ghostscript 8.63 pdf parsing overflow

sample malformed file:

Program terminated with signal 11, Segmentation fault.
[New process 22489]
#0  0xb7860dde in gs_gc_reclaim () from /usr/lib/libgs.so.8
(gdb) i r
eax            0x41414141       1094795585
ecx            0x8195374        135877492
edx            0x81779a8        135756200
ebx            0xb7c7cff4       -1211641868
esp            0xbfd4fb30       0xbfd4fb30
ebp            0xbfd50278       0xbfd50278
esi            0x8193b28        135871272
edi            0x43434343       1128481603
eip            0xb7860dde       0xb7860dde <gs_gc_reclaim+494>
eflags         0x210287         [ CF PF SF IF RF ID ]
cs             0x73             115
ss             0x7b             123
ds             0x7b             123
es             0x7b             123
fs             0x0              0
gs             0x33             51
(gdb) x/11i $pc
0xb7860dde <gs_gc_reclaim+494>: mov    0xc(%eax),%edx
0xb7860de1 <gs_gc_reclaim+497>: orl    $0xfffffffe,(%esi)
0xb7860de4 <gs_gc_reclaim+500>: test   %edx,%edx
0xb7860de6 <gs_gc_reclaim+502>: je     0xb7860e02 <gs_gc_reclaim+530>
0xb7860de8 <gs_gc_reclaim+504>: mov    %eax,0xc(%esp)
0xb7860dec <gs_gc_reclaim+508>: lea    0xc(%esi),%eax
0xb7860def <gs_gc_reclaim+511>: mov    %eax,0x4(%esp)
0xb7860df3 <gs_gc_reclaim+515>: mov    -0x6c8(%ebp),%eax
0xb7860df9 <gs_gc_reclaim+521>: mov    %edi,0x8(%esp)
0xb7860dfd <gs_gc_reclaim+525>: mov    %eax,(%esp)
0xb7860e00 <gs_gc_reclaim+528>: call   *%edx
(gdb) x/x 0x8193b28
0x8193b28:      0x42424242
(gdb)

analysis shows exploitation is straightforward, since we control eax which gets moved to edx which in turn gets called at gs_gc_reclaim+528

bash$ perl pdf2pspoc.pl ; pdf2ps evil.pdf
   **** Warning: Specified xref location is beyond end of file.
   **** Warning: An error occurred while reading an XREF table.
   **** The file has been damaged. This may have been caused
   **** by a problem while converting or transfering the file.
   **** Ghostscript will attempt to recover the data.
   **** Error reading a content stream. The page may be incomplete.
   **** Unknown operator: '%%EOF'
Error: /typecheck in --run--
Operand stack:
   --nostringval--   --dict:5/14(L)--   F1   20   83   7   0   --nostringval--   Type   Font   Encoding   WinAnsiEncoding   Subtype   14   Type1
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1905   1   3   %oparray_pop   1904   1   3   %oparray_pop   1888   1   3   %oparray_pop   --nostringval--   --nostringval--   2   1   1   --nostringval--   %for_pos_int_continue   --nostringval--   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--   false   1   %stopped_push   --nostringval--   %loop_continue   --nostringval--   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   --nostringval--   %loop_continue   --nostringval--
Dictionary stack:
   --dict:1150/1684(ro)(G)--   --dict:1/20(G)--   --dict:75/200(L)--   --dict:75/200(L)--   --dict:106/127(ro)(G)--   --dict:275/300(ro)(G)--   --dict:24/25(L)--   --dict:4/6(L)--   --dict:25/40(L)--
Current allocation mode is local
Last OS error: 2
GPL Ghostscript 8.63: Unrecoverable error, exit code 1
$

poc to reproduce available via email on request.
Created attachment 5080: poc

This is a Perl script that can be used to create the malformed file. It has been tested on ver. 8.64 as well. The offsets differ, but the bug is the same so it is just a matter of tweaking the buffer / addresses to get code execution.
Alex, we have agreed to let kokanin@gmail.com (knud) work on this and collect the bounty; please confirm the bug and review any subsequent patches.
Interesting that the /BaseFont name is just a skosh over 6800 bytes. This does not correspond to any buffer sizes, and the maximum name length in the scanner is supposed to be 16,383 (if EXTEND_NAMES is 0) or 1,023 (if EXTEND_NAMES is 4, which I _think_ is the default). Since the PS/PDF scanner is part of the interpreter, Alex is definitely the correct person for this assignment.
Fix memory corruption caused by long names. The length of a name in the scanner buffer may exceed the maximum name size and should be checked. The following patch has been committed as rev. 9797. http://ghostscript.com/pipermail/gs-cvs/2009-June/009430.html Regression testing shows no differences.
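As an added illustration of the kind of check the fix above describes (this is not Ghostscript's scanner code, which the report does not show), a name scanner that bounds a name's length against the limits quoted earlier in this report before copying it into its buffer; EXTEND_NAMES being 4 by default is an assumption:

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not Ghostscript's scanner.  The limit mirrors the values
 * quoted in this report: 16383 when EXTEND_NAMES is 0, 1023 when it is 4. */
#define EXTEND_NAMES 4   /* assumed to be the default build setting */
#define MAX_NAME_LEN (EXTEND_NAMES == 0 ? 16383 : 1023)

enum { NAME_OK = 0, NAME_TOO_LONG = -1, NAME_NOT_A_NAME = -2 };

/* Whitespace and PostScript/PDF delimiters end a name token. */
static int is_delim(unsigned char c)
{
    return c <= ' ' || strchr("()<>[]{}/%", c) != NULL;
}

/* Scan a name token such as /BaseFont from src (src_len bytes) into dst
 * (dst_size bytes).  The length is measured and bounded BEFORE any byte is
 * copied, so an over-long name is rejected instead of overrunning the scanner
 * buffer.  On success dst is NUL-terminated; *out_len excludes the '/'. */
int scan_name(const char *src, size_t src_len, char *dst, size_t dst_size,
              size_t *out_len)
{
    size_t n = 0;
    if (src_len == 0 || src[0] != '/')
        return NAME_NOT_A_NAME;
    src++; src_len--;
    while (n < src_len && !is_delim((unsigned char)src[n]))
        n++;
    if (n > MAX_NAME_LEN || n >= dst_size)   /* the check the fix adds */
        return NAME_TOO_LONG;
    memcpy(dst, src, n);
    dst[n] = '\0';
    *out_len = n;
    return NAME_OK;
}

/* Constructed input "/AAA..." with name_len letters (like the ~6800-byte
 * /BaseFont in the report), scanned into a 1024-byte buffer. */
int scan_constructed_name(size_t name_len)
{
    static char src[1 + 16384];
    char dst[1024];
    size_t len;
    if (name_len > 16384) return NAME_TOO_LONG;
    src[0] = '/';
    memset(src + 1, 'A', name_len);
    return scan_name(src, 1 + name_len, dst, sizeof dst, &len);
}
```

A 1023-letter name is accepted, a 1024-letter or 6800-letter one is refused with NAME_TOO_LONG before any byte reaches the buffer.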
*** Bug 690522 has been marked as a duplicate of this bug. ***