Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 20 Jun 2017 14:31:03 +0800 (CST)
From: xiaoqixue_1 <xiaoqixue_1@....com>
To: oss-security@...ts.openwall.com
Subject: CVE-request: heap-buffer-overflow in jasper



Description:
jasper is an open-source initiative to provide a free software-based reference 
implementation of the codec specified in the JPEG-2000 Part-1 standard.


A crafted image causes a read overflow in the latest version 2.0.12. 
And this issue also exsits in the latest commit of github repo. 
(https://github.com/mdadams/jasper)






The complete ASan output:
# ./install/bin/jasper -f $FILE -F /tmp/1.pnm -T pnm
=================================================================
==1220==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee18 at pc 0x7fe8a1e0211b bp 0x7fffb4a6cb20 sp 0x7fffb4a6cb18
READ of size 8 at 0x60300000ee18 thread T0
    #0 0x7fe8a1e0211a in jp2_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:405
    #1 0x7fe8a1ddc192 in jas_image_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_image.c:444
    #2 0x40217a in main /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/appl/jasper.c:236
    #3 0x7fe8a1a00f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x401958 (/data/xqx/tests/libjasper-test/codes/abuild/install/bin/jasper+0x401958)


0x60300000ee18 is located 0 bytes to the right of 24-byte region [0x60300000ee00,0x60300000ee18)
allocated by thread T0 here:
    #0 0x7fe8a2125862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862)
    #1 0x7fe8a1de5ec3 in jas_malloc /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_malloc.c:242
    #2 0x7fe8a1de6072 in jas_alloc2 /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_malloc.c:275
    #3 0x7fe8a1dfb896 in jp2_cdef_getdata /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_cod.c:468
    #4 0x7fe8a1dfaa46 in jp2_box_get /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_cod.c:303
    #5 0x7fe8a1e0015a in jp2_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:159
    #6 0x7fe8a1ddc192 in jas_image_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_image.c:444
    #7 0x40217a in main /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/appl/jasper.c:236
    #8 0x7fe8a1a00f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)


SUMMARY: AddressSanitizer: heap-buffer-overflow /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:405 jp2_decode
Shadow bytes around the buggy address:
  0x0c067fff9d70: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9d80: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff9d90: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff9da0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9db0: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
=>0x0c067fff9dc0: 00 00 00[fa]fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff9dd0: fa fa 00 00 00 02 fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff9de0: 05 fa fa fa 00 00 07 fa fa fa 00 00 00 06 fa fa
  0x0c067fff9df0: 00 00 00 06 fa fa 00 00 00 06 fa fa 00 00 06 fa
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==1220==ABORTING






Affected version:
the Latest version 2.0.12, and also in the latest commit 1cce277.


Fixed version:
N/A


Commit fix:
N/A


Credit:
the bug is found by Qixue Xiao and Kang Li.


CVE:
N/A


Reproducer:
https://github.com/xiaoqx/pocs/blob/master/026-jasper-jps_decode-heapoverflow


Timeline:
2017-06-14: bug discovered and reported upstream


Note:
This bug was found with American Fuzzy Lop.




-- 
xiaoqixue_1@....com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.