oss-sec mailing list archives
graphicsmagick: use-after-free in ReadWMFImage (wmf.c)
From: "Agostino Sarubbo" <ago () gentoo org>
Date: Fri, 18 Aug 2017 13:54:06 +0000
Description:
graphicsmagick is a collection of tools and libraries for many image formats.

The complete ASan output of the issue:

# gm convert -negate -clip $FILE out
==24889==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000005c0 at pc 0x7fca38d0da52 bp 0x7ffc6119c090 sp 0x7ffc6119c088
READ of size 8 at 0x60c0000005c0 thread T0
    #0 0x7fca38d0da51 in ReadWMFImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/wmf.c:2720:5
    #1 0x7fca3e7e7e88 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #2 0x7fca3e67af18 in ConvertImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:4348:22
    #3 0x7fca3e6b70c5 in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #4 0x7fca3e76285b in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #5 0x7fca3e75f991 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #6 0x7fca3cfca680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419cd8 in _init (/usr/bin/gm+0x419cd8)

0x60c0000005c0 is located 64 bytes inside of 120-byte region [0x60c000000580,0x60c0000005f8)
freed by thread T0 here:
    #0 0x4cf4d0 in __interceptor_cfree /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:55
    #1 0x7fca38ac70cd in wmf_lite_destroy /var/tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:336

previously allocated by thread T0 here:
    #0 0x4cf688 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fca38ac72f7 in wmf_malloc /var/tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:482

SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/wmf.c:2720:5 in ReadWMFImage
Shadow bytes around the buggy address:
  0x0c187fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff8070: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff8080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff8090: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff80a0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x0c187fff80b0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fa
  0x0c187fff80c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff80d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff80f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff8100: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24889==ABORTING

Affected version:
1.3.26

Fixed version:
N/A

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-12936

Reproducer:
https://github.com/asarubbo/poc/blob/master/00302-graphicsmagick-UAF-ReadWMFImage

Timeline:
2017-07-14: bug discovered and reported to upstream
2017-07-26: upstream released a fix
2017-08-05: blog post about the issue
2017-08-18: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet.
This work is also supported by the Core Infrastructure Initiative.

Permalink:
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-use-after-free-in-readwmfimage-wmf-c/

--
Agostino Sarubbo
Gentoo Linux Developer
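The ASan report above carries everything a triager needs: the error class, the faulting access, the application frame that performed it, and the two stacks that tell where the region was freed and originally allocated. The following script is an added example (not part of the advisory or of GraphicsMagick) that pulls those fields out of a sanitizer report so fuzzing crashes can be bucketed automatically. The sample input is the report from this post, trimmed to the lines the parser uses; the skipping of ASan's own interceptor frames is a heuristic of this example, not a guarantee of the report format.

```python
import os
import re

# Sample input: the relevant lines of the AddressSanitizer report from this
# advisory (shadow-byte dump and the lower frames of the crash stack omitted).
ASAN_REPORT = """\
==24889==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000005c0 at pc 0x7fca38d0da52 bp 0x7ffc6119c090 sp 0x7ffc6119c088
READ of size 8 at 0x60c0000005c0 thread T0
    #0 0x7fca38d0da51 in ReadWMFImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/wmf.c:2720:5
    #1 0x7fca3e7e7e88 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #2 0x7fca3e67af18 in ConvertImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:4348:22
    #7 0x419cd8 in _init (/usr/bin/gm+0x419cd8)
0x60c0000005c0 is located 64 bytes inside of 120-byte region [0x60c000000580,0x60c0000005f8)
freed by thread T0 here:
    #0 0x4cf4d0 in __interceptor_cfree /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:55
    #1 0x7fca38ac70cd in wmf_lite_destroy /var/tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:336
previously allocated by thread T0 here:
    #0 0x4cf688 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fca38ac72f7 in wmf_malloc /var/tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:482
SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/wmf.c:2720:5 in ReadWMFImage
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
FRAME_RE = re.compile(r"#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")


def parse_loc(loc):
    """Split 'path/file.c:LINE[:COL]' into (file, line); keep raw text if it is not source-located."""
    m = LOC_RE.match(loc)
    if not m:
        return loc, None
    return m.group("file"), int(m.group("line"))


def parse_frames(lines):
    frames = []
    for ln in lines:
        m = FRAME_RE.search(ln)
        if m:
            file, line = parse_loc(m.group("loc"))
            frames.append({"func": m.group("func"), "file": file, "line": line})
    return frames


def first_app_frame(frames):
    """Return the first frame that is not ASan's own allocator interceptor (heuristic)."""
    for f in frames:
        if f["func"].startswith("__interceptor_") or "/lib/asan/" in f["file"]:
            continue
        return f
    return None


def triage(report):
    """Extract the fields that identify the bug: class, access, crash site, free site, alloc site."""
    sections = {"access": [], "freed": [], "allocated": []}
    current = None
    result = {"kind": None, "addr": None, "access": None, "region": None}
    for ln in report.splitlines():
        stripped = ln.strip()
        if (m := ERROR_RE.search(stripped)):
            result["kind"], result["addr"] = m.group("kind"), m.group("addr")
            current = "access"
        elif (m := ACCESS_RE.match(stripped)):
            result["access"] = (m.group("op"), int(m.group("size")))
        elif (m := REGION_RE.search(stripped)):
            result["region"] = (int(m.group("off")), int(m.group("size")))
        elif stripped.startswith("freed by"):
            current = "freed"
        elif stripped.startswith("previously allocated by"):
            current = "allocated"
        elif stripped.startswith("SUMMARY:"):
            break
        elif current and FRAME_RE.search(stripped):
            sections[current].append(stripped)
    for name, lines in sections.items():
        result["crash" if name == "access" else name] = first_app_frame(parse_frames(lines))
    return result


def summarize(r):
    """One-line bucket key suitable for deduplicating fuzzer crashes."""
    def at(f):
        return f"{f['func']} ({os.path.basename(f['file'])}:{f['line']})"
    op, size = r["access"]
    return (f"{r['kind']}: {op} of {size} bytes in {at(r['crash'])}; "
            f"freed in {at(r['freed'])}; allocated in {at(r['allocated'])}")


if __name__ == "__main__":
    print(summarize(triage(ASAN_REPORT)))
```

The summary line pairs the crash site with the free site, which is the pairing that matters for a use-after-free: here the region freed inside libwmf's wmf_lite_destroy is still read by ReadWMFImage, so the fix belongs in the caller's ordering of that read against the destroy call, which is what the linked upstream commit addresses.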