp 0x001ffefff220 T413847)
==413847==The signal is caused by a WRITE memory access.
==413847==Hint: address points to the zero page.
==414057== Warning: invalid file descriptor 1024 in syscall close()
#0 0x4919be8 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&) /mnt/data/DCP/asdcplib/src/KLV.cpp:245:11
#1 0x4919970 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&, ASDCP::UL const&) /mnt/data/DCP/asdcplib/src/KLV.cpp:193:36
#2 0x49227a1 in ASDCP::MXF::RIP::InitFromFile(Kumu::IFileReader const&) /mnt/data/DCP/asdcplib/src/MXF.cpp:124:36
#3 0x4981dfc in ASDCP::MXF::TrackFileReader<ASDCP::MXF::OP1aHeader, ASDCP::MXF::OPAtomIndexFooter>::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /mnt/data/DCP/asdcplib/src/AS_DCP_internal.h:253:26
#4 0x4981722 in ASDCP::h__ASDCPReader::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /mnt/data/DCP/asdcplib/src/h__Reader.cpp:75:81
#5 0x49972f0 in ASDCP::PCM::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /mnt/data/DCP/asdcplib/src/AS_DCP_PCM.cpp:269:21
#6 0x49981a8 in ASDCP::PCM::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const /mnt/data/DCP/asdcplib/src/AS_DCP_PCM.cpp:435:20
#7 0x432af2 in FileInfoWrapper<ASDCP::PCM::MXFReader, MyAudioDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) /mnt/data/DCP/asdcplib/src/asdcp-info.cpp:323:23
#8 0x4306b9 in show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) /mnt/data/DCP/asdcplib/src/asdcp-info.cpp:554:24
#9 0x4365df in main /mnt/data/DCP/asdcplib/src/asdcp-info.cpp:703:16
#10 0x5145d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#11 0x40e659 in _start (/mnt/fast/DCP/asdcplib/build/src/asdcp-info+0x40e659)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /mnt/data/DCP/asdcplib/src/KLV.cpp:245:11 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&)
==413847==ABORTING
==413847==
==413847== HEAP SUMMARY:
==413847== in use at exit: 378,926 bytes in 5,927 blocks
==413847== total heap usage: 8,877 allocs, 2,950 frees, 581,139 bytes allocated
==413847==
==413847== LEAK SUMMARY:
==413847== definitely lost: 0 bytes in 0 blocks
==413847== indirectly lost: 0 bytes in 0 blocks
==413847== possibly lost: 0 bytes in 0 blocks
==413847== still reachable: 378,926 bytes in 5,927 blocks
==413847== suppressed: 0 bytes in 0 blocks
==413847== Rerun with --leak-check=full to see details of leaked memory
==413847==
==413847== For lists of detected and suppressed errors, rerun with: -s
==413847== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
POC:
poc.zip
Disclosure Timeline:
Date of Discovery: 31/05/2024
Date Reported to Vendor: 31/05/2024
Acknowledgments:
This vulnerability was discovered and reported by 0xd4n10.
Please let me know if you require any further information or assistance.
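
The description above attributes the crash to missing validation of the MXF input while a KLV packet is initialised from file. The following added example is not asdcplib code and not the project's fix: it shows a defensive parser for a KLV header (16-byte key followed by a BER-encoded length, the layout MXF uses) that rejects truncated or oversized input and never writes through a null destination. All names and the 64 MiB length cap are assumptions made for illustration; the report does not show the code at src/KLV.cpp:245.

```cpp
// Added illustration, not asdcplib code: all names here are hypothetical.
#include <cstddef>
#include <cstdint>

enum class KlvStatus { Ok, Truncated, BadLength, TooLarge, NullOutput };

struct KlvHeader {
  const uint8_t* key = nullptr;  // points at the 16-byte key inside the input
  uint64_t value_length = 0;     // decoded BER length of the value
  size_t header_size = 0;        // key bytes + BER length bytes
};

constexpr size_t kKeyLen = 16;
constexpr uint64_t kMaxValueLen = 64ull * 1024 * 1024;  // assumed policy cap

KlvStatus parse_klv_header(const uint8_t* buf, size_t len, KlvHeader* out) {
  if (out == nullptr) return KlvStatus::NullOutput;  // never write through null
  if (buf == nullptr || len < kKeyLen + 1) return KlvStatus::Truncated;

  const uint8_t first = buf[kKeyLen];
  uint64_t vlen = first;  // short form: the byte itself is the length
  size_t ber_size = 1;
  if (first & 0x80) {     // long form: low 7 bits count the length bytes
    const size_t n = first & 0x7f;
    if (n == 0 || n > 8) return KlvStatus::BadLength;  // indefinite or > 64 bit
    if (len < kKeyLen + 1 + n) return KlvStatus::Truncated;
    vlen = 0;
    for (size_t i = 0; i < n; ++i) vlen = (vlen << 8) | buf[kKeyLen + 1 + i];
    ber_size = 1 + n;
  }
  if (vlen > kMaxValueLen) return KlvStatus::TooLarge;  // refuse before allocating
  const size_t hdr = kKeyLen + ber_size;
  if (vlen > len - hdr) return KlvStatus::Truncated;    // value must fit the input

  out->key = buf;
  out->value_length = vlen;
  out->header_size = hdr;
  return KlvStatus::Ok;
}

int main() {
  uint8_t pkt[20] = {0};  // constructed sample: zero key, length 3, 3 value bytes
  pkt[16] = 0x03;
  KlvHeader h;
  return parse_klv_header(pkt, sizeof pkt, &h) == KlvStatus::Ok ? 0 : 1;
}
```

Returning a status for every malformed case lets the caller fail the file open cleanly instead of crashing on attacker-controlled input.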