Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Mar 2017 11:10:14 +0000
From: "Agostino Sarubbo" <ago@...too.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: potrace: heap-based buffer overflow in bm_readbody_bmp (bitmap_io.c) (incomplete fix for CVE-2016-8698)

Description:
potrace is a utility that transforms bitmaps into vector graphics.

A fuzz on 1.14 showed that an overflow previously reported as CVE-2016-8698 was not really fixed. Since there isn’t a public git repository, I uploaded the patch on my ‘poc’ repository on github. The patch was sent from the 
upstream maintainer, Mr. Peter Selinger.

The complete ASan output:

# potrace $FILE
==7325==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x00000051dc51 bp 0x7ffc766b1a30 sp 0x7ffc766b1a28
READ of size 8 at 0x60200000efd0 thread T0
    #0 0x51dc50 in bm_readbody_bmp /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/bitmap_io.c:754:4
    #1 0x51dc50 in bm_read /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/bitmap_io.c:138
    #2 0x510a45 in process_file /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/main.c:1058:9
    #3 0x50dd56 in main /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/main.c:1214:7
    #4 0x7f6c7333e78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x419b68 in getenv (/usr/bin/potrace+0x419b68)

0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x4d2b25 in calloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
    #1 0x519776 in bm_new /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/bitmap.h:121:30
    #2 0x519776 in bm_readbody_bmp /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/bitmap_io.c:574
    #3 0x519776 in bm_read /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/bitmap_io.c:138
    #4 0x510a45 in process_file /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/main.c:1058:9
    #5 0x50dd56 in main /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/main.c:1214:7
    #6 0x7f6c7333e78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/potrace-1.14/work/potrace-1.14/src/bitmap_io.c:754:4 in bm_readbody_bmp
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 04 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7325==ABORTING

Affected version:
1.14

Fixed version:
1.15

Commit fix:
https://github.com/asarubbo/poc/blob/master/00219-potrace-heapoverflow-bm_readbody_bmp-PATCH

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00210-potrace-heapoverflow-bm_readbody_bmp

Timeline:
2017-02-26: bug discovered and reported to upstream
2017-02-28: upstream released a patch
2017-03-03: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/03/03/potrace-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c-incomplete-fix-for-cve-2016-8698

--
Agostino Sarubbo
Gentoo Linux Developer


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.