[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 5 Oct 2015 08:14:31 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Heap overflow with a gif file in
gdk-pixbuf < 2.32.1
>
> Could you please share you fuzzed sample?
Sure!, please find attached the compressed test case as well as a minimal
example of a vulnerable program: it is just a call to
gdk_pixbuf_new_from_file_at_size. Trying to attach the test case in the
last version of Evolution will also produce a crash.
A detailed backtrace of the heap overflow is here:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized out>,
src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4,
src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24,
render_y1=<optimized out>,
render_x1=6, render_y0=<optimized out>, render_x0=0,
dest_buf=<optimized out>) at pixops.c:332
332 pixops.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized
out>, src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4,
src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24,
render_y1=<optimized out>,
render_x1=6, render_y0=<optimized out>, render_x0=0,
dest_buf=<optimized out>) at pixops.c:332
#1 _pixops_scale_real (interp_type=interp_type@...ry=PIXOPS_INTERP_NEAREST,
scale_y=1, scale_x=1, src_has_alpha=1, src_channels=4,
src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_has_alpha=<optimized out>, dest_channels=4,
dest_rowstride=24, render_y1=<optimized out>, render_x1=6,
render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at
pixops.c:2207
#2 _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@...ry=6,
dest_height=dest_height@...ry=65532, dest_rowstride=24, dest_channels=4,
dest_has_alpha=<optimized out>, src_buf=0x7fffb599b010 "",
src_width=65519, src_height=4096, src_rowstride=262076, src_channels=4,
src_has_alpha=1, dest_x=dest_x@...ry=0, dest_y=dest_y@...ry=0,
dest_region_width=dest_region_width@...ry=6,
dest_region_height=dest_region_height@...ry=4096,
offset_x=offset_x@...ry=-32768, offset_y=<optimized out>,
scale_x=scale_x@...ry=1,
scale_y=scale_y@...ry=1,
interp_type=interp_type@...ry=PIXOPS_INTERP_NEAREST)
at pixops.c:2285
#3 0x00007ffff7bc6a2d in gdk_pixbuf_scale (src=0x6288a0, dest=0x628850,
dest_x=0, dest_y=0, dest_width=6, dest_height=4096, offset_x=-32768,
offset_y=<optimized out>, scale_x=1, scale_y=1,
interp_type=GDK_INTERP_NEAREST) at gdk-pixbuf-scale.c:147
#4 0x00007ffff595b40b in gif_get_lzw (context=0x6160e0) at io-gif.c:967
#5 gif_main_loop (context=context@...ry=0x6160e0) at io-gif.c:1424
#6 0x00007ffff595ba4c in gdk_pixbuf__gif_image_load_increment
(data=0x6160e0, buf=0x60fa0c "GIF89a\357\377", size=1357, error=<optimized
out>)
at io-gif.c:1610
#7 0x00007ffff7bc5a45 in gdk_pixbuf_loader_load_module
(loader=loader@...ry=0x60f2a0,
image_type=image_type@...ry=0x0,
error=error@...ry=0x7ffffffee478) at gdk-pixbuf-loader.c:445
#8 0x00007ffff7bc62b8 in gdk_pixbuf_loader_close
(loader=loader@...ry=0x60f2a0,
error=error@...ry=0x7fffffffe548) at gdk-pixbuf-loader.c:810
#9 0x00007ffff7bc3e2a in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffffffe890 "sigsegv.gif", width=<optimized out>,
height=<optimized out>,
preserve_aspect_ratio=<optimized out>, error=0x7fffffffe548) at
gdk-pixbuf-io.c:1372
#10 0x0000000000400838 in main ()
(gdb) x/i $rip
=> 0x7ffff7bced38 <_pixops_scale+1048>: mov (%r9),%r15d
(gdb) info registers
rax 0x7ffff7e4c010 140737352351760
rbx 0x80068000 2147909632 <callto:2147909632>
rcx 0x0 0
rdx 0x80008000 2147516416 <callto:2147516416>
rsi 0x7fffb599b010 140736240136208
rdi 0x7ffff7e4c010 140737352351760
rbp 0x80068000 0x80068000
rsp 0x7ffffffee130 0x7ffffffee130
r8 0x1000 4096
r9 0x7fffb597b028 140736240005160
r10 0x10000 65536
r11 0x80068000 2147909632 <callto:2147909632>
r12 0x4 4
r13 0x8000 32768
r14 0x80008000 2147516416 <callto:2147516416>
r15 0x7ffff7e4c010 140737352351760
rip 0x7ffff7bced38 0x7ffff7bced38 <_pixops_scale+1048>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
and the valgrind report:
==8162== Memcheck, a memory error detector
==8162== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8162== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright
info
==8162== Command: ../bins/gdk-pixbuf sigsegv.gif
==8162==
==8162== Warning: set address range perms: large range [0x3a00e040,
0x79fca040) (undefined)
==8162== Invalid read of size 4
==8162== at 0x4E4CD38: _pixops_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E44A2C: gdk_pixbuf_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x74B540A: gif_main_loop (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162== by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162== by 0x4E43A44: gdk_pixbuf_loader_load_module (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E442B7: gdk_pixbuf_loader_close (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x400837: main (in
/home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162== Address 0x39fee058 is in the BSS segment of
/usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Invalid read of size 4
==8162== at 0x4E4CD48: _pixops_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E44A2C: gdk_pixbuf_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x74B540A: gif_main_loop (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162== by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162== by 0x4E43A44: gdk_pixbuf_loader_load_module (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E442B7: gdk_pixbuf_loader_close (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x400837: main (in
/home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162== Address 0x39fee058 is in the BSS segment of
/usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Warning: set address range perms: large range [0x3a00e028,
0x79fca058) (noaccess)
Gerror: GIF file was missing some data (perhaps it was truncated somehow?)
>
>
> Thanks,
> Andreas
>
> --
> Andreas Stieger <astieger@...e.com>
> Project Manager Security
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB
21284 (AG Nürnberg)
>
>
Content of type "text/html" skipped
View attachment "pixbuf_vuln_poc.c" of type "text/x-csrc" (397 bytes)
Download attachment "overflow.gif.gz" of type "application/x-gzip" (449 bytes)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
