Bugzilla – Bug 1081784
VUL-1: libmad: double free or corruption
Last modified: 2018-02-21 13:50:17 UTC
Created attachment 760820: Reproducer

While investigating CVE-2017-11548 I found this:

kbabioch@opensuse423:~/Downloads/mpg321-0.3.2-orig> gdb mpg321
GNU gdb (GDB; openSUSE Leap 42.3) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-suse-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.opensuse.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from mpg321...done.
(gdb) run libao_1.2.0_memory_corruption.mp3
Starting program: /home/kbabioch/Downloads/mpg321-0.3.2-orig/mpg321 libao_1.2.0_memory_corruption.mp3
Missing separate debuginfos, use: zypper install glibc-debuginfo-2.22-8.4.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!

Playing MPEG stream from libao_1.2.0_memory_corruption.mp3 ...
MPEG 1.0 layer III, 192 kbit/s, 44100 Hz mono
[New Thread 0x7fffeee51700 (LWP 10840)]
*** Error in `/home/kbabioch/Downloads/mpg321-0.3.2-orig/mpg321': double free or corruption (out): 0x00000000006222e0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x721af)[0x7ffff683f1af]
/lib64/libc.so.6(+0x77706)[0x7ffff6844706]
/lib64/libc.so.6(+0x78453)[0x7ffff6845453]
/usr/lib64/libmad.so.0(mad_decoder_run+0x3e)[0x7ffff72806be]
/home/kbabioch/Downloads/mpg321-0.3.2-orig/mpg321[0x403fcd]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ffff67ed6e5]
/home/kbabioch/Downloads/mpg321-0.3.2-orig/mpg321[0x404ef9]
======= Memory map: ========

Thread 1 "mpg321" received signal SIGABRT, Aborted.
0x00007ffff68018d7 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: zypper install libmad0-debuginfo-0.15.1b-2.1.x86_64
(gdb) bt
#0  0x00007ffff68018d7 in raise () from /lib64/libc.so.6
#1  0x00007ffff6802caa in abort () from /lib64/libc.so.6
#2  0x00007ffff683f1b4 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff6844706 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007ffff6845453 in _int_free () from /lib64/libc.so.6
#5  0x00007ffff72806be in mad_decoder_run () from /usr/lib64/libmad.so.0
#6  0x0000000000403fcd in main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:1092

Someone in the Debian community also hit on this already:

References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
Duplicate

*** This bug has been marked as a duplicate of bug 1082025 ***