Message-ID: <CACn5sdQE8spxUUZCSsXRwxRu-bYbEkWo8M55JwfBCQGaVvL9dw@mail.gmail.com>
Date: Mon, 5 Oct 2015 08:14:31 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1

>
> Could you please share your fuzzed sample?

Sure! Please find attached the compressed test case as well as a minimal
example of a vulnerable program: it is just a call to
gdk_pixbuf_new_from_file_at_size. Trying to attach the test case in the
last version of Evolution will also produce a crash.

A detailed backtrace of the heap overflow is here:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized out>,
src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4,
    src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24,
render_y1=<optimized out>,
    render_x1=6, render_y0=<optimized out>, render_x0=0,
dest_buf=<optimized out>) at pixops.c:332
332        pixops.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized
out>, src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4,
    src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24,
render_y1=<optimized out>,
    render_x1=6, render_y0=<optimized out>, render_x0=0,
dest_buf=<optimized out>) at pixops.c:332
#1  _pixops_scale_real (interp_type=interp_type@...ry=PIXOPS_INTERP_NEAREST,
scale_y=1, scale_x=1, src_has_alpha=1, src_channels=4,
    src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_has_alpha=<optimized out>, dest_channels=4,
    dest_rowstride=24, render_y1=<optimized out>, render_x1=6,
render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at
pixops.c:2207
#2  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@...ry=6,
dest_height=dest_height@...ry=65532, dest_rowstride=24, dest_channels=4,
    dest_has_alpha=<optimized out>, src_buf=0x7fffb599b010 "",
src_width=65519, src_height=4096, src_rowstride=262076, src_channels=4,
    src_has_alpha=1, dest_x=dest_x@...ry=0, dest_y=dest_y@...ry=0,
dest_region_width=dest_region_width@...ry=6,
    dest_region_height=dest_region_height@...ry=4096,
offset_x=offset_x@...ry=-32768, offset_y=<optimized out>,
scale_x=scale_x@...ry=1,
    scale_y=scale_y@...ry=1,
interp_type=interp_type@...ry=PIXOPS_INTERP_NEAREST)
at pixops.c:2285
#3  0x00007ffff7bc6a2d in gdk_pixbuf_scale (src=0x6288a0, dest=0x628850,
dest_x=0, dest_y=0, dest_width=6, dest_height=4096, offset_x=-32768,
    offset_y=<optimized out>, scale_x=1, scale_y=1,
interp_type=GDK_INTERP_NEAREST) at gdk-pixbuf-scale.c:147
#4  0x00007ffff595b40b in gif_get_lzw (context=0x6160e0) at io-gif.c:967
#5  gif_main_loop (context=context@...ry=0x6160e0) at io-gif.c:1424
#6  0x00007ffff595ba4c in gdk_pixbuf__gif_image_load_increment
(data=0x6160e0, buf=0x60fa0c "GIF89a\357\377", size=1357, error=<optimized
out>)
    at io-gif.c:1610
#7  0x00007ffff7bc5a45 in gdk_pixbuf_loader_load_module
(loader=loader@...ry=0x60f2a0,
image_type=image_type@...ry=0x0,
    error=error@...ry=0x7ffffffee478) at gdk-pixbuf-loader.c:445
#8  0x00007ffff7bc62b8 in gdk_pixbuf_loader_close
(loader=loader@...ry=0x60f2a0,
error=error@...ry=0x7fffffffe548) at gdk-pixbuf-loader.c:810
#9  0x00007ffff7bc3e2a in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffffffe890 "sigsegv.gif", width=<optimized out>,
height=<optimized out>,
    preserve_aspect_ratio=<optimized out>, error=0x7fffffffe548) at
gdk-pixbuf-io.c:1372
#10 0x0000000000400838 in main ()
(gdb) x/i $rip
=> 0x7ffff7bced38 <_pixops_scale+1048>:        mov    (%r9),%r15d
(gdb) info registers
rax            0x7ffff7e4c010        140737352351760
rbx            0x80068000        2147909632
rcx            0x0        0
rdx            0x80008000        2147516416
rsi            0x7fffb599b010        140736240136208
rdi            0x7ffff7e4c010        140737352351760
rbp            0x80068000        0x80068000
rsp            0x7ffffffee130        0x7ffffffee130
r8             0x1000        4096
r9             0x7fffb597b028        140736240005160
r10            0x10000        65536
r11            0x80068000        2147909632
r12            0x4        4
r13            0x8000        32768
r14            0x80008000        2147516416
r15            0x7ffff7e4c010        140737352351760
rip            0x7ffff7bced38        0x7ffff7bced38 <_pixops_scale+1048>
eflags         0x10206        [ PF IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0

and the valgrind report:

==8162== Memcheck, a memory error detector
==8162== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8162== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright
info
==8162== Command: ../bins/gdk-pixbuf sigsegv.gif
==8162==
==8162== Warning: set address range perms: large range [0x3a00e040,
0x79fca040) (undefined)
==8162== Invalid read of size 4
==8162==    at 0x4E4CD38: _pixops_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E44A2C: gdk_pixbuf_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x74B540A: gif_main_loop (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x4E43A44: gdk_pixbuf_loader_load_module (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E442B7: gdk_pixbuf_loader_close (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x400837: main (in
/home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162==  Address 0x39fee058 is in the BSS segment of
/usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Invalid read of size 4
==8162==    at 0x4E4CD48: _pixops_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E44A2C: gdk_pixbuf_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x74B540A: gif_main_loop (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x4E43A44: gdk_pixbuf_loader_load_module (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E442B7: gdk_pixbuf_loader_close (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x400837: main (in
/home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162==  Address 0x39fee058 is in the BSS segment of
/usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Warning: set address range perms: large range [0x3a00e028,
0x79fca058) (noaccess)
Gerror: GIF file was missing some data (perhaps it was truncated somehow?)

>
>
> Thanks,
> Andreas
>
> --
> Andreas Stieger <astieger@...e.com>
> Project Manager Security
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
>
>

View attachment "pixbuf_vuln_poc.c" of type "text/x-csrc" (397 bytes)

Download attachment "overflow.gif.gz" of type "application/x-gzip" (449 bytes)
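
An added defensive example, not part of the original message or its attachments: frame #6 of the backtrace shows the file starting with "GIF89a\357\377", and those two bytes read as a little-endian width of 65519, the same value as src_width in the trace. The code below is a size-policy pre-filter an application could run on untrusted GIF data before passing it to a decoder; it goes beyond the header and also checks each frame's declared size. The name gif_dims_ok, the max_dim policy and the sample bytes are assumptions, and this is not the upstream fix.

```c
#include <stddef.h>
#include <string.h>

/* Little-endian 16-bit field, as used throughout the GIF format. */
static unsigned le16(const unsigned char *p) { return p[0] | (p[1] << 8); }
/* Skip data sub-blocks (length byte + data, ended by a zero length byte).
 * Returns the offset past the terminator, or 0 if the buffer is truncated. */
static size_t skip_sub_blocks(const unsigned char *b, size_t n, size_t off)
{
    while (off < n) {
        size_t len = b[off++];
        if (len == 0) return off;
        if (len > n - off) return 0;
        off += len;
    }
    return 0;
}

/* Hypothetical pre-filter (name and policy are assumptions). Returns 1 only if
 * screen and frames fit max_dim; 0 if out of policy, malformed or truncated. */
int gif_dims_ok(const unsigned char *b, size_t n, unsigned max_dim)
{
    if (n < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return 0;
    if (le16(b + 6) > max_dim || le16(b + 8) > max_dim) return 0;
    size_t off = 13;
    if (b[10] & 0x80) off += (size_t)3 << ((b[10] & 7) + 1); /* global table */
    while (off < n) {
        unsigned char tag = b[off++];
        if (tag == 0x3B) return 1;            /* trailer reached */
        if (tag == 0x21) {                    /* extension: label, sub-blocks */
            if (off >= n) return 0;
            off = skip_sub_blocks(b, n, off + 1);
        } else if (tag == 0x2C) {             /* image descriptor, 9 bytes */
            if (n - off < 9) return 0;
            unsigned w = le16(b + off + 4), h = le16(b + off + 6);
            if (!w || !h || w > max_dim || h > max_dim) return 0;
            unsigned char flags = b[off + 8];
            off += 9;
            if (flags & 0x80) off += (size_t)3 << ((flags & 7) + 1);
            if (off >= n) return 0;
            off = skip_sub_blocks(b, n, off + 1); /* +1 skips LZW code size */
        } else return 0;
        if (off == 0) return 0;
    }
    return 0;                                 /* no trailer: truncated */
}

/* Constructed sample: header bytes from frame #6 plus a constructed height. */
static const unsigned char sample_hdr[] = "GIF89a\357\377\000\020\000\000";
```

A filter like this only narrows what reaches the decoder; upgrading gdk-pixbuf to the fixed release named in the subject line remains the actual remedy.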
