Bug 1060321

Summary: VUL-1: CVE-2017-13735: libraw: There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack.
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/191123/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: POC1

Description Marcus Meissner 2017-09-26 04:52:01 UTC
+++ This bug was initially created as a clone of Bug #1056170 +++

CVE-2017-13735

There is a floating point exception in the kodak_radc_load_raw function
in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial
of service attack.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1483988
Comment 1 Marcus Meissner 2017-09-26 04:54:58 UTC
Description of problem:

There is a floating point exception in dcraw_common.cpp of libRAW. 

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./multirender_test POC1

Steps to Reproduce:

$ ./multirender_test POC1
Processing file POC1
Floating point exception

The GDB debugging information is as follows:

$ ./multirender_test POC1
gdb-peda$ r
...

Breakpoint 1, LibRaw::kodak_radc_load_raw (this=0x7ffffff9d6e8) at internal/dcraw_common.cpp:2751
2751		    val = (buf[c][y+1][x] << 4) / mul[c];
gdb-peda$ c 11
Will ignore next 10 crossings of breakpoint 1.  Continuing.

Breakpoint 1, LibRaw::kodak_radc_load_raw (this=0x7ffffff9d6e8) at internal/dcraw_common.cpp:2751
2751		    val = (buf[c][y+1][x] << 4) / mul[c];
gdb-peda$ n

Program received signal SIGFPE, Arithmetic exception.

[----------------------------------registers-----------------------------------]
RAX: 0x1f70 
RBX: 0x0 
RCX: 0x2afa 
RDX: 0x0 
RSI: 0x7ffff7fda0d0 --> 0x1 
RDI: 0x7ffff7d952c0 --> 0x1 
RBP: 0x602878 --> 0x6028a0 --> 0x0 
RSP: 0x7ffffff993a0 --> 0x0 
RIP: 0x7ffff7a65e2b (<LibRaw::kodak_radc_load_raw()+7259>:	idiv   DWORD PTR [rsp+0x9c])
R8 : 0x7ffffff99dec --> 0x11380f00121d10bd 
R9 : 0x0 
R10: 0x7ffffff99dec --> 0x11380f00121d10bd 
R11: 0x14 
R12: 0x0 
R13: 0x7ffffff9d6e8 --> 0x7ffff7d94a30 --> 0x7ffff7b48e10 (<LibRaw::open_datastream(LibRaw_abstract_datastream*)>:	push   rbp)
R14: 0x0 
R15: 0x300
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a65e1f <LibRaw::kodak_radc_load_raw()+7247>:	movsx  eax,WORD PTR [rax+rbx*2+0x304]
   0x7ffff7a65e27 <LibRaw::kodak_radc_load_raw()+7255>:	shl    eax,0x4
   0x7ffff7a65e2a <LibRaw::kodak_radc_load_raw()+7258>:	cdq    
=> 0x7ffff7a65e2b <LibRaw::kodak_radc_load_raw()+7259>:	idiv   DWORD PTR [rsp+0x9c]
   0x7ffff7a65e32 <LibRaw::kodak_radc_load_raw()+7266>:	test   eax,eax
   0x7ffff7a65e34 <LibRaw::kodak_radc_load_raw()+7268>:	mov    r15d,0x0
   0x7ffff7a65e3a <LibRaw::kodak_radc_load_raw()+7274>:	cmovns r15w,ax
   0x7ffff7a65e3f <LibRaw::kodak_radc_load_raw()+7279>:	mov    r13,rbp
[------------------------------------stack-------------------------------------]
0000| 0x7ffffff993a0 --> 0x0 
0008| 0x7ffffff993a8 --> 0x700000000 
0016| 0x7ffffff993b0 --> 0x90000000c ('\x0c')
0024| 0x7ffffff993b8 --> 0x8 
0032| 0x7ffffff993c0 --> 0x7ffffff9a6fa --> 0x0 
0040| 0x7ffffff993c8 --> 0x304 
0048| 0x7ffffff993d0 --> 0x7ffffff9a6f8 --> 0x0 
0056| 0x7ffffff993d8 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x00007ffff7a65e2b in LibRaw::kodak_radc_load_raw (this=0x7ffffff9d6e8) at internal/dcraw_common.cpp:2751
2751		    val = (buf[c][y+1][x] << 4) / mul[c];
gdb-peda$ x/xw ($rsp+0x9c)
0x7ffffff9943c:	0x00000000
gdb-peda$ 


The vulnerability was triggered in function LibRaw::kodak_radc_load_raw (this=0x7ffffff9d6e8) at internal/dcraw_common.cpp:2751
2749		for (y=0; y < 2; y++)
2750		  for (x=0; x < width/2; x++) {
2751		    val = (buf[c][y+1][x] << 4) / mul[c];
2752		    if (val < 0) val = 0;
2753		    if (c) RAW(row+y*2+c-1,x*2+2-c) = val;
2754		    else   RAW(row+r*2+y,x*2+y) = val;
2755		  }



Actual results:

crash

Expected results:

crash


Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
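The following is an added illustration, not LibRaw's code or the upstream patch: it models the division at dcraw_common.cpp:2751, where a per-channel multiplier mul[c] decoded from the file is used as a divisor, and shows the defensive pattern of rejecting a zero multiplier at decode time so a crafted file yields an unpack error instead of SIGFPE (the behaviour Comment 3 observes after the upstream commit). Sample values, multiplier sets and the RADC_* result codes are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Added model of the division at internal/dcraw_common.cpp:2751, not
 * LibRaw's code: a per-channel multiplier mul[c] decoded from the file
 * divides each sample, so a file carrying mul[c] == 0 reaches IDIV with
 * a zero divisor and the process dies with SIGFPE. */

enum { RADC_OK = 0, RADC_CORRUPT = -1 };

/* Constructed sample values standing in for buf[c][y+1][x]. */
static const short SAMPLES[4] = { 0x1f7, -3, 0x40, 5 };
static short OUT[4];        /* scaled output written by the checked scaler */

/* Constructed multiplier sets; BAD_MUL carries a zero divisor like the
 * one the report reads back at ($rsp+0x9c). */
static const int GOOD_MUL[3] = { 7, 12, 8 };
static const int BAD_MUL[3]  = { 7, 0, 8 };

/* Gate the divisors where they are decoded, before any arithmetic. */
static int radc_check_muls(const int mul[3])
{
    int c;
    for (c = 0; c < 3; c++)
        if (mul[c] == 0)
            return RADC_CORRUPT;   /* reject the file as corrupt input */
    return RADC_OK;
}

/* Hardened form of the inner loop: the original divides unconditionally;
 * this variant refuses a zero multiplier and otherwise keeps the same
 * scale-and-clamp behaviour (multiply by 16 instead of << 4 so a negative
 * sample does not invoke undefined behaviour). */
static int radc_scale_checked(const short *buf, size_t n, int mul, short *out)
{
    size_t x;
    int val;
    if (mul == 0)
        return RADC_CORRUPT;
    for (x = 0; x < n; x++) {
        val = (int)buf[x] * 16 / mul;
        if (val < 0) val = 0;      /* clamp kept from the original loop */
        out[x] = (short)val;
    }
    return RADC_OK;
}

int main(void)
{
    if (radc_check_muls(BAD_MUL) == RADC_CORRUPT)
        puts("corrupt multiplier table: file rejected, no division attempted");
    return radc_scale_checked(SAMPLES, 4, GOOD_MUL[0], OUT) == RADC_OK ? 0 : 1;
}
```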
Comment 2 Marcus Meissner 2017-09-26 04:55:59 UTC
Created attachment 741888 [details]
POC1

QA REPRODUCER:

use a libraw-using program to open POC1, e.g.:

shotwell POC1

should not abort with: Floating point exception (core dumped)
Comment 3 Petr Gajdos 2017-09-26 12:14:42 UTC
Using native tools:

12:
$ simple_dcraw POC1
Floating point exception (core dumped)
$

42.3:
$ simple_dcraw POC1
Floating point exception (core dumped)
$

radc_divbyzero.txt from the upstream bug points to
https://github.com/LibRaw/LibRaw/commit/82616eff4c7f7437e96bdeeed238c3ef3dc12d60#diff-f29c1da0e3b6207b99ae3e301dcb547a

42.3:

$ simple_dcraw POC1
Cannot unpack POC1: Input/output error
$

12:

$ simple_dcraw POC1
Cannot unpack POC1: Input/output error
$
Comment 4 Petr Gajdos 2017-09-26 12:15:35 UTC
Package submitted to 42.2, 42.3 and 12.
Comment 5 Bernhard Wiedemann 2017-09-26 14:02:05 UTC
This is an autogenerated message for OBS integration:
This bug (1060321) was mentioned in
https://build.opensuse.org/request/show/528790 42.2 / libraw
https://build.opensuse.org/request/show/528791 42.3 / libraw
Comment 7 Swamp Workflow Management 2017-10-03 22:11:37 UTC
openSUSE-SU-2017:2638-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1060163,1060321
CVE References: CVE-2017-13735,CVE-2017-14265
Sources used:
openSUSE Leap 42.3 (src):    libraw-0.17.1-11.1
openSUSE Leap 42.2 (src):    libraw-0.17.1-2.11.1
Comment 10 Swamp Workflow Management 2017-12-21 11:10:19 UTC
SUSE-SU-2017:3392-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1060321,1063798,1072385
CVE References: CVE-2017-13735,CVE-2017-14608,CVE-2017-16909
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    libraw-0.15.4-16.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    libraw-0.15.4-16.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libraw-0.15.4-16.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libraw-0.15.4-16.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libraw-0.15.4-16.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libraw-0.15.4-16.1
Comment 11 Marcus Meissner 2018-02-12 09:05:41 UTC
released