oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: Heap overflow and DoS with a tga file in gdk-pixbuf < 2.32.1

From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 5 Oct 2015 08:10:39 -0300
2015-10-05 7:18 GMT-03:00 Andreas Stieger <astieger () suse com>:


Hello,

On 10/01/2015 04:56 PM, Gustavo Grieco wrote:

Do you also need a crasher and a stack trace?


Could you make them available please?



Sure! Please find attached the two test cases as well as a minimal example
of a vulnerable program: it is just a call to
gdk_pixbuf_new_from_file_at_size. Also, a detailed backtrace of the heap
overflow is here:

Starting program: pixbuf_vuln_poc overflow.tga
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148,
dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0,
    dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4,
dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60,
    src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1,
x_init=<optimized out>, x_step=x_step@entry=9629110,
    src_width=src_width@entry=22627, check_size=check_size@entry=0,
color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
974
(gdb) bt
#0  scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148,
dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0,
    dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4,
dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60,
    src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1,
x_init=<optimized out>, x_step=x_step@entry=9629110,
    src_width=src_width@entry=22627, check_size=check_size@entry=0,
color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
#1  0x00002aaaaace5698 in pixops_process (dest_buf=<optimized out>,
render_x0=0, render_y0=<optimized out>, render_x1=<optimized out>,
    render_y1=<optimized out>, dest_rowstride=<optimized out>,
dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "",
src_width=22627,
    src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1,
scale_x=<optimized out>, scale_y=<optimized out>, check_x=0, check_y=0,
    check_size=0, color1=0, color2=0, filter=0x7ffffffedc90,
line_func=0x2aaaaace3c10 <scale_line>, pixel_func=0x2aaaaace49a0
<scale_pixel>)
    at pixops.c:1366
#2  0x00002aaaaace5f09 in _pixops_scale_real
(interp_type=PIXOPS_INTERP_BILINEAR, interp_type@entry
=PIXOPS_INTERP_NEAREST,
    scale_y=0,0068091545299791946, scale_x=0,0068060281964025283,
src_has_alpha=1, src_channels=4, src_rowstride=90508, src_height=26435,
    src_width=22627, src_buf=0x2aaaad14f010 "", dest_has_alpha=1,
dest_channels=4, dest_rowstride=616, render_y1=<optimized out>,
render_x1=154,
    render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at
pixops.c:2230
#3  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=154,
dest_height=dest_height@entry=180, dest_rowstride=616, dest_channels=4,
    dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627,
src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1,
    dest_x=dest_x@entry=0, dest_y=dest_y@entry=0,
dest_region_width=dest_region_width@entry=154,
dest_region_height=dest_region_height@entry=180,
    offset_x=offset_x@entry=0, offset_y=<optimized out>,
scale_x=scale_x@entry=0,0068060281964025283, scale_y=scale_y@entry
=0,0068091545299791946,
    interp_type=interp_type@entry=PIXOPS_INTERP_BILINEAR) at pixops.c:2285
#4  0x00002aaaaacdda2d in gdk_pixbuf_scale (src=0x618000, dest=0x618050,
dest_x=0, dest_y=0, dest_width=154, dest_height=180, offset_x=0,
    offset_y=<optimized out>, scale_x=0,0068060281964025283,
scale_y=0,0068091545299791946, interp_type=GDK_INTERP_BILINEAR) at
gdk-pixbuf-scale.c:147
#5  0x00002aaaaacde07a in gdk_pixbuf_scale_simple (src=src@entry=0x618000,
dest_width=154, dest_height=dest_height@entry=180,
    interp_type=interp_type@entry=GDK_INTERP_BILINEAR) at
gdk-pixbuf-scale.c:321
#6  0x00002aaaaacdf340 in get_scaled_pixbuf (scaled=0x616440,
pixbuf=0x618000) at gdk-pixbuf-scaled-anim.c:138
#7  0x00002aaaaacdae88 in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffffffe36b "overflow.tga", width=<optimized out>,
height=<optimized out>,
    preserve_aspect_ratio=<optimized out>, error=0x7fffffffdee0) at
gdk-pixbuf-io.c:1377
#8  0x00000000004007b8 in main ()

(gdb) x/i $rip
=> 0x2aaaaace3dd0 <scale_line+448>:        movzbl 0x3(%rcx),%edx
(gdb) info registers
rax            0x0        0
rbx            0x94        148
rcx            0x2aaa2d6d51c4        46910394945988
rdx            0x0        0
rsi            0x4        4
rdi            0x2aab3c468c10        46914939030544
rbp            0x2aab3c468e60        0x2aab3c468e60
rsp            0x7ffffffeda18        0x7ffffffeda18
r8             0x0        0
r9             0x0        0
r10            0x0        0
r11            0x0        0
r12            0x0        0
r13            0x63ce60        6540896
r14            0x2aab3c468c10        46914939030544
r15            0x94        148
rip            0x2aaaaace3dd0        0x2aaaaace3dd0 <scale_line+448>
eflags         0x10202        [ IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0

And the backtrace of the DoS here:

Starting program: pixbuf_vuln_poc DoS.tga
[Depuración de hilo usando libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at
io-tga.c:367
367
(gdb) bt
#0  0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at
io-tga.c:367
#1  parse_data_for_row (err=0x7ffffffede28, ctx=0x614ca0) at io-tga.c:413
#2  gdk_pixbuf__tga_load_increment (data=0x614ca0, buffer=<optimized out>,
size=<optimized out>, err=0x7ffffffede28) at io-tga.c:922
#3  0x00002aaaaacdca45 in gdk_pixbuf_loader_load_module
(loader=loader@entry=0x60f200,
image_type=image_type@entry=0x0,
    error=error@entry=0x7ffffffede28) at gdk-pixbuf-loader.c:445
#4  0x00002aaaaacdd2b8 in gdk_pixbuf_loader_close
(loader=loader@entry=0x60f200,
error=error@entry=0x7fffffffdef0) at gdk-pixbuf-loader.c:810
#5  0x00002aaaaacdae2a in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffffffe370 "DoS.tga", width=<optimized out>,
height=<optimized out>,
    preserve_aspect_ratio=<optimized out>, error=0x7fffffffdef0) at
gdk-pixbuf-io.c:1372
#6  0x00000000004007b8 in main ()

(gdb) x/i $rip
=> 0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>:        mov
 0x8(%rdx),%rdx
(gdb) info registers
rax            0x6163e0        6382560
rbx            0x614ca0        6376608
rcx            0x7        7
rdx            0x0        0
rsi            0x611b02        6363906
rdi            0x618000        6389760
rbp            0x7ffffffede28        0x7ffffffede28
rsp            0x7ffffffedd80        0x7ffffffedd80
r8             0x616200        6382080
r9             0x6163e7        6382567
r10            0x8        8
r11            0x2aaaaaf05c10        46912500685840
r12            0x0        0
r13            0x0        0
r14            0x15        21
r15            0xb        11
rip            0x2aaaacf4c384        0x2aaaacf4c384
<gdk_pixbuf__tga_load_increment+612>
eflags         0x10202        [ IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0




Thanks,
Andreas

--
Andreas Stieger <astieger () suse com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB
21284 (AG Nürnberg)

Attachment: overflow.tga.gz
Description:

Attachment: DoS.tga.gz
Description:

Attachment: pixbuf_vuln_poc.c
Description:

Previous By Date Next
Previous By Thread Next

Current thread: