Buffer Underflow in ogg123
Hi, I have found a buffer underflow in vorbis-tools version 1.4.3 and would like to report this issue. Could you please confirm if this is a security vulnerability? I am happy to provide any additional information needed.
Summary
A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package. This vulnerability occurs in the remote control functionality when processing malformed input, leading to a stack buffer underflow that can cause application crashes and potentially allow code execution.
Details
- Vulnerability Type: Stack Buffer Underflow
- Version: 1.4.3
- Binary: ogg123
- Function: remotethread() in remote.c
Reproduction
Environment
- Operating System: Ubuntu 22.04 LTS
- Architecture: x86_64
- Compiler: clang with AddressSanitizer (clang version: 14.0.0)
Reproduction steps
# Setup
wget -O- https://github.com/xiph/vorbis-tools/archive/refs/tags/v1.4.3.tar.gz | tar zxv
cd vorbis-tools-1.4.3
cat > build.sh << 'EOF'
#!/bin/bash
./autogen.sh
./configure CC=clang CXX=clang++ \
CFLAGS="-fsanitize=address -g -O1" \
CXXFLAGS="-fsanitize=address -g -O1" \
LDFLAGS="-fsanitize=address"
make
EOF
# Compile with AddressSanitizer
chmod +x build.sh
./build.sh
# Execute
echo -e '\x00K' | ./ogg123/ogg123 -R k
Execution Output
$ echo -e '\x00K' | ./ogg123/ogg123 -R k
@R ogg123 from vorbis-tools 1.4.3
=================================================================
==1634880==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x71b8ebbff5df at pc 0x5a29659f3db7 bp 0x71b8ebbff5b0 sp 0x71b8ebbff5a8
WRITE of size 1 at 0x71b8ebbff5df thread T1
#0 0x5a29659f3db6 in remotethread /root/dataset_rep/vorbis-tools-1.4.3/ogg123/remote.c:153:24
#1 0x71b8ef51eac2 in start_thread nptl/./nptl/pthread_create.c:442:8
#2 0x71b8ef5afa03 in __clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100
Address 0x71b8ebbff5df is located in stack of thread T1 at offset 31 in frame
#0 0x5a29659f38bf in remotethread /root/dataset_rep/vorbis-tools-1.4.3/ogg123/remote.c:127
This frame has 2 object(s):
[32, 1057) 'buf' (line 132) <== Memory access at offset 31 underflows this variable
[1200, 1328) 'fd' (line 136)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T1 created by T0 here:
#0 0x5a296598ebac in __interceptor_pthread_create (/root/dataset_rep/vorbis-tools-1.4.3/ogg123/ogg123+0x97bac) (BuildId: ab2e1c704cceea8cddfb6b90bc39407883baa1be)
#1 0x5a29659f34c8 in remote_mainloop /root/dataset_rep/vorbis-tools-1.4.3/ogg123/remote.c:269:7
#2 0x5a29659ecf4d in main /root/dataset_rep/vorbis-tools-1.4.3/ogg123/ogg123.c:474:5
#3 0x71b8ef4b3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: stack-buffer-underflow /root/dataset_rep/vorbis-tools-1.4.3/ogg123/remote.c:153:24 in remotethread
==1634880==ABORTING
Root Cause Analysis
When the -R argument is included in the parameters, remote_mainloop is called at:
https://github.com/xiph/vorbis-tools/blob/0b3fbf42eb3897d32f4a75baa2dc915a4ca45e8e/ogg123/ogg123.c#L474
remote_mainloop starts remotethread at:
https://github.com/xiph/vorbis-tools/blob/0b3fbf42eb3897d32f4a75baa2dc915a4ca45e8e/ogg123/remote.c#L269
In remotethread, there is a section that processes input received via fgets and uses buf[strlen(buf)-1]=0 to overwrite the trailing newline with a null terminator. However, when EOF or a null character is input at the beginning of the line, strlen returns 0; the index strlen(buf)-1 is computed as an unsigned size_t, so it wraps and the write lands one byte before buf, causing a 1-byte stack buffer underflow.
https://github.com/xiph/vorbis-tools/blob/0b3fbf42eb3897d32f4a75baa2dc915a4ca45e8e/ogg123/remote.c#L153
Security Impact
- Denial of Service: Application crash with simple malformed input
- Code Execution: Potential arbitrary code execution through stack buffer corruption
- Information Disclosure: Stack memory leak and potential ASLR bypass
Proposed Fix
- In remote.c at line 153
// Previous: buf[strlen(buf)-1]=0;
size_t len = strlen(buf);
if (len > 0 && buf[len-1] == '\n') {
buf[len-1] = '\0';
}
- Only accesses buf[len-1] when len > 0
- Verifies the character is actually a newline before removing it
- Prevents the buffer underflow completely
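As an added example (not vorbis-tools' own code), the following C program contrasts the original one-liner with the proposed fix on the report's own input. It assumes the remote-control thread reads a line with fgets into a fixed buffer, as described above, and feeds the constructed bytes through fmemopen so it runs without stdin; the unsafe index is only computed, never written.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Signed form of the index buf[strlen(buf)-1]=0 uses. In the real code it is
 * a size_t, so an empty string wraps it to SIZE_MAX and the store hits the
 * byte before buf: the stack-buffer-underflow ASan reported. Never stored here. */
static long long unsafe_strip_index(const char *buf)
{
    return (long long)strlen(buf) - 1;
}

/* Hardened newline stripping, same logic as the proposed fix. Returns true
 * only when a trailing '\n' was actually removed. */
static bool strip_newline(char *buf)
{
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return true;
    }
    return false;
}

/* Stand-in for the remote-control thread: fgets one line from an in-memory
 * stream (fmemopen, POSIX) instead of stdin, then strip safely. Returns the
 * index the unsafe statement would have written, or -2 if fgets hit EOF. */
static long long simulate_command(const char *input, size_t input_len,
                                  char *buf, size_t bufsz)
{
    FILE *f = fmemopen((void *)input, input_len, "r");
    if (f == NULL) return -3;
    long long idx = -2;
    if (fgets(buf, (int)bufsz, f) != NULL) {
        idx = unsafe_strip_index(buf);   /* -1 means buf[-1]: underflow */
        strip_newline(buf);
    }
    fclose(f);
    return idx;
}

int main(void)
{
    char buf[32];
    const char nul_first[] = "\x00K\n";  /* constructed: the report's input */
    printf("NUL-first line -> unsafe index %lld\n",
           simulate_command(nul_first, sizeof nul_first - 1, buf, sizeof buf));
    printf("normal line    -> unsafe index %lld\n",
           simulate_command("help\n", 5, buf, sizeof buf));
    return 0;
}
```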