Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 5 Oct 2015 08:10:39 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Heap overflow and DoS with a tga file
 in gdk-pixbuf < 2.32.1

2015-10-05 7:18 GMT-03:00 Andreas Stieger <astieger@...e.com>:

> Hello,
>
> On 10/01/2015 04:56 PM, Gustavo Grieco wrote:
> > Do you also need a crasher and a stack trace?
>
> Could you make them available please?
>

Sure! Please find attached the two test cases as well as a minimal example
of a vulnerable program: it is just a call to
gdk_pixbuf_new_from_file_at_size. Also, a detailed backtrace of the heap
overflow is here:

Starting program: pixbuf_vuln_poc overflow.tga
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
scale_line (weights=weights@...ry=0x2aab3c468c10, n_x=148, n_y=148,
dest=dest@...ry=0x630ee0 "", dest_x=dest_x@...ry=0,
    dest_end=dest_end@...ry=0x631144 "", dest_channels=dest_channels@...ry=4,
dest_has_alpha=dest_has_alpha@...ry=1, src=src@...ry=0x63ce60,
    src_channels=src_channels@...ry=4, src_has_alpha=src_has_alpha@...ry=1,
x_init=<optimized out>, x_step=x_step@...ry=9629110,
    src_width=src_width@...ry=22627, check_size=check_size@...ry=0,
color1=color1@...ry=0, color2=color2@...ry=0) at pixops.c:974
974
(gdb) bt
#0  scale_line (weights=weights@...ry=0x2aab3c468c10, n_x=148, n_y=148,
dest=dest@...ry=0x630ee0 "", dest_x=dest_x@...ry=0,
    dest_end=dest_end@...ry=0x631144 "", dest_channels=dest_channels@...ry=4,
dest_has_alpha=dest_has_alpha@...ry=1, src=src@...ry=0x63ce60,
    src_channels=src_channels@...ry=4, src_has_alpha=src_has_alpha@...ry=1,
x_init=<optimized out>, x_step=x_step@...ry=9629110,
    src_width=src_width@...ry=22627, check_size=check_size@...ry=0,
color1=color1@...ry=0, color2=color2@...ry=0) at pixops.c:974
#1  0x00002aaaaace5698 in pixops_process (dest_buf=<optimized out>,
render_x0=0, render_y0=<optimized out>, render_x1=<optimized out>,
    render_y1=<optimized out>, dest_rowstride=<optimized out>,
dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "",
src_width=22627,
    src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1,
scale_x=<optimized out>, scale_y=<optimized out>, check_x=0, check_y=0,
    check_size=0, color1=0, color2=0, filter=0x7ffffffedc90,
line_func=0x2aaaaace3c10 <scale_line>, pixel_func=0x2aaaaace49a0
<scale_pixel>)
    at pixops.c:1366
#2  0x00002aaaaace5f09 in _pixops_scale_real
(interp_type=PIXOPS_INTERP_BILINEAR, interp_type@...ry
=PIXOPS_INTERP_NEAREST,
    scale_y=0,0068091545299791946, scale_x=0,0068060281964025283,
src_has_alpha=1, src_channels=4, src_rowstride=90508, src_height=26435,
    src_width=22627, src_buf=0x2aaaad14f010 "", dest_has_alpha=1,
dest_channels=4, dest_rowstride=616, render_y1=<optimized out>,
render_x1=154,
    render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at
pixops.c:2230
#3  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@...ry=154,
dest_height=dest_height@...ry=180, dest_rowstride=616, dest_channels=4,
    dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627,
src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1,
    dest_x=dest_x@...ry=0, dest_y=dest_y@...ry=0,
dest_region_width=dest_region_width@...ry=154,
dest_region_height=dest_region_height@...ry=180,
    offset_x=offset_x@...ry=0, offset_y=<optimized out>,
scale_x=scale_x@...ry=0,0068060281964025283, scale_y=scale_y@...ry
=0,0068091545299791946,
    interp_type=interp_type@...ry=PIXOPS_INTERP_BILINEAR) at pixops.c:2285
#4  0x00002aaaaacdda2d in gdk_pixbuf_scale (src=0x618000, dest=0x618050,
dest_x=0, dest_y=0, dest_width=154, dest_height=180, offset_x=0,
    offset_y=<optimized out>, scale_x=0,0068060281964025283,
scale_y=0,0068091545299791946, interp_type=GDK_INTERP_BILINEAR) at
gdk-pixbuf-scale.c:147
#5  0x00002aaaaacde07a in gdk_pixbuf_scale_simple (src=src@...ry=0x618000,
dest_width=154, dest_height=dest_height@...ry=180,
    interp_type=interp_type@...ry=GDK_INTERP_BILINEAR) at
gdk-pixbuf-scale.c:321
#6  0x00002aaaaacdf340 in get_scaled_pixbuf (scaled=0x616440,
pixbuf=0x618000) at gdk-pixbuf-scaled-anim.c:138
#7  0x00002aaaaacdae88 in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffffffe36b "overflow.tga", width=<optimized out>,
height=<optimized out>,
    preserve_aspect_ratio=<optimized out>, error=0x7fffffffdee0) at
gdk-pixbuf-io.c:1377
#8  0x00000000004007b8 in main ()

(gdb) x/i $rip
=> 0x2aaaaace3dd0 <scale_line+448>:        movzbl 0x3(%rcx),%edx
(gdb) info registers
rax            0x0        0
rbx            0x94        148
rcx            0x2aaa2d6d51c4        46910394945988
rdx            0x0        0
rsi            0x4        4
rdi            0x2aab3c468c10        46914939030544
rbp            0x2aab3c468e60        0x2aab3c468e60
rsp            0x7ffffffeda18        0x7ffffffeda18
r8             0x0        0
r9             0x0        0
r10            0x0        0
r11            0x0        0
r12            0x0        0
r13            0x63ce60        6540896
r14            0x2aab3c468c10        46914939030544
r15            0x94        148
rip            0x2aaaaace3dd0        0x2aaaaace3dd0 <scale_line+448>
eflags         0x10202        [ IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0

And the backtrace of the DoS here:

Starting program: pixbuf_vuln_poc DoS.tga
[Depuración de hilo usando libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at
io-tga.c:367
367
(gdb) bt
#0  0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at
io-tga.c:367
#1  parse_data_for_row (err=0x7ffffffede28, ctx=0x614ca0) at io-tga.c:413
#2  gdk_pixbuf__tga_load_increment (data=0x614ca0, buffer=<optimized out>,
size=<optimized out>, err=0x7ffffffede28) at io-tga.c:922
#3  0x00002aaaaacdca45 in gdk_pixbuf_loader_load_module
(loader=loader@...ry=0x60f200,
image_type=image_type@...ry=0x0,
    error=error@...ry=0x7ffffffede28) at gdk-pixbuf-loader.c:445
#4  0x00002aaaaacdd2b8 in gdk_pixbuf_loader_close
(loader=loader@...ry=0x60f200,
error=error@...ry=0x7fffffffdef0) at gdk-pixbuf-loader.c:810
#5  0x00002aaaaacdae2a in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffffffe370 "DoS.tga", width=<optimized out>,
height=<optimized out>,
    preserve_aspect_ratio=<optimized out>, error=0x7fffffffdef0) at
gdk-pixbuf-io.c:1372
#6  0x00000000004007b8 in main ()

(gdb) x/i $rip
=> 0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>:        mov
 0x8(%rdx),%rdx
(gdb) info registers
rax            0x6163e0        6382560
rbx            0x614ca0        6376608
rcx            0x7        7
rdx            0x0        0
rsi            0x611b02        6363906
rdi            0x618000        6389760
rbp            0x7ffffffede28        0x7ffffffede28
rsp            0x7ffffffedd80        0x7ffffffedd80
r8             0x616200        6382080
r9             0x6163e7        6382567
r10            0x8        8
r11            0x2aaaaaf05c10        46912500685840
r12            0x0        0
r13            0x0        0
r14            0x15        21
r15            0xb        11
rip            0x2aaaacf4c384        0x2aaaacf4c384
<gdk_pixbuf__tga_load_increment+612>
eflags         0x10202        [ IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0


>
> Thanks,
> Andreas
>
> --
> Andreas Stieger <astieger@...e.com>
> Project Manager Security
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB
> 21284 (AG Nürnberg)
>
>
>

Content of type "text/html" skipped

Download attachment "overflow.tga.gz" of type "application/x-gzip" (105 bytes)

Download attachment "DoS.tga.gz" of type "application/x-gzip" (60 bytes)

View attachment "pixbuf_vuln_poc.c" of type "text/x-csrc" (397 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.