ytnef: allocation failed in TNEFFillMapi
Description
ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries.
An allocation failure was found in the function TNEFFillMapi in ytnef.c, which allows attackers to cause a denial of service via a crafted file.
#ytnefprint $FILE
==17209==ERROR: failed to allocate 0xa3dd42000 (43986984960) bytes of LargeMmapAllocator (error code: 12)
==17209==Process memory map follows:
==17209==End of process memory map.
==17209==CHECK failed: /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
#0 0x4e9e9f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:69
#1 0x5017c5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
#2 0x4f2460 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
#3 0x4fac3e in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132
#4 0x425eef in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41
#5 0x425eef in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70
#6 0x425eef in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:407
#7 0x4208c3 in __asan::Allocator::Calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:615
#8 0x4208c3 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:796
#9 0x4dfa28 in calloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:75
#10 0x51d470 in TNEFFillMapi /home/haojun/Downloads/ytnef-master/lib/ytnef.c:482:18
#11 0x52bca1 in TNEFParse /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1184:15
#12 0x52a3b2 in TNEFParseFile /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1042:10
#13 0x515530 in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:80:9
#14 0x7f38095ceb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
#15 0x41a8db in _start (/home/haojun/Downloads/ytnef-afl-build/bin/ytnefprint+0x41a8db)
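The trace above ends in a calloc call made from TNEFFillMapi for roughly 44 GB. The C code below is an added example (not ytnef's code and not from the original post) of the usual hardening for this class of bug, assuming the allocation size is derived from a 32-bit element count read from the file: the count is checked against the bytes actually remaining before anything is allocated. The record layout, `parse_records` and `MIN_RECORD_BYTES` are hypothetical, and the input bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout: every on-disk record is a 4-byte id plus a 4-byte value. */
#define MIN_RECORD_BYTES 8u
typedef struct { uint32_t id; uint32_t value; } record_t;

/* Read a 32-bit little-endian integer without alignment assumptions. */
static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 on truncated input, -2 when the declared count
 * cannot fit in the bytes that follow, -3 when the allocator fails. */
int parse_records(const unsigned char *buf, size_t len,
                  record_t **out, uint32_t *out_count) {
    *out = NULL; *out_count = 0;
    if (len < 4) return -1;
    uint32_t count = read_le32(buf);      /* attacker-controlled field */
    size_t remaining = len - 4;
    /* Each record consumes at least MIN_RECORD_BYTES of input, so a count
     * above remaining / MIN_RECORD_BYTES can never be honest. */
    if (count > remaining / MIN_RECORD_BYTES) return -2;
    if (count == 0) return 0;
    record_t *recs = calloc(count, sizeof *recs);
    if (recs == NULL) return -3;          /* never use an unchecked result */
    const unsigned char *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += MIN_RECORD_BYTES) {
        recs[i].id = read_le32(p);
        recs[i].value = read_le32(p + 4);
    }
    *out = recs; *out_count = count;
    return 0;
}

int main(void) {
    /* Constructed input: the count field claims 0x369f1600 records, 8 bytes follow. */
    const unsigned char crafted[] = {0x00,0x16,0x9f,0x36, 1,0,0,0, 2,0,0,0};
    record_t *recs; uint32_t n;
    int rc = parse_records(crafted, sizeof crafted, &recs, &n);
    printf("crafted input: rc=%d, records=%u\n", rc, (unsigned)n);
    free(recs);
    return rc == -2 ? 0 : 1;
}
```

Because the bound is derived from the input length, the largest possible allocation scales with the size of the file rather than with a value the file declares.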
Affected version: 1.9.2
Fixed version: N/A
Commit fix: N/A
Credit: ADLab of Venustech.
CVE: N/A
Reproducer:
Timeline:
2017-06-08: bug discovered and reported to the ytnef GitHub issue page
2017-07-30: blog post about the issue
Permalink:
https://somevulnsofadlab.blogspot.com/2017/07/ytnefallocation-failed-in-tneffillmapi.html