Bug 1217900 (CVE-2023-49464) - VUL-0: CVE-2023-49464: libheif: UAF
Summary: VUL-0: CVE-2023-49464: libheif: UAF
Status: RESOLVED FIXED
Alias: CVE-2023-49464
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other, OS: Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/387372/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-49464:6.2:(AV:...
Reported: 2023-12-08 07:57 UTC by SMASH SMASH
Modified: 2024-05-15 14:47 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description SMASH SMASH 2023-12-08 07:57:31 UTC
libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49464
Comment 1 Alexander Bergmann 2023-12-08 08:28:10 UTC
The affected code was introduced in v1.16.0.

SUSE:SLE-15-SP4:Update  libheif-1.12.0

ALP would need the fix.

Current PR:
https://github.com/strukturag/libheif/pull/1049
https://github.com/strukturag/libheif/pull/1049/commits/2bf226a300951e6897ee7267d0dd379ba5ad7287
Comment 2 Petr Gajdos 2023-12-11 11:14:08 UTC
libheif-1.17.5$ mkdir build && cd build
libheif-1.17.5/build$ CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
libheif-1.17.5/build$ make -j8

libheif-1.17.5/build$ examples/heif-convert /217900/poc3-hof 
File contains 1 image
=================================================================
==14972==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000a200 at pc 0x7f5edbe915c9 bp 0x7ffcb9152500 sp 0x7ffcb91524f8
READ of size 2 at 0x60e00000a200 thread T0
    #0 0x7f5edbe915c8 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int) (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x2915c8) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #1 0x7f5edbd6c54a in HeifFile::get_luma_bits_per_pixel_from_configuration(unsigned int) const (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x16c54a) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #2 0x7f5edbcef3f3 in HeifContext::Image::get_luma_bits_per_pixel() const (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0xef3f3) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #3 0x55ff10668bc5 in main (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/examples/heif-convert+0x9bc5) (BuildId: 1be7bcbce01218a6e8431a650b95fc45b81cdbbb)
    #4 0x7f5edb4281af in __libc_start_call_main (/lib64/libc.so.6+0x281af) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #5 0x7f5edb428278 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x28278) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #6 0x55ff1066c964 in _start ../sysdeps/x86_64/start.S:115

Address 0x60e00000a200 is a wild pointer inside of access range of size 0x000000000002.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x2915c8) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398) in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int)
Shadow bytes around the buggy address:
==14972==ABORTING
libheif-1.17.5/build$

libheif-1.17.5/build$ examples/heif-convert /217900/poc3-huaf 
File contains 1 image
=================================================================
==14973==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000000910 at pc 0x7f3d8ee915c9 bp 0x7fffcb9abae0 sp 0x7fffcb9abad8
READ of size 2 at 0x60e000000910 thread T0
    #0 0x7f3d8ee915c8 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int) (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x2915c8) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #1 0x7f3d8ed6c54a in HeifFile::get_luma_bits_per_pixel_from_configuration(unsigned int) const (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x16c54a) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #2 0x7f3d8ecef3f3 in HeifContext::Image::get_luma_bits_per_pixel() const (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0xef3f3) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #3 0x562143719bc5 in main (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/examples/heif-convert+0x9bc5) (BuildId: 1be7bcbce01218a6e8431a650b95fc45b81cdbbb)
    #4 0x7f3d8e4281af in __libc_start_call_main (/lib64/libc.so.6+0x281af) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #5 0x7f3d8e428278 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x28278) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #6 0x56214371d964 in _start ../sysdeps/x86_64/start.S:115

0x60e000000910 is located 16 bytes inside of 160-byte region [0x60e000000900,0x60e0000009a0)
freed by thread T0 here:
    #0 0x7f3d8f0dd5b8 in operator delete(void*) (/lib64/libasan.so.8+0xdd5b8) (BuildId: 51abdf279242631ef4cd19c07d46c0c9a17cc1c9)
    #1 0x7f3d8eca0739 in std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0xa0739) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)

previously allocated by thread T0 here:
    #0 0x7f3d8f0dcb78 in operator new(unsigned long) (/lib64/libasan.so.8+0xdcb78) (BuildId: 51abdf279242631ef4cd19c07d46c0c9a17cc1c9)
    #1 0x7f3d8ec83897 in Box::read(BitstreamRange&, std::shared_ptr<Box>*) (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x83897) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x2915c8) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398) in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int)
Shadow bytes around the buggy address:
==14973==ABORTING
libheif-1.17.5/build$


libheif-1.17.5/build$ examples/heif-convert /217900/poc3-segv 
File contains 1 image
AddressSanitizer:DEADLYSIGNAL
=================================================================
==14981==ERROR: AddressSanitizer: SEGV on unknown address 0x60e0002303c0 (pc 0x7fd425c90b2b bp 0x0ffa846a0600 sp 0x7ffd7d632cd0 T0)
==14981==The signal is caused by a READ memory access.
    #0 0x7fd425c90b2b in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int) (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x290b2b) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #1 0x7fd425b6c54a in HeifFile::get_luma_bits_per_pixel_from_configuration(unsigned int) const (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x16c54a) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #2 0x7fd425aef3f3 in HeifContext::Image::get_luma_bits_per_pixel() const (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0xef3f3) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #3 0x562cf72fcbc5 in main (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/examples/heif-convert+0x9bc5) (BuildId: 1be7bcbce01218a6e8431a650b95fc45b81cdbbb)
    #4 0x7fd4252281af in __libc_start_call_main (/lib64/libc.so.6+0x281af) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #5 0x7fd425228278 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x28278) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #6 0x562cf7300964 in _start ../sysdeps/x86_64/start.S:115

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x290b2b) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398) in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int)
==14981==ABORTING
libheif-1.17.5/build$
Comment 3 Petr Gajdos 2023-12-11 12:14:11 UTC
AFTER

libheif-1.17.5/build$ examples/heif-convert  /217898/poc2
File contains 1 image
Could not decode image: 0: Unsupported feature: Unsupported codec
libheif-1.17.5/build$ examples/heif-convert /217900/poc3-hof
File contains 1 image
Input image has undefined bit-depth
libheif-1.17.5/build$ examples/heif-convert /217900/poc3-segv
File contains 1 image
Input image has undefined bit-depth
libheif-1.17.5/build$ examples/heif-convert /217900/poc3-huaf
File contains 1 image
Input image has undefined bit-depth
libheif-1.17.5/build$
Comment 4 Petr Gajdos 2023-12-11 12:34:58 UTC
Submit request into devel project:
https://build.opensuse.org/request/show/1132479
Comment 5 Petr Gajdos 2023-12-12 09:58:10 UTC
ALP:
https://build.suse.de/request/show/315447

I believe all fixed.