Multiple bugs

[qflb]

the _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x6091bc "\202\035)", running_event=144 '\220')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
2318 if (sysex_store[sysex_store_len - 1] == 0xF7) {
(gdb) bt
#0 0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x6091bc "\202\035)", running_event=144 '\220')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
#1 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#2 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe325 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#3 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cef
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cef:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>: movzbl (%rax),%eax
End of assembler dump.
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cff
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cff:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>: movzbl (%rax),%eax
0x00007ffff7bc1cf1 <_WM_SetupMidiEvent+3493>: cmp $0xf7,%al
0x00007ffff7bc1cf3 <_WM_SetupMidiEvent+3495>: jne 0x7ffff7bc1ed7 <_WM_SetupMidiEvent+3979>
0x00007ffff7bc1cf9 <_WM_SetupMidiEvent+3501>: movb $0x41,-0x40(%rbp)
0x00007ffff7bc1cfd <_WM_SetupMidiEvent+3505>: movb $0x10,-0x3f(%rbp)
End of assembler dump.
(gdb) i r
rax 0x1006096af 4301297327
rbx 0x0 0
rcx 0x0 0
rdx 0xffffffff 4294967295
rsi 0x6091bc 6328764
rdi 0x6096b0 6330032
rbp 0x7fffffffdbd0 0x7fffffffdbd0
rsp 0x7fffffffdb40 0x7fffffffdb40
r8 0x0 0
r9 0x7ffff78b97b8 140737346508728
r10 0x7ffff78b8760 140737346504544
r11 0xffffff01 4294967041
r12 0x401ea0 4202144
r13 0x7fffffffdf80 140737488347008
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc1cee 0x7ffff7bc1cee <_WM_SetupMidiEvent+3490>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x1006096af
0x1006096af: Cannot access memory at address 0x1006096af
(gdb)

------------------line:2318
//sysex_len , sysex_store_len = 0,sysex_store_len - 1 = 0xFFFFFFFF 0x6096b0 + 0xFFFFFFFF = 0x1006096af

sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;

if (sysex_store[sysex_store_len - 1] == 0xF7) {
uint8_t rolandsysexid[] = { 0x41, 0x10, 0x42, 0x12 };

This vulnerability has been assigned as CVE-2017-11661

the _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
274 if (*tracks[i] > 0x7f) {
(gdb) bt
#0 0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
#1 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe325 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#2 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc59d9,0x00007ffff7bc59ff
Dump of assembler code from 0x7ffff7bc59d9 to 0x7ffff7bc59ff:
=> 0x00007ffff7bc59d9 <_WM_ParseNewMidi+2974>: movzbl (%rax),%eax
0x00007ffff7bc59dc <_WM_ParseNewMidi+2977>: test %al,%al
0x00007ffff7bc59de <_WM_ParseNewMidi+2979>: jns 0x7ffff7bc5a6d <_WM_ParseNewMidi+3122>
0x00007ffff7bc59e4 <_WM_ParseNewMidi+2985>: mov -0x68(%rbp),%eax
0x00007ffff7bc59e7 <_WM_ParseNewMidi+2988>: lea 0x0(,%rax,4),%rdx
0x00007ffff7bc59ef <_WM_ParseNewMidi+2996>: mov -0x18(%rbp),%rax
0x00007ffff7bc59f3 <_WM_ParseNewMidi+3000>: add %rax,%rdx
0x00007ffff7bc59f6 <_WM_ParseNewMidi+3003>: mov -0x68(%rbp),%eax
0x00007ffff7bc59f9 <_WM_ParseNewMidi+3006>: lea 0x0(,%rax,4),%rcx
End of assembler dump.
(gdb) i r
rax 0x7093a2 7377826
rbx 0x0 0
rcx 0x60909d 6328477
rdx 0x8 8
rsi 0x60909d 6328477
rdi 0x7ffff7f87010 140737353642000
rbp 0x7fffffffdc60 0x7fffffffdc60
rsp 0x7fffffffdbe0 0x7fffffffdbe0
r8 0x0 0
r9 0x7ffff78b97b8 140737346508728
r10 0x7fffffffd900 140737488345344
r11 0x7ffff7592fd0 140737343205328
r12 0x401ea0 4202144
r13 0x7fffffffdf80 140737488347008
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc59d9 0x7ffff7bc59d9 <_WM_ParseNewMidi+2974>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x7093a2
0x7093a2: Cannot access memory at address 0x7093a2
(gdb)

This vulnerability has been assigned as CVE-2017-11662

the _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid

debug info:
Breakpoint 2, 0x00007ffff7bc1cd4 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
2315 memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7bc1cd9 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe349 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cb9,0x00007ffff7bc1cd9
Dump of assembler code from 0x7ffff7bc1cb9 to 0x7ffff7bc1cd9:
0x00007ffff7bc1cb9 <_WM_SetupMidiEvent+3437>: mov %rax,-0x48(%rbp)
0x00007ffff7bc1cbd <_WM_SetupMidiEvent+3441>: mov -0x5c(%rbp),%edx
0x00007ffff7bc1cc0 <_WM_SetupMidiEvent+3444>: mov -0x54(%rbp),%ecx
0x00007ffff7bc1cc3 <_WM_SetupMidiEvent+3447>: mov -0x48(%rbp),%rax
0x00007ffff7bc1cc7 <_WM_SetupMidiEvent+3451>: add %rax,%rcx
0x00007ffff7bc1cca <_WM_SetupMidiEvent+3454>: mov -0x80(%rbp),%rax
0x00007ffff7bc1cce <_WM_SetupMidiEvent+3458>: mov %rax,%rsi
0x00007ffff7bc1cd1 <_WM_SetupMidiEvent+3461>: mov %rcx,%rdi
0x00007ffff7bc1cd4 <_WM_SetupMidiEvent+3464>: callq 0x7ffff7bb1600 memcpy@plt
End of assembler dump.
(gdb) i r
rax 0x62bbd7 6470615
rbx 0x0 0
rcx 0x7fffe41b6010 140737020387344
rdx 0x3e494d4 65311956
rsi 0x62bbd7 6470615
rdi 0x7fffe41b6010 140737020387344
rbp 0x7fffffffdc00 0x7fffffffdc00
rsp 0x7fffffffdb70 0x7fffffffdb70
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x22 34
r11 0xf78b9701 4153120513
r12 0x401ea0 4202144
r13 0x7fffffffdfb0 140737488347056
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc1cd4 0x7ffff7bc1cd4 <_WM_SetupMidiEvent+3464>
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x44750AB
0x44750ab: Cannot access memory at address 0x44750ab
(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb)
------------------ line:2315
//point:sysex_len is larger than the length of event_data
sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;

This vulnerability has been assigned as CVE-2017-11663

the _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7bc15d0 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62b927 "", running_event=0 '\000')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2122
#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe349 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc15b6,0x00007ffff7bc15d0
Dump of assembler code from 0x7ffff7bc15b6 to 0x7ffff7bc15d0:
0x00007ffff7bc15b6 <_WM_SetupMidiEvent+1642>: mov %rax,-0x50(%rbp)
0x00007ffff7bc15ba <_WM_SetupMidiEvent+1646>: mov -0x60(%rbp),%edx
0x00007ffff7bc15bd <_WM_SetupMidiEvent+1649>: mov -0x80(%rbp),%rcx
0x00007ffff7bc15c1 <_WM_SetupMidiEvent+1653>: mov -0x50(%rbp),%rax
0x00007ffff7bc15c5 <_WM_SetupMidiEvent+1657>: mov %rcx,%rsi
0x00007ffff7bc15c8 <_WM_SetupMidiEvent+1660>: mov %rax,%rdi
0x00007ffff7bc15cb <_WM_SetupMidiEvent+1663>: callq 0x7ffff7bb1600 memcpy@plt
End of assembler dump.
(gdb) i r
rax 0xffff8000086e68a4 -140737346901852
rbx 0x0 0
rcx 0x840e6 540902
rdx 0x42073 270451
rsi 0x62b927 6469927
rdi 0x7ffff7f03010 140737353101328
rbp 0x7fffffffdc00 0x7fffffffdc00
rsp 0x7fffffffdb68 0x7fffffffdb68
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x22 34
r11 0xf7592f01 4149817089
r12 0x401ea0 4202144
r13 0x7fffffffdfb0 140737488347056
r14 0x0 0
r15 0x0 0
rip 0x7ffff7592ffe 0x7ffff7592ffe <__memcpy_sse2_unaligned+46>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x66D99A
0x66d99a: Cannot access memory at address 0x66d99a
(gdb)

----------------line:2122--------------
//the tmp_length is larger than the length of event_data
text = malloc(tmp_length + 1);
memcpy(text, event_data, tmp_length);
text[tmp_length] = '\0';
midi_setup_trackname(mdi, text);

This vulnerability has been assigned as CVE-2017-11664

poc.zip

[psi29a]

Nice! We got our very first CVE! ;)

[psi29a]

So no new release until these are fixed.

[sezero]

I fixed the first crasher wit commit 809e400.

The remaining three may need more work. E.g. crasher-3 crashes because it
reads a crazy sysex_len, and the problem is that _WM_SetupMidiEvent() does
not know anything about the source length. f_midi.c:_WM_ParseNewMidi()
doesn't cache individual track sizes either, so the surgery may need starting
there.

[psi29a]

Nice work, are we going to back port this to 0.3 or are we leaving 0.3 behind now?

[sezero]

Backporting is easy. We have to fix the remaining three crashers first.

[sezero]

patch.txt

Please review the attached patch carefully.

It adds a new size parameter to _WM_SetupMidiEvent() so that it
knows where to stop reading.

• f_mus.c, f_xmidi.c: changes are like one-liner. Read through
  the source carefully though.

• The rest: changes are intrusive and it's very easy to make a
  mistake: please review carefully to see that

  • I didn't touch places where I shouldn't
  • I didn't miss any places that I should have touched.
  • The places I touched are touched correctly

With this, all four crashers are fixed for me.

(Tiny note: without this patch, crasher-1 didn't error out and
played something but with the patch applied it errors out.
(FWIW, libtimidity also does not error out with crasher-1.)
Not something that I worried myself about..)

[qflb]

Nice! I test with the patch , all four crashers are fixed .

[sezero]

Thanks for testing.

However, the patch is intrusive and the parts of the patch touching f_hmi.c
were broken. Fixed version attached (does not affect the crashers here.)

I'm in the process of testing / comparing wav outputs of HMI files from Daggerfall,
which is going fine so far. @psi29a, @chrisisonwildcode, any others: Please review
and test the new patch.

patch2.txt

[psi29a]

I'll review it later today. :)

[psi29a]

Is it not easier to review in a pull request?

[sezero]

On 8/2/17, Bret Curtis ***@***.***> wrote: Is it not easier to review in a pull request?

Well, I felt lazy for it. The patch is there, is it really difficult to review it?

[psi29a]

;) No, but I like if I have comments to place them in the code. shrugs

[sezero]

OK, here it is: 'bug175' branch, commit 660b513

[psi29a]

Will there be any addition changes to the DevTest.c tool?

[sezero]

I won't care about that one will leave that to @chrisisonwildcode

Is the patch good so far?

[psi29a]

I've been reviewing and commenting on it :)
660b513

[sezero]

I removed the branch and merged the changes to master, applying the
suggested cleanups as best as I could. If there are corrections to be made,
please make them on the master branch now. If/when all are OK, please
close this issue as fixed.

[psi29a]

I'll do another test-run through. Thanks for taking this head on!

[psi29a]

FYI with regard to devtest, test midi 3 gives a core dump but the rest of the midis validate as not working correctly with WildMIDI.

I'm going to re-open this ticket until it is fixed. This is not blocker for the 0.4.2 release.

@chrisisonwildcode you agree?

$ ./wildmidi-devtest poc/wildmidi_0.4.2_invalid_memory_read_1.mid
Testing: poc/wildmidi_0.4.2_invalid_memory_read_1.mid
Currupt Midi: expected event, got data
2 notes still on after end of file
FAILED: poc/wildmidi_0.4.2_invalid_memory_read_1.mid will not work correctly with WildMIDI

$ ./wildmidi-devtest poc/wildmidi_0.4.2_invalid_memory_read_2.mid
Testing: poc/wildmidi_0.4.2_invalid_memory_read_2.mid
Corrupt MIDI Data, Bad Port Prefix
Missing or Corrupt MIDI Data 0x0000004d
FAILED: poc/wildmidi_0.4.2_invalid_memory_read_2.mid will not work correctly with WildMIDI

$ ./wildmidi-devtest poc/wildmidi_0.4.2_invalid_memory_read_3.mid
Testing: poc/wildmidi_0.4.2_invalid_memory_read_3.mid
Segmentation fault (core dumped)

$ ./wildmidi-devtest poc/wildmidi_0.4.2_invalid_memory_read_4.mid
Testing: poc/wildmidi_0.4.2_invalid_memory_read_4.mid
Data too short: Missing MIDI Data
Missing or Corrupt MIDI Data 0x00000052
FAILED: poc/wildmidi_0.4.2_invalid_memory_read_4.mid will not work correctly with WildMIDI

[psi29a]

I'm wondering... would it be interesting to have a pre-flight check on a MIDI using something devtest related before rendering?

Perhaps in the wildmidi player itself, or exposed in the library that is used by the player so it can be optional? That way the end-user can get feedback about the MIDI file?

[sezero]

Applied a quick fix to devtest (commit d8a4668).

[psi29a]

me too!
#177

[psi29a]

I'll rebase against yours ;)

[psi29a]

way to take the wind out of my sails @sezero , I thought you didn't want to bother with it. :P

[sezero]

It was just a low hanging apple, so I just did it.

[psi29a]

:) no worries, thank you.

[sezero]

This can be closed as fixed now, I think.

[sezero]

Backported the fixes to wildmidi-0.3: commits a8134de, 0821702, and 08438a3

[sezero]

Backported the DevTest fix to wildmidi-0.3: commit 733bc79