Headline
CVE-2021-28275: Multiple Segmentation fault in jhead via a crafted jpg file · Issue #17 · Matthias-Wandel/jhead
A Denial of Service vulnerability exists in jhead 3.04 and 3.05 due to a wild address read in the Get16u function in exif.c in will cause segmentation fault via a crafted_file.
Description of problem:
Multiple Segmentation fault in jhead via a crafted jpg file
Version-Release number of selected component (if applicable):
I tested the following version:
Jhead version: 3.05
Jhead version: 3.04
How reproducible:
git clone --depth=1 https://github.com/Matthias-Wandel/jhead.git && cd jhead && make CC="clang" -e CFLAGS="-g -fsanitize=address" -e LDFLAGS="-g -fsanitize=address"
Steps to Reproduce:
1.just run the following command
Segmentation fault in ProcessCanonMakerNoteDir
./jhead -v ./tests_61418.jpg
Segmentation fault in Get16u
./jhead -v ./tests_61761.jpg
Segmentation fault in Get32s
./jhead -v ./tests_61763.jpg
poc:
jhead-multi-seg.zip
They are all because of wild-addr-read.
Actual results:
Segmentation fault in ProcessCanonMakerNoteDir
$ ./jhead -v ./tests_61418.jpg
Exif header 7166 bytes long
Exif section in Intel order
(dir has 9 entries)
Make = "Canon"
Model = "Canon DIGITAL IXUS?"
Orientation = 1
XResolution = 180/1
YResolution = 180/1
ResolutionUnit = 2
DateTime = "2001:06:09 15:17:32"
YCbCrPositioning = 1
ExifOffset = 184
Exif Dir:(dir has 27 entries)
ExposureTime = 1/350
FNumber = 40/10
ExifVersion = "0210"
DateTimeOriginal = "2001:06:09 15:17:32"
DateTimeDigitized = "2001:06:09 15:17:32"
ComponentsConfiguration = "?"
CompressedBitsPerPixel = 3/1
ShutterSpeedValue = 553859/65536
ApertureValue = 262144/65536
ExposureBiasValue = 0/3
MaxApertureValue = 194698/65536
SubjectDistance = 3750/1000
MeteringMode = 2
Flash = 0
FocalLength = 346/32
Maker note: (dir has 10 entries)
Canon maker tag 0001 Value = 0, 1024, 6, 0, 9728, 512, 0, 768, 256, 0, 0, 256, 0, 256, 512, 256, ...
Canon maker tag 0002 Value = 0, 0, 0, 256
Canon maker tag 0003 Value = 512, 23040, 54017, 40448
Canon maker tag 0004 Value = 0, 0, 0, 0, 7680, 0, 35840, 512, 32769, 3584, 1, 0, 0, 256, 1024
Canon maker tag 0000 Value = 0, 0, 0, 512, 48, 0
Canon maker tag 0006 Value = "IMG:JPEG file"
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25461==ERROR: AddressSanitizer: SEGV on unknown address 0x624100002100 (pc 0x0000004dfa3c bp 0x7ffe87baf3b0 sp 0x7ffe87baf2d0 T0)
==25461==The signal is caused by a READ memory access.
#0 0x4dfa3c in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:105:29
#1 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
#2 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
#3 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
#4 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
#5 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
#6 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
#7 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
#8 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
#9 0x7fb2b1d2083f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/makernote.c:105:29 in ProcessCanonMakerNoteDir
==25461==ABORTING
Segmentation fault in Get16u
$ ./jhead -v ./tests_61761.jpg
Exif header 7166 bytes long
Exif section in Intel order
(dir has 213 entries)
Make = "Canon"
Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag 0110 in Exif
Unknown Tag 6112 Value = 1
Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag e21a in Exif
Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag 011b in Exif
Unknown Tag 9e28 Value = 2
DateTime = "2001:06:09 1>:17:32"
YCbCrPositioning = 1
ExifOffset = 184
............
............
............
............
............
............
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25463==ERROR: AddressSanitizer: SEGV on unknown address 0x6241000011b7 (pc 0x0000004d399c bp 0x7ffc7716b130 sp 0x7ffc7716b0e0 T0)
==25463==The signal is caused by a READ memory access.
#0 0x4d399c in Get16u /root/fuzz/jhead/exif.c:323:17
#1 0x4d40e1 in PrintFormatNumber /root/fuzz/jhead/exif.c:378:45
#2 0x4dfbdd in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:123:21
#3 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
#4 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
#5 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
#6 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
#7 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
#8 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
#9 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
#10 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
#11 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
#12 0x7f45bf8ba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
#13 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/exif.c:323:17 in Get16u
==25463==ABORTING
Segmentation fault in Get32s
$ ./jhead -v ./tests_61763.jpg
Exif header 7166 bytes long
Exif section in Intel order
(dir has 42 entries)
Make = "Canon"
Model = "?anon DIGITAL IXUS?"
Orientation = 1
XResolution = 180/1
YResolution = 180/1
ResolutionUnit = 2
DateTime = "2001:06:09 15:17:32"
YCbCrPositioning = 1
ExifOffset = 184
Exif Dir:(dir has 27 e
............
............
............
............
............
............
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25465==ERROR: AddressSanitizer: SEGV on unknown address 0x62410000200b (pc 0x0000004d3bc8 bp 0x7ffe1275af10 sp 0x7ffe1275ae80 T0)
==25465==The signal is caused by a READ memory access.
#0 0x4d3bc8 in Get32s /root/fuzz/jhead/exif.c:336:18
#1 0x4d419b in PrintFormatNumber /root/fuzz/jhead/exif.c:388:32
#2 0x4dfbdd in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:123:21
#3 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
#4 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
#5 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
#6 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
#7 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
#8 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
#9 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
#10 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
#11 0x7f88040ac83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
#12 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/exif.c:336:18 in Get32s
==25465==ABORTING
Additional info:
Founder: giantbranch of NSFOCUS Security Team
Related news
Ubuntu Security Notice 6110-1 - It was discovered that Jhead did not properly handle certain crafted Canon images when processing them. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service. It was discovered that Jhead did not properly handle certain crafted images when printing Canon-specific information. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service. It was discovered that Jhead did not properly handle certain crafted images when removing unknown sections. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service.