Date: Mon, 5 Oct 2015 08:14:31 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1

>
> Could you please share your fuzzed sample?

Sure! Please find attached the compressed test case as well as a minimal
example of a vulnerable program: it is just a call to
gdk_pixbuf_new_from_file_at_size. Trying to attach the test case in the
last version of Evolution will also produce a crash.

A detailed backtrace of the heap overflow is here:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized out>,
src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4,
    src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24,
render_y1=<optimized out>,
    render_x1=6, render_y0=<optimized out>, render_x0=0,
dest_buf=<optimized out>) at pixops.c:332
332        pixops.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized
out>, src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4,
    src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24,
render_y1=<optimized out>,
    render_x1=6, render_y0=<optimized out>, render_x0=0,
dest_buf=<optimized out>) at pixops.c:332
#1  _pixops_scale_real (interp_type=interp_type@...ry=PIXOPS_INTERP_NEAREST,
scale_y=1, scale_x=1, src_has_alpha=1, src_channels=4,
    src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_has_alpha=<optimized out>, dest_channels=4,
    dest_rowstride=24, render_y1=<optimized out>, render_x1=6,
render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at
pixops.c:2207
#2  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@...ry=6,
dest_height=dest_height@...ry=65532, dest_rowstride=24, dest_channels=4,
    dest_has_alpha=<optimized out>, src_buf=0x7fffb599b010 "",
src_width=65519, src_height=4096, src_rowstride=262076, src_channels=4,
    src_has_alpha=1, dest_x=dest_x@...ry=0, dest_y=dest_y@...ry=0,
dest_region_width=dest_region_width@...ry=6,
    dest_region_height=dest_region_height@...ry=4096,
offset_x=offset_x@...ry=-32768, offset_y=<optimized out>,
scale_x=scale_x@...ry=1,
    scale_y=scale_y@...ry=1,
interp_type=interp_type@...ry=PIXOPS_INTERP_NEAREST)
at pixops.c:2285
#3  0x00007ffff7bc6a2d in gdk_pixbuf_scale (src=0x6288a0, dest=0x628850,
dest_x=0, dest_y=0, dest_width=6, dest_height=4096, offset_x=-32768,
    offset_y=<optimized out>, scale_x=1, scale_y=1,
interp_type=GDK_INTERP_NEAREST) at gdk-pixbuf-scale.c:147
#4  0x00007ffff595b40b in gif_get_lzw (context=0x6160e0) at io-gif.c:967
#5  gif_main_loop (context=context@...ry=0x6160e0) at io-gif.c:1424
#6  0x00007ffff595ba4c in gdk_pixbuf__gif_image_load_increment
(data=0x6160e0, buf=0x60fa0c "GIF89a\357\377", size=1357, error=<optimized
out>)
    at io-gif.c:1610
#7  0x00007ffff7bc5a45 in gdk_pixbuf_loader_load_module
(loader=loader@...ry=0x60f2a0,
image_type=image_type@...ry=0x0,
    error=error@...ry=0x7ffffffee478) at gdk-pixbuf-loader.c:445
#8  0x00007ffff7bc62b8 in gdk_pixbuf_loader_close
(loader=loader@...ry=0x60f2a0,
error=error@...ry=0x7fffffffe548) at gdk-pixbuf-loader.c:810
#9  0x00007ffff7bc3e2a in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffffffe890 "sigsegv.gif", width=<optimized out>,
height=<optimized out>,
    preserve_aspect_ratio=<optimized out>, error=0x7fffffffe548) at
gdk-pixbuf-io.c:1372
#10 0x0000000000400838 in main ()
(gdb) x/i $rip
=> 0x7ffff7bced38 <_pixops_scale+1048>:        mov    (%r9),%r15d
(gdb) info registers
rax            0x7ffff7e4c010        140737352351760
rbx            0x80068000        2147909632
rcx            0x0        0
rdx            0x80008000        2147516416
rsi            0x7fffb599b010        140736240136208
rdi            0x7ffff7e4c010        140737352351760
rbp            0x80068000        0x80068000
rsp            0x7ffffffee130        0x7ffffffee130
r8             0x1000        4096
r9             0x7fffb597b028        140736240005160
r10            0x10000        65536
r11            0x80068000        2147909632
r12            0x4        4
r13            0x8000        32768
r14            0x80008000        2147516416
r15            0x7ffff7e4c010        140737352351760
rip            0x7ffff7bced38        0x7ffff7bced38 <_pixops_scale+1048>
eflags         0x10206        [ PF IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0

and the valgrind report:

==8162== Memcheck, a memory error detector
==8162== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8162== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright
info
==8162== Command: ../bins/gdk-pixbuf sigsegv.gif
==8162==
==8162== Warning: set address range perms: large range [0x3a00e040,
0x79fca040) (undefined)
==8162== Invalid read of size 4
==8162==    at 0x4E4CD38: _pixops_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E44A2C: gdk_pixbuf_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x74B540A: gif_main_loop (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x4E43A44: gdk_pixbuf_loader_load_module (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E442B7: gdk_pixbuf_loader_close (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x400837: main (in
/home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162==  Address 0x39fee058 is in the BSS segment of
/usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Invalid read of size 4
==8162==    at 0x4E4CD48: _pixops_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E44A2C: gdk_pixbuf_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x74B540A: gif_main_loop (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x4E43A44: gdk_pixbuf_loader_load_module (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E442B7: gdk_pixbuf_loader_close (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x400837: main (in
/home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162==  Address 0x39fee058 is in the BSS segment of
/usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Warning: set address range perms: large range [0x3a00e028,
0x79fca058) (noaccess)
Gerror: GIF file was missing some data (perhaps it was truncated somehow?)

>
>
> Thanks,
> Andreas
>
> --
> Andreas Stieger <astieger@...e.com>
> Project Manager Security
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB
> 21284 (AG Nürnberg)
>
>


// gcc pixbuf_vuln_poc.c -o pixbuf_vuln_poc  `pkg-config --libs --cflags gdk-pixbuf-2.0`
#include <stdio.h>
#include <gdk-pixbuf/gdk-pixbuf.h>

int main(int argc, char **argv) {
    GdkPixbuf* buf;
    int size = 180;          // target width/height; the image is scaled to fit
    GError* err = NULL;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <image file>\n", argv[0]);
        return 1;
    }

    // Loads and scales the file; the crash reported above happens inside this call.
    buf = gdk_pixbuf_new_from_file_at_size(argv[1], size, size, &err);

    if (err) {
        printf("Gerror: %s\n", err->message);
        g_error_free(err);
    }

    if (buf)   // NULL when loading failed; g_object_unref(NULL) would only warn
        g_object_unref(buf);
    return 0;
}
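A structural pre-check for GIF input, added here as an example and not part of the original report or of gdk-pixbuf: it walks the block layout and flags frames that extend past the logical screen or exceed a pixel budget, the kind of oversized geometry visible in the backtrace above (src_width=65519, src_height=4096). The sample files, the 64 Mpixel budget and the make_gif helper are constructed for the example.

```python
import struct
MAX_PIXELS = 64 * 1024 * 1024  # constructed budget: refuse frames larger than this

def _skip_subblocks(data, pos):
    """Advance past a chain of data sub-blocks (length byte + payload, 0 ends)."""
    while pos < len(data):
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def _color_table_size(packed):
    """Bytes used by a color table announced in a packed field (0 if absent)."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0

def check_gif(data, max_pixels=MAX_PIXELS):
    """Walk the GIF block layout; return problems found (empty list = consistent geometry)."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF header"]
    sw, sh, packed = struct.unpack_from("<HHB", data, 6)  # logical screen descriptor
    pos, frame, problems = 13 + _color_table_size(packed), 0, []
    try:
        while pos < len(data):
            tag = data[pos]
            if tag == 0x3B:  # trailer: end of stream
                return problems
            if tag == 0x21:  # extension: label byte, then sub-blocks
                pos = _skip_subblocks(data, pos + 2)
            elif tag == 0x2C:  # image descriptor: 9 bytes after the tag
                left, top, w, h, lpacked = struct.unpack_from("<HHHHB", data, pos + 1)
                if left + w > sw or top + h > sh:
                    problems.append(f"frame {frame}: {w}x{h} at ({left},{top}) exceeds screen {sw}x{sh}")
                if w * h > max_pixels:
                    problems.append(f"frame {frame}: {w}x{h} exceeds pixel cap")
                frame += 1
                # skip the local color table, the LZW minimum code size byte, then the data sub-blocks
                pos = _skip_subblocks(data, pos + 10 + _color_table_size(lpacked) + 1)
            else:
                return problems + [f"unknown block 0x{tag:02x} at offset {pos}"]
    except (ValueError, struct.error) as exc:
        return problems + [f"malformed: {exc}"]
    return problems + ["missing trailer (truncated file)"]

def make_gif(sw, sh, left, top, w, h):
    """Constructed minimal GIF: header, screen without global table, one frame, trailer."""
    header = b"GIF89a" + struct.pack("<HHBBB", sw, sh, 0, 0, 0)
    desc = b"\x2c" + struct.pack("<HHHHB", left, top, w, h, 0)
    lzw = b"\x02\x02\x4c\x01\x00"  # min code size, one 2-byte sub-block, terminator
    return header + desc + lzw + b"\x3b"
```

The check inspects geometry only; a file that passes it can still carry a malformed LZW stream, so it is a filter in front of the decoder, not a replacement for fixing the loader.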

