Created attachment 11708: mupdf issues

Hi,

I spent some time fuzzing mupdf (well, in particular the mudraw shell utility) looking for some bugs. I attach my 4 minimized testcases for the bugs and some output that can be helpful. I've done the fuzzing on Linux x64 and retested quickly on OS X 10.10 with the 1.7a version compiled from sources in release mode.

1. Double free / heap issue, classified exploitable by exploitable.py. I have minimized the testcase to obtain mupdf_doublefree.pdf (attached), but it doesn't contain pages, so it is better to reproduce with mudraw instead of mu x11, for example.

Crash report from a non-minimized testcase:

Faulting Frame: fz_free @ 0x0000000000507b95: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Disassembly:
   0x00007ffff7745cb9: movsxd rdx,edi
   0x00007ffff7745cbc: movsxd rsi,esi
   0x00007ffff7745cbf: movsxd rdi,ecx
   0x00007ffff7745cc2: mov eax,0xea
   0x00007ffff7745cc7: syscall
=> 0x00007ffff7745cc9: cmp rax,0xfffffffffffff000
   0x00007ffff7745ccf: ja 0x7ffff7745cea <__GI_raise+90>
   0x00007ffff7745cd1: repz ret
   0x00007ffff7745cd3: nop DWORD PTR [rax+rax*1+0x0]
   0x00007ffff7745cd8: test eax,eax

Stack Head (11 entries):
  __GI_raise @ 0x00007ffff7745cc9: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  __GI_abort @ 0x00007ffff77490d8: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  __libc_message @ 0x00007ffff7782394: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  malloc_printerr @ 0x00007ffff778e66e: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  _int_free @ 0x00007ffff778e66e: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  fz_free @ 0x0000000000507b95: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  fz_drop_shade_imp @ 0x0000000000569e7f: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  evict @ 0x000000000058da86: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  fz_empty_store @ 0x0000000000590838: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_close_document @ 0x0000000000650a70: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  main @ 0x0000000000412a0a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Registers:
  rax=0x0000000000000000 rbx=0x000000000000008f rcx=0xffffffffffffffff rdx=0x0000000000000006
  rsi=0x00000000000021ca rdi=0x00000000000021ca rbp=0x00007fffffffd520 rsp=0x00007fffffffd188
  r8=0x3035633339363130 r9=0x656c65722f646c69 r10=0x0000000000000008 r11=0x0000000000000246
  r12=0x00007fffffffd330 r13=0x0000000000000007 r14=0x000000000000008f r15=0x0000000000000007
  rip=0x00007ffff7745cc9 efl=0x0000000000000246 cs=0x0000000000000033 ss=0x000000000000002b
  ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000

Extra Data:
  Description: Heap error
  Short description: HeapError (10/22)
  Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.

2. Stack overflow issue, classified unknown by exploitable.py. I have minimized the testcase to obtain mupdf_stackoverflow.pdf (attached), but it doesn't contain pages, so it is better to reproduce with mudraw instead of mu x11, for example.

Crash report from a non-minimized testcase:

Faulting Frame: sprintf @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Disassembly:
   0x00007ffff7745cb9: movsxd rdx,edi
   0x00007ffff7745cbc: movsxd rsi,esi
   0x00007ffff7745cbf: movsxd rdi,ecx
   0x00007ffff7745cc2: mov eax,0xea
   0x00007ffff7745cc7: syscall
=> 0x00007ffff7745cc9: cmp rax,0xfffffffffffff000
   0x00007ffff7745ccf: ja 0x7ffff7745cea <__GI_raise+90>
   0x00007ffff7745cd1: repz ret
   0x00007ffff7745cd3: nop DWORD PTR [rax+rax*1+0x0]
   0x00007ffff7745cd8: test eax,eax

Stack Head (22 entries):
  __GI_raise @ 0x00007ffff7745cc9: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  __GI_abort @ 0x00007ffff77490d8: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  __libc_message @ 0x00007ffff7782394: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  __GI___fortify_fail @ 0x00007ffff7819c9c: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  __GI___chk_fail @ 0x00007ffff7818b60: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  _IO_str_chk_overflow @ 0x00007ffff7818069: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  __GI__IO_default_xsputn @ 0x00007ffff778a70c: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  _IO_vfprintf_internal @ 0x00007ffff77597df: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  ___vsprintf_chk @ 0x00007ffff78180f4: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  ___sprintf_chk @ 0x00007ffff781804d: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
  sprintf @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_load_simple_font_by_n @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_load_simple_font @ 0x000000000076cc5c: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_load_font @ 0x000000000076cc5c: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  get_font_info @ 0x0000000000742632: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_update_text_appearanc @ 0x0000000000745b31: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Registers:
  rax=0x0000000000000000 rbx=0x0000000000000074 rcx=0xffffffffffffffff rdx=0x0000000000000006
  rsi=0x000000000000222e rdi=0x000000000000222e rbp=0x00007fffffff9c80 rsp=0x00007fffffff9968
  r8=0x00007ffff7885dc0 r9=0x00000000016513c8 r10=0x0000000000000008 r11=0x0000000000000246
  r12=0x00007fffffff9af0 r13=0x0000000000000005 r14=0x0000000000000074 r15=0x0000000000000005
  rip=0x00007ffff7745cc9 efl=0x0000000000000246 cs=0x0000000000000033 ss=0x000000000000002b
  ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000

Extra Data:
  Description: Abort signal
  Short description: AbortSignal (20/22)
  Explanation: The target is stopped on a SIGABRT. SIGABRTs are often generated by libc and compiled check-code to indicate potentially exploitable conditions. Unfortunately this command does not yet further analyze these crashes.
---END SUMMARY---

---CRASH SUMMARY---
Filename: mupdf_findings_min_testsuite/fuzzer02/crashes/id:000091,sig:11,src:023213+020158,op:splice,rep:8
SHA1: a6af1d4e7de1cc745cbd46ebe4c49c0a07ca36b0
Classification: PROBABLY_NOT_EXPLOITABLE
Hash: 7179cf9721b9eb4a6b9afa3654a7861b.57223ee08c416d6913e924754556f61f
Command: mupdf-1.7a-source/build/release/mudraw -F txt mupdf_findings_min_testsuite/fuzzer02/crashes/id:000091,sig:11,src:023213+020158,op:splice,rep:8
Faulting Frame: pdf_get_xref_entry @ 0x0000000000663d37: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Disassembly:
   0x0000000000663d1a: mov rax,QWORD PTR [rsp+0x10]
   0x0000000000663d1f: mov rcx,QWORD PTR [rsp+0x8]
   0x0000000000663d24: mov rdx,QWORD PTR [rsp]
   0x0000000000663d28: lea rsp,[rsp+0x98]
   0x0000000000663d30: mov rax,QWORD PTR [rbp+0xa0]
=> 0x0000000000663d37: mov rdx,QWORD PTR [rax+0x8]
   0x0000000000663d3b: test rdx,rdx
   0x0000000000663d3e: je 0x663e88 <pdf_get_xref_entry+1464>
   0x0000000000663d44: lea rsp,[rsp-0x98]
   0x0000000000663d4c: mov QWORD PTR [rsp],rdx

Stack Head (11 entries):
  pdf_get_xref_entry @ 0x0000000000663d37: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_cache_object @ 0x000000000067d962: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_resolve_indirect @ 0x0000000000684fe6: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_objcmp_resolve @ 0x00000000005eec2a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_name_eq @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_name_eq @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_repair_obj @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_repair_xref @ 0x0000000000d9e8f7: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_init_document @ 0x0000000000681946: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_open_document @ 0x0000000000682cbb: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  main @ 0x00000000004135a9: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Registers:
  rax=0x0000000000000000 rbx=0x0000000000000002 rcx=0x000000000166a5e8 rdx=0x0000000000000002
  rsi=0x000000000166a4c0 rdi=0x000000000165b010 rbp=0x000000000166a4c0 rsp=0x00007fffffffd160
  r8=0x00000000000005b0 r9=0x0000000000000000 r10=0x0000000000000000 r11=0x000000000167a708
  r12=0x0000000000000006 r13=0x000000000165b070 r14=0x000000000165b010 r15=0x00007fffffffd490
  rip=0x0000000000663d37 efl=0x0000000000010283 cs=0x0000000000000033 ss=0x000000000000002b
  ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000

Extra Data:
  Description: Access violation near NULL on source operand
  Short description: SourceAvNearNull (16/22)
  Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.

3. objcmp issue. The same applies as for the previous issues; classified as probably exploitable. Crash analysis from a non-minimized testcase:

Faulting Frame: pdf_objcmp @ 0x00000000005ed7c8: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Disassembly:
   0x00000000005ed7b4: mov r14,QWORD PTR [rsp+0x38]
   0x00000000005ed7b9: mov r15,QWORD PTR [rsp+0x40]
   0x00000000005ed7be: add rsp,0x48
   0x00000000005ed7c2: ret
   0x00000000005ed7c3: nop DWORD PTR [rax+rax*1+0x0]
=> 0x00000000005ed7c8: cmp BYTE PTR [rsi+0x2],0x6e
   0x00000000005ed7cc: mov eax,0x1
   0x00000000005ed7d1: jne 0x5ed765 <pdf_objcmp+997>
   0x00000000005ed7d3: nop
   0x00000000005ed7d4: lea rsp,[rsp-0x98]

Stack Head (21 entries):
  pdf_objcmp @ 0x00000000005ed7c8: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_name_eq @ 0x000000000061c398: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_name_eq @ 0x000000000061c398: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_stream_has_crypt @ 0x000000000061c398: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_open_raw_filter @ 0x000000000061c398: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_open_filter @ 0x000000000061f0ed: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_open_image_stream @ 0x000000000061f7a6: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_open_contents_stream @ 0x000000000062374a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_process_contents @ 0x0000000000d5c55f: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_run_xobject @ 0x0000000000d859fd: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_process_Do @ 0x0000000000d51496: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_process_keyword @ 0x0000000000d54d49: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_process_stream @ 0x0000000000d5a034: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_process_contents @ 0x0000000000d5c57a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_run_page_contents_wit @ 0x0000000000619c83: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_run_page_contents @ 0x000000000061a8e3: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Registers:
  rax=0x0000000000000170 rbx=0x000000000165b010 rcx=0x000000000000000a rdx=0x0000000000000051
  rsi=0x0000000000000170 rdi=0x000000000165b010 rbp=0x000000000167e9d0 rsp=0x00007fffffffc1f0
  r8=0x00000000000008f0 r9=0x000000000000000b r10=0x0000000000000021 r11=0x000000000165b010
  r12=0x000000000167a6b0 r13=0x000000000166a4c0 r14=0x0000000000000000 r15=0x0000000000000005
  rip=0x00000000005ed7c8 efl=0x0000000000010297 cs=0x0000000000000033 ss=0x000000000000002b
  ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000

Extra Data:
  Description: Access violation near NULL on destination operand
  Short description: DestAvNearNull (15/22)
  Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, there is a chance it could be a NULL dereference.

4. getxref issue, same as the issues before. Classified as probably not exploitable. Crash analysis from a non-minimized testcase:

Faulting Frame: pdf_get_xref_entry @ 0x0000000000663d37: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Disassembly:
   0x0000000000663d1a: mov rax,QWORD PTR [rsp+0x10]
   0x0000000000663d1f: mov rcx,QWORD PTR [rsp+0x8]
   0x0000000000663d24: mov rdx,QWORD PTR [rsp]
   0x0000000000663d28: lea rsp,[rsp+0x98]
   0x0000000000663d30: mov rax,QWORD PTR [rbp+0xa0]
=> 0x0000000000663d37: mov rdx,QWORD PTR [rax+0x8]
   0x0000000000663d3b: test rdx,rdx
   0x0000000000663d3e: je 0x663e88 <pdf_get_xref_entry+1464>
   0x0000000000663d44: lea rsp,[rsp-0x98]
   0x0000000000663d4c: mov QWORD PTR [rsp],rdx

Stack Head (11 entries):
  pdf_get_xref_entry @ 0x0000000000663d37: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_cache_object @ 0x000000000067d962: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_resolve_indirect @ 0x0000000000684fe6: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_objcmp_resolve @ 0x00000000005eec2a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_name_eq @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_name_eq @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_repair_obj @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_repair_xref @ 0x0000000000d9e8f7: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_init_document @ 0x0000000000681946: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  pdf_open_document @ 0x0000000000682cbb: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
  main @ 0x00000000004135a9: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw

Registers:
  rax=0x0000000000000000 rbx=0x0000000000000011 rcx=0x000000000166a5e8 rdx=0x0000000000000011
  rsi=0x000000000166a4c0 rdi=0x000000000165b010 rbp=0x000000000166a4c0 rsp=0x00007fffffffd160
  r8=0x00000000000005b0 r9=0x0000000000000000 r10=0x0000000000000000 r11=0x000000000167a744
  r12=0x0000000000000006 r13=0x000000000165b070 r14=0x000000000165b010 r15=0x00007fffffffd490
  rip=0x0000000000663d37 efl=0x0000000000010287 cs=0x0000000000000033 ss=0x000000000000002b
  ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000

Extra Data:
  Description: Access violation near NULL on source operand
  Short description: SourceAvNearNull (16/22)
  Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.

If you need the non-minimized testcases or additional information, please let me know.

Thanks,
Marco
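The second backtrace in the report above is glibc's FORTIFY_SOURCE check (___sprintf_chk -> __chk_fail -> abort) catching sprintf() writing past a fixed-size buffer in pdf_load_simple_font_by_name while a font name taken from the document is formatted. The following is an added illustration of that bug class and its usual fix, written for this page; it is not mupdf's code, and FONT_NAME_MAX, the "%s-%s" format, the function names and the 200-byte /BaseFont input are all hypothetical choices made for the example. The unsafe variant is included only for contrast and is never called.

```c
#include <stdio.h>
#include <string.h>

/* Size of the hypothetical fixed-size scratch buffer a caller keeps on its
 * stack. Illustrates the pattern FORTIFY flagged in the report above; this is
 * not mupdf's actual code or buffer size. */
#define FONT_NAME_MAX 64

/* Unsafe variant. sprintf() does not know how large dst is, so a /BaseFont
 * string from the PDF that is longer than the remaining room overruns the
 * caller's stack frame. Built with -D_FORTIFY_SOURCE=2, glibc detects this
 * at run time and aborts via __sprintf_chk -> __chk_fail, which is the
 * backtrace in issue 2; without FORTIFY the frame is silently corrupted.
 * Kept only for contrast; nothing below calls it. */
void build_font_name_unsafe(char *dst, const char *base, const char *style)
{
    sprintf(dst, "%s-%s", base, style);
}

/* Bounded variant. snprintf() never writes more than dstsize bytes, and its
 * return value (the length the full string would have had) tells us whether
 * anything was cut off. Returns 0 on success and -1 when the name does not
 * fit; a caller should then treat the font name as malformed rather than
 * continue with a silently truncated one. */
int build_font_name(char *dst, size_t dstsize, const char *base, const char *style)
{
    int n = snprintf(dst, dstsize, "%s-%s", base, style);
    if (n < 0 || (size_t)n >= dstsize) {
        if (dstsize > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed attacker-style input: a 200-byte /BaseFont made of 'A's, far
 * longer than FONT_NAME_MAX. Expected result: -1 (rejected, nothing overrun). */
int demo_long_name(void)
{
    char buf[FONT_NAME_MAX];
    char evil[201];
    memset(evil, 'A', sizeof evil - 1);
    evil[sizeof evil - 1] = '\0';
    return build_font_name(buf, sizeof buf, evil, "Bold");
}

/* Benign input that fits. Returns 0 only if the call succeeded AND the
 * buffer holds the expected "Helvetica-Bold". */
int demo_short_name(void)
{
    char buf[FONT_NAME_MAX];
    if (build_font_name(buf, sizeof buf, "Helvetica", "Bold") != 0)
        return -1;
    return strcmp(buf, "Helvetica-Bold");
}

int main(void)
{
    printf("200-byte /BaseFont -> %d (rejected)\n", demo_long_name());
    printf("Helvetica/Bold     -> %d (ok)\n", demo_short_name());
    return 0;
}
```

The point of returning an error instead of truncating is that a silently shortened font name is itself a correctness bug (it may resolve to the wrong font or to none), so the bounded call alone is not the whole fix; the caller has to act on the return value.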
I believe that the commit below fixes the problem illustrated by mupdf_doublefree.pdf from issues.zip:
http://git.ghostscript.com/?p=user/sebras/mupdf.git;a=commit;h=8832b9a6a0444a0c3df2e5b3ce4cb00807dabd1a

Marco Grassi, do you mind explaining how you ran afl-fuzz to find these?
Another two bugs are fixed here:
http://git.ghostscript.com/?p=user/sebras/mupdf.git;a=commit;h=106028f987f40352fe611c487945fedf99165b18
and
http://git.ghostscript.com/?p=user/sebras/mupdf.git;a=commit;h=52180016685d587e78a81a315b7763694db5b116
Many thanks for these. Testing with the latest release version on Windows shows no crashes. Testing with valgrind on 64-bit Ubuntu shows no leaks or illegal accesses. I can only think that we've fixed the issues. If you do not believe this to be the case, please let us know! Thanks again.