Bug 690829

Summary: buffer overflow in errprintf
Product: Ghostscript
Reporter: David Srbecky <dsrbecky>
Component: PS Interpreter
Assignee: Alex Cherepanov <alex>
Status: RESOLVED FIXED
Severity: normal
CC: htl10, jackie.rosen
Priority: P4
Keywords: bountiable
Version: 8.70
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: MS-Publisher-Imagesetter-Portability.ps
MS-Publisher-Imagesetter-Speed.ps
patch

Description David Srbecky 2009-10-18 14:18:55 UTC
The bug is present in 8.70 (8.64 works fine).

The postscript file was generated in Windows by "MS Publisher Imagesetter". (I
was trying to print a test page via IPP)

The bug is only present if the "MS Publisher Imagesetter" postscript setting is
"Optimize for speed".  "Optimize for compatibility" works fine.

I am running Fedora 11 (2.6.30.8-64.fc11.i586).

My printer is HP LaserJet M1120n MFP (using the hplip driver).

I hope this helps.

Stacktrace from /var/log/cups/error_log:

D [18/Oct/2009:22:44:37 +0200] [Job 41] cups_put_params(0x96e116c, 0xbfcba828)
D [18/Oct/2009:22:44:37 +0200] [Job 41] *** buffer overflow detected ***: /usr/bin/gs terminated
D [18/Oct/2009:22:44:37 +0200] [Job 41] ======= Backtrace: =========
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(__fortify_fail+0x40)[0xcd1ec0]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6[0xcd0010]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6[0xccf748]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(_IO_default_xsputn+0xbe)[0xc464ce]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(_IO_vfprintf+0x38da)[0xc1b56a]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(__vsprintf_chk+0xa7)[0xccf7f7]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(errprintf+0x54)[0x6549e4]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(cups_put_params+0xb94)[0x6283e4]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(gs_putdeviceparams+0x4c)[0x641dfc]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8[0x426680]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8[0x3f6e10]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(gs_interpret+0x180)[0x3f7e40]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8[0x3eb4d4]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(gs_main_run_string_end+0x38)[0x3eb518]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(gs_main_run_string_with_length+0x92)[0x3eb952]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(gs_main_run_string+0x4a)[0x3eb9aa]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8[0x3ec780]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8[0x3ed5b0]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(gs_main_init_with_args+0x526)[0x3eee66]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(gsapi_init_with_args+0x3e)[0x3efe6e]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/bin/gs(main+0xbc)[0x80487ec]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(__libc_start_main+0xe6[0xbeda66]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/bin/gs[0x8048691]
Comment 1 Marcos H. Woehrmann 2009-10-19 06:40:39 UTC
Please attach an example PostScript file.
Comment 2 David Srbecky 2009-10-19 08:18:39 UTC
Created attachment 5505 [details]
MS-Publisher-Imagesetter-Portability.ps

Windows test page produced by MS Publisher Imagesetter.  Optimize for
portability.
Comment 3 David Srbecky 2009-10-19 08:19:18 UTC
Created attachment 5506 [details]
MS-Publisher-Imagesetter-Speed.ps

Windows test page produced by MS Publisher Imagesetter.  Optimize for speed.
Comment 4 Ken Sharp 2009-10-19 09:03:15 UTC
Both files work correctly with GS (X11 device) on Fedora with the current HEAD.
This is not a surprise; the stack trace shows:

D [18/Oct/2009:22:44:37 +0200] [Job 41] cups_put_params(0x96e116c, 0xbfcba828)
D [18/Oct/2009:22:44:37 +0200] [Job 41] *** buffer overflow detected ***: /usr/bin/gs terminated
D [18/Oct/2009:22:44:37 +0200] [Job 41] ======= Backtrace: =========
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(__fortify_fail+0x40)[0xcd1ec0]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6[0xcd0010]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6[0xccf748]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(_IO_default_xsputn+0xbe)[0xc464ce]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(_IO_vfprintf+0x38da)[0xc1b56a]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(__vsprintf_chk+0xa7)[0xccf7f7]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(errprintf+0x54)[0x6549e4]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(cups_put_params+0xb94)[0x6283e4]
D [18/Oct/2009:22:44:37 +0200] [Job 41]

Which indicates that cups_put_params, presumably part of CUPS (a CUPS device?),
was executed, and that caused both the call to errprintf and the resulting stack
overflow. 

Since I didn't use CUPS, I didn't get an error....

Trying with the CUPS device, but without invoking CUPS itself (I don't have a
working CUPS setup) did not produce an error on Fedora.
Comment 5 Ralph Giles 2009-10-19 18:25:13 UTC
I cannot reproduce either. Fedora 11 x86_64 with either 8.70 or HEAD (r10180).

I tried:

bin/gs -sDEVICE=cups -o /dev/null MS-Publisher-Imagesetter-Speed.ps

Perhaps we need the job options. Can you give us a command line that fails?
Comment 6 Ralph Giles 2009-10-22 11:17:22 UTC
I also tried 'lpr MS-Publisher-Imagesetter-Speed.ps' and the job printed without
error. That was to a postscript printer though, so it may not have invoked
ghostscript.
Comment 7 Ralph Giles 2009-10-22 11:51:51 UTC
I also tried printing through cups (Fedora 11 x86_64) with the pxlmono driver,
still no reproduction. We'll need more information before we can address this.
Comment 8 Alex Cherepanov 2009-10-23 16:39:57 UTC
I think that the current implementation of errprintf() and outprintf()
is a security hole. It's quite easy to smash the stack using a long message.

First, we can use vsnprintf() to truncate long messages.

Second, it's possible to write a subroutine that either
- estimates the print size and allocates a buffer
- or writes the long messages in parts.
Comment 9 Hin-Tak Leung 2009-10-24 07:46:44 UTC
If you do 'debuginfo-install ghostscript' and manage to reproduce the bug, the
stack trace would show the line numbers, etc., I think; or one could do objdump
/usr/lib/libgs.so.8 to turn those addresses into line numbers.

Also, one of cups's other logs should have the command line used to invoke gs. I
am on Fedora 11 x86_64 and can't reproduce this either.
Comment 10 Henry Stiles 2009-12-17 09:42:27 UTC
make bountiable and assign to alex.
Comment 11 Carl 2009-12-18 02:22:01 UTC
"Comment #25 From Vincent Danen 2009-11-27 10:18:34 EDT -------

This issue does not affect Red Hat Enterprise Linux due to it using the older
versions of ghostscript.

The incorrect debug logging code in gdevcups.c is not present in ghostscript
8.15 and earlier; it was introduced in version 8.64.  Likewise, in order to
exploit this the MediaType string needs to be larger than the 1024-byte buffer
in errprintf, but in older versions of ghostscript, gdevcups does not write out
the MediaType string in its debug logging at all.  There are also no other
calls to errprintf or outprintf that use the %s specifier with user-supplied
strings."

Can someone confirm that 8.15 is not vulnerable?
Comment 12 Hin-Tak Leung 2009-12-18 17:23:15 UTC
> This issue does not affect Red Hat Enterprise Linux due to it using the older
> versions of ghostscript.

> The incorrect debug logging code in gdevcups.c is not present in ghostscript
> 8.15 and earlier; ...

> Can someone confirm that 8.15 is not vulnerable?

That's a non-question - gdevcups.c was not in *GPL* ghostscript 8.15, because it
was only merged in around 8.5x; however, before the 8.5x merge, most Linux
distributions (including RHEL) were shipping ESP ghostscript, which *did* have
gdevcups.c. Whether the gdevcups.c shipped by RHEL in ESP ghostscript is a
question you need to ask Redhat personnel and/or examine what they actually ship
(grab the src rpm).
Comment 13 Alex Cherepanov 2009-12-29 14:20:05 UTC
Created attachment 5827 [details]
patch

Use safer function vsnprintf() instead of vsprintf() for error reporting.
Truncate long messages, issue a warning, and continue.

The patch has been committed as rev. 10568.
Regression testing shows no differences.
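An added illustration of the approach described in comments 8 and 13 (this is not the attached patch or Ghostscript's own code): format into a fixed buffer with vsnprintf(), detect truncation from its return value, warn, and continue. The 1024-byte size comes from the report; the debug format string and the function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed buffer size; 1024 bytes is the size the report quotes for errprintf. */
#define PRINTF_BUF_LENGTH 1024

/*
 * Replacement for a vsprintf()-based error printer. The pre-fix pattern was
 * vsprintf(buf, fmt, args) into a fixed stack buffer, so a %s argument longer
 * than the buffer overran it. vsnprintf() stores at most sizeof buf - 1 bytes
 * plus the NUL and returns the length the full message would have had, so a
 * result >= sizeof buf means the message was truncated: warn and carry on
 * instead of aborting. Returns the number of bytes actually written from buf.
 */
int errprintf_safe(const char *fmt, ...)
{
    char buf[PRINTF_BUF_LENGTH];
    va_list args;
    int needed, count;

    va_start(args, fmt);
    needed = vsnprintf(buf, sizeof buf, fmt, args);
    va_end(args);
    if (needed < 0)                 /* encoding error: emit nothing */
        return 0;
    count = (size_t)needed >= sizeof buf ? (int)(sizeof buf - 1) : needed;
    fwrite(buf, 1, (size_t)count, stderr);
    if (count != needed)
        fputs("\nWarning: error message truncated\n", stderr);
    return count;
}

/* Constructed input: a MediaType value of `len` 'A' bytes (capped at 4095)
   logged through a debug format like the one the report describes; the
   format string itself is hypothetical. */
int log_media_type(size_t len)
{
    char media[4096];

    if (len >= sizeof media)
        len = sizeof media - 1;
    memset(media, 'A', len);
    media[len] = '\0';
    return errprintf_safe("cups_put_params: MediaType=%s\n", media);
}
```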