oss-sec mailing list archives
?????? [oss-security] 3 bugs refer to buffer overflow in in libtiff 4.0.6
From: "PXO????" <271193918 () qq com>
Date: Wed, 27 Apr 2016 16:01:42 +0800
It seems not a patch upstream. The bugs detail I add as follows: 3 bugs: one stack buffer overflow in thumbnail and two heap buffer overflows in bmp2tiff. Because they deal with different buffer(stack and heap), stack trace of alloc and read are also different. ##################################### 1) stack buffer overflow in thumbnail ##################################### Memory corruption bugs can be triggered when thumbnail function _TIFFVGetField handling maliciously crafted tiff file, it will cause the target application to crash. overview: alloc workflow: thumbnail.c:147 read workflow : --> thumbnail.c:124 // if (!cpIFD(in, out) || !TIFFWriteDirectory(out)) --> thumbnail.c:373 // cpTags(in, out) --> thumbnail.c:297 // cpTag(in, out, p->tag, p->count, p->type) --> thumbnail.c:152 // CopyField(tag, shortv) --> tif_dir.c:1158 // status = TIFFVGetField(tif, tag, ap); --> tif_dir.c:1174 // return (fip && (isPseudoTag(tag) || TIFFFieldSet(tif, fip->field_bit)) ? (*tif->tif_tagmethods.vgetfield)(tif, tag, ap) : 0); --> tif_dir.c:1053 // *va_arg(ap, uint32*) = (uint32)tv->count; my gdb log as follows: 1) gdb --args thumbnail poc1.tiff out.tiff // crash Program received signal SIGSEGV, Segmentation fault. 0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073 1073 *va_arg(ap, void **) = tv->value; (gdb) p tv->value $1 = (void *) 0x651240 (gdb) info registers rax 0x1 1 rbx 0x147 327 rcx 0x0 0 rdx 0x651240 6623808 rsi 0x147 327 rdi 0x7fffffffdc30 140737488346160 rbp 0x7fffffffdca8 0x7fffffffdca8 rsp 0x7fffffffdc70 0x7fffffffdc70 r8 0x3 3 r9 0x7ffff7acd7b8 140737348687800 r10 0x2 2 r11 0x0 0 r12 0x6512e0 6623968 r13 0x651120 6623520 r14 0x6605c0 6686144 r15 0x650010 6619152 rip 0x404c90 0x404c90 <_TIFFVGetField+4784> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 (gdb) x/i $rip => 0x404c90 <_TIFFVGetField+4784>: mov %rdx,(%rax) (gdb) x/x $ebx 0x147: Cannot access memory at address 0x147 (gdb) bt #0 0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073 #1 0x0000000000407177 in TIFFGetField (tif=<optimized out>, tag=tag@entry=327) at tif_dir.c:1158 #2 0x00000000004023a9 in cpTag (in=in@entry=0x650930, out=out@entry=0x650010, tag=327, count=<optimized out>, type=<optimized out>) at thumbnail.c:152 #3 0x00000000004019fb in cpTags (out=<optimized out>, in=<optimized out>) at thumbnail.c:297 #4 cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:373 #5 main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:124 (gdb) 2) gdb thumbnail b main b thumbnail.c:124 // 124, if (!cpIFD(in, out) || !TIFFWriteDirectory(out)), this function is called many times b thumbnail.c:373 b thumbnail.c:297 b thumbnail.c:152 // 152, CopyField(tag, shortv); b tif_dir.c:1158 // 1158, status = TIFFVGetField(tif, tag, ap), this function is called many times b tif_dir.c:1073 r poc1.tiff out.tiff (gdb) r poc1.tiff out.tiff Starting program: /usr/local/bin/thumbnail poc1.tiff out.tiff TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered. TIFFReadDirectory: Warning, Unknown field with tag 128 (0x80) encountered. TIFFReadDirectory: Warning, Unknown field with tag 4608 (0x1200) encountered. TIFFReadDirectory: Warning, Unknown field with tag 5888 (0x1700) encountered. TIFFReadDirectory: Warning, Unknown field with tag 8960 (0x2300) encountered. TIFFReadDirectory: Warning, Unknown field with tag 18247 (0x4747) encountered. TIFFReadDirectory: Warning, Unknown field with tag 327 (0x147) encountered. TIFFReadDirectory: Warning, Unknown field with tag 5146 (0x141a) encountered. TIFFFetchNormalTag: Warning, Incorrect count for "ModeNumber"; tag ignored. TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations. TIFFReadDirectory: Warning, Ignoring ColorMap since BitsPerSample tag not found. TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. ...... ...... Breakpoint 1, TIFFGetField (tif=0x650930, tag=tag@entry=305) at tif_dir.c:1158 1158 status = TIFFVGetField(tif, tag, ap); (gdb) bt #0 TIFFGetField (tif=0x650930, tag=tag@entry=305) at tif_dir.c:1158 #1 0x0000000000402231 in cpTag (in=in@entry=0x650930, out=out@entry=0x650010, tag=tag@entry=305, count=count@entry=65535, type=type@entry=TIFF_ASCII) at thumbnail.c:205 #2 0x000000000040192e in generateThumbnail (out=0x650010, in=0x650930) at thumbnail.c:645 #3 main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:122 (gdb) c Continuing. Breakpoint 1, TIFFGetField (tif=0x650930, tag=tag@entry=270) at tif_dir.c:1158 1158 status = TIFFVGetField(tif, tag, ap); (gdb) bt #0 TIFFGetField (tif=0x650930, tag=tag@entry=270) at tif_dir.c:1158 #1 0x0000000000402231 in cpTag (in=in@entry=0x650930, out=out@entry=0x650010, tag=tag@entry=270, count=count@entry=65535, type=type@entry=TIFF_ASCII) at thumbnail.c:205 #2 0x0000000000401949 in generateThumbnail (out=0x650010, in=0x650930) at thumbnail.c:646 #3 main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:122 ...... ...... Breakpoint 1, TIFFGetField (tif=tif@entry=0x650930, tag=tag@entry=259) at tif_dir.c:1158 1158 status = TIFFVGetField(tif, tag, ap); ...... ...... (gdb) c Continuing. Breakpoint 1, TIFFGetField (tif=0x650930, tag=tag@entry=327) at tif_dir.c:1158 1158 status = TIFFVGetField(tif, tag, ap); (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073 1073 *va_arg(ap, void **) = tv->value; (gdb) c When tag=tag@entry=327 , crash happens 3) If we make a breakpoint in tif_dir.c:1073 Program received signal SIGSEGV, Segmentation fault. 0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073 1073 *va_arg(ap, void **) = tv->value; (gdb) bt #0 0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073 #1 0x0000000000407177 in TIFFGetField (tif=<optimized out>, tag=tag@entry=327) at tif_dir.c:1158 #2 0x00000000004023a9 in cpTag (in=in@entry=0x650930, out=out@entry=0x650010, tag=327, count=<optimized out>, type=<optimized out>) at thumbnail.c:152 #3 0x00000000004019fb in cpTags (out=<optimized out>, in=<optimized out>) at thumbnail.c:297 #4 cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:373 #5 main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:124 (gdb) list tif_dir.c:1073 1068 if (fip->field_type == TIFF_ASCII 1069 || fip->field_readcount == TIFF_VARIABLE 1070 || fip->field_readcount == TIFF_VARIABLE2 1071 || fip->field_readcount == TIFF_SPP 1072 || tv->count > 1) { 1073 *va_arg(ap, void **) = tv->value; // tv->value 1074 ret_val = 1; 1075 } else { 1076 char *val = (char *)tv->value; 1077 assert( tv->count == 1 ); (gdb) memory error can be detected by asan and log as follows: ==31486==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfabce80 at pc 0x8058db9 bp 0xbfabcc98 sp 0xbfabcc8c WRITE of size 4 at 0xbfabce80 thread T0 #0 0x8058db8 in _TIFFVGetField /root/AFL/bin/tiff-4.0.6-ASAN/libtiff/tif_dir.c:1053 #1 0x8059dae in TIFFVGetField /root/AFL/bin/tiff-4.0.6-ASAN/libtiff/tif_dir.c:1174 #2 0x8059c25 in TIFFGetField /root/AFL/bin/tiff-4.0.6-ASAN/libtiff/tif_dir.c:1158 #3 0x80499b1 in cpTag /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:152 #4 0x804a0e6 in cpTags /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:297 #5 0x804a776 in cpIFD /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:373 #6 0x8049808 in main /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:124 #7 0xb70a0a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82) #8 0x80492d0 (/root/AFL/bin/tiff-4.0.6-ASAN/tools/crashes/thumbnail+0x80492d0) Address 0xbfabce80 is located in stack of thread T0 at offset 96 in frame #0 0x8049885 in cpTag /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:147 This frame has 7 object(s): [32, 34) 'shortv1' [96, 98) 'shortv1' <== Memory access at offset 96 partially overflows this variable [160, 164) 'tr' [224, 228) 'tg' [288, 292) 'tb' [352, 356) 'doubleav' [416, 424) 'ifd8' HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /root/AFL/bin/tiff-4.0.6-ASAN/libtiff/tif_dir.c:1053 _TIFFVGetField Shadow bytes around the buggy address: 0x37f57980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x37f57990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x37f579a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 0x37f579b0: f1 f1 04 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 0x37f579c0: 00 00 00 00 f1 f1 f1 f1 02 f4 f4 f4 f2 f2 f2 f2 =>0x37f579d0:[02]f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 0x37f579e0: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 0x37f579f0: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f3 f3 f3 f3 0x37f57a00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 0x37f57a10: 02 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 0x37f57a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==31486==ABORTING #################################### 2) heap buffer overflow in bmp2tiff #################################### Memory corruption bugs can be triggered when bmp2tiff handling maliciously crafted bmp file, it will cause the target application to crash. overview: alloc workflow: --> bmp2tiff.c:line 672 , comprbuf = (unsigned char *) _TIFFmalloc( compr_size ) // allocate space for compressed scanline buffer --> allocate space for compressed scanline buffer --> _TIFFmalloc in libtiff/tif_unix.c:line 316 --> call malloc read workflow : from bmp2tiff.c:line 745 to line 752 if (comprbuf[i] == 0) /* Next scanline */ i++; else if (comprbuf[i] == 1) /* End of image */ break; else if (comprbuf[i] == 2) { /* Move to... */ i++; if (i < compr_size - 1) { j+=comprbuf[i]+comprbuf[i+1]*width; // line 752 i += 2; } bmp2tiff.c:line 752 deals with comprbuf and does not check the length of Image width. memory error can be detected by asan and log as follows: root@debug:~/Desktop/AFL/tiff-4.0.6-Asan/tools/crashes# ./bmp2tiff poc_745.bmp 1.tiff ================================================================= ==2557==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff9 at pc 0x403b67 bp 0x7ffd894ad1a0 sp 0x7ffd894ad198 READ of size 1 at 0x60300000eff9 thread T0 #0 0x403b66 in main /root/Desktop/AFL/tiff-4.0.6-Asan/tools/bmp2tiff.c:745 #1 0x7f3722bd1ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #2 0x4019f8 (/root/Desktop/AFL/tiff-4.0.6-Asan/tools/crashes/bmp2tiff+0x4019f8) 0x60300000eff9 is located 0 bytes to the right of 25-byte region [0x60300000efe0,0x60300000eff9) allocated by thread T0 here: #0 0x7f37232cf7ef in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547ef) #1 0x45d76e in _TIFFmalloc /root/Desktop/AFL/tiff-4.0.6-Asan/libtiff/tif_unix.c:316 #2 0x403277 in main /root/Desktop/AFL/tiff-4.0.6-Asan/tools/bmp2tiff.c:672 #3 0x7f3722bd1ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Desktop/AFL/tiff-4.0.6-Asan/tools/bmp2tiff.c:745 main Shadow bytes around the buggy address: 0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c067fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00[01] 0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==2557==ABORTING #################################### 3) heap buffer overflow in bmp2tiff #################################### Memory corruption bugs can be triggered when bmp2tiff handling maliciously crafted bmp file, it will cause the target application to crash. overview: alloc workflow: --> bmp2tiff.c:line 678 , uncomprbuf = (unsigned char *)_TIFFmalloc(uncompr_size) //allocate space for uncompressed scanline buffer --> allocate space for compressed scanline buffer --> _TIFFmalloc in libtiff/tif_unix.c:line 316 read workflow : from bmp2tiff.c:line 775 to line 752 --> bmp2tiff.c:775 // if (TIFFWriteScanline(out, uncomprbuf + (length - row - 1) * width, row, 0) < 0) --> tif_write.c:173 // status = (*tif->tif_encoderow)(tif, (uint8*) buf, tif->tif_scanlinesize, sample); --> tif_packbits.c:85 // PackBitsEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) --> for (; cc > 0 && b == *bp; cc--, bp++) PackBitsEncode.c:line 85 does not check the length of bp passed through buf. memory error can be detected by asan and log as follows: root@debug:~/Desktop/AFL/tiff-4.0.6/tools# ./bmp2tiff ./crashes/poc_775.bmp 1.tiff================================================================= ==2525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310000107fd at pc 0x4870a0 bp 0x7fff3553b750 sp 0x7fff3553b748 READ of size 1 at 0x6310000107fd thread T0 #0 0x48709f in PackBitsEncode /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_packbits.c:85 #1 0x458563 in TIFFWriteScanline /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_write.c:173 #2 0x403f83 in main /root/Desktop/AFL/tiff-4.0.6/tools/bmp2tiff.c:775 #3 0x7f8f61e1aec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #4 0x4019f8 (/root/Desktop/AFL/tiff-4.0.6/tools/bmp2tiff+0x4019f8) 0x6310000107fd is located 0 bytes to the right of 65533-byte region [0x631000000800,0x6310000107fd) allocated by thread T0 here: #0 0x7f8f625187ef in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547ef) #1 0x45d76e in _TIFFmalloc /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_unix.c:316 #2 0x4032b4 in main /root/Desktop/AFL/tiff-4.0.6/tools/bmp2tiff.c:678 #3 0x7f8f61e1aec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_packbits.c:85 PackBitsEncode Shadow bytes around the buggy address: 0x0c627fffa0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05] 0x0c627fffa100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==2525==ABORTING ------------------ From Debug_Orz ------------------ ???????? ------------------ ??????: "Jodie Cunningham";<jodie.cunningham () gmail com>; ????????: 2016??4??27??(??????) ????12:26 ??????: "oss-security"<oss-security () lists openwall com>; ????: Re: [oss-security] 3 bugs refer to buffer overflow in in libtiff 4.0.6 On Tue, Apr 26, 2016 at 10:36 PM, PXO???? <271193918 () qq com> wrote:
Hello oss-security, I did some test and found three bugs refer to buffer overflow: one stack buffer overflow in thumbnail and two buffer overflows in bmp2tiff. Please let me know whether CVE Identifier number could be assigned. Overview: Running each poc file crashes thumbnail and bmp2tiff made with AddressSanitizer in tiff-4.0.6. I have attached poc and log files . ------------------ From Debug_Orz
Is there a patch upstream?
Current thread:
- 3 bugs refer to buffer overflow in in libtiff 4.0.6 PXO???? (Apr 26)
- Re: 3 bugs refer to buffer overflow in in libtiff 4.0.6 Jodie Cunningham (Apr 26)
- ?????? [oss-security] 3 bugs refer to buffer overflow in in libtiff 4.0.6 PXO???? (Apr 27)
- Re: 3 bugs refer to buffer overflow in in libtiff 4.0.6 Bob Friesenhahn (Apr 27)
- Re: 3 bugs refer to buffer overflow in in libtiff 4.0.6 cve-assign (Jun 06)
- Re: 3 bugs refer to buffer overflow in in libtiff 4.0.6 Jodie Cunningham (Apr 26)