Bug 696012

Summary: Some issues found fuzzing mupdf
Product: MuPDF Reporter: Marco Grassi <marco.gra>
Component: fuzzing Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED WORKSFORME    
Severity: normal CC: marco.gra, mehmetgelisin, robin.watts, sebastian.rasmussen, vficaj
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: mupdf issues

Description Marco Grassi 2015-05-26 12:51:58 UTC
Created attachment 11708 [details]
mupdf issues

Hi, 

I spent some time fuzzing mupdf (well, in particular the mudraw shell utility) looking for some bugs.

I attach my 4 minimized testcases for the bugs and some output that can be helpful.

I've done the fuzzing on Linux x64 and retested quickly on OS X 10.10 with the 1.7a version compiled from sources in release mode.

1. double free / heap issue, classified exploitable by exploitable.py. I have minimized the testcase to obtain the attached mupdf_doublefree.pdf, but it doesn't contain pages, so it is better to reproduce with mudraw instead of mu x11, for example.

crash report from a non-minimized testcase:

Faulting Frame:
   fz_free @ 0x0000000000507b95: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Disassembly:
   0x00007ffff7745cb9: movsxd rdx,edi
   0x00007ffff7745cbc: movsxd rsi,esi
   0x00007ffff7745cbf: movsxd rdi,ecx
   0x00007ffff7745cc2: mov eax,0xea
   0x00007ffff7745cc7: syscall
=> 0x00007ffff7745cc9: cmp rax,0xfffffffffffff000
   0x00007ffff7745ccf: ja 0x7ffff7745cea <__GI_raise+90>
   0x00007ffff7745cd1: repz ret
   0x00007ffff7745cd3: nop DWORD PTR [rax+rax*1+0x0]
   0x00007ffff7745cd8: test eax,eax
Stack Head (11 entries):
   __GI_raise                @ 0x00007ffff7745cc9: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI_abort                @ 0x00007ffff77490d8: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __libc_message            @ 0x00007ffff7782394: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   malloc_printerr           @ 0x00007ffff778e66e: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   _int_free                 @ 0x00007ffff778e66e: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   fz_free                   @ 0x0000000000507b95: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   fz_drop_shade_imp         @ 0x0000000000569e7f: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   evict                     @ 0x000000000058da86: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   fz_empty_store            @ 0x0000000000590838: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_close_document        @ 0x0000000000650a70: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   main                      @ 0x0000000000412a0a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Registers:
rax=0x0000000000000000 rbx=0x000000000000008f rcx=0xffffffffffffffff rdx=0x0000000000000006 
rsi=0x00000000000021ca rdi=0x00000000000021ca rbp=0x00007fffffffd520 rsp=0x00007fffffffd188 
 r8=0x3035633339363130  r9=0x656c65722f646c69 r10=0x0000000000000008 r11=0x0000000000000246 
r12=0x00007fffffffd330 r13=0x0000000000000007 r14=0x000000000000008f r15=0x0000000000000007 
rip=0x00007ffff7745cc9 efl=0x0000000000000246  cs=0x0000000000000033  ss=0x000000000000002b 
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000 
Extra Data:
   Description: Heap error
   Short description: HeapError (10/22)
   Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.

2. Stack Overflow issue, classified unknown by exploitable.py. I have minimized the testcase to obtain the attached mupdf_stackoverflow.pdf, but it doesn't contain pages, so it is better to reproduce with mudraw instead of mu x11, for example.

crash report from a non-minimized testcase:

Faulting Frame:
   sprintf @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Disassembly:
   0x00007ffff7745cb9: movsxd rdx,edi
   0x00007ffff7745cbc: movsxd rsi,esi
   0x00007ffff7745cbf: movsxd rdi,ecx
   0x00007ffff7745cc2: mov eax,0xea
   0x00007ffff7745cc7: syscall
=> 0x00007ffff7745cc9: cmp rax,0xfffffffffffff000
   0x00007ffff7745ccf: ja 0x7ffff7745cea <__GI_raise+90>
   0x00007ffff7745cd1: repz ret
   0x00007ffff7745cd3: nop DWORD PTR [rax+rax*1+0x0]
   0x00007ffff7745cd8: test eax,eax
Stack Head (22 entries):
   __GI_raise                @ 0x00007ffff7745cc9: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI_abort                @ 0x00007ffff77490d8: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __libc_message            @ 0x00007ffff7782394: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI___fortify_fail       @ 0x00007ffff7819c9c: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI___chk_fail           @ 0x00007ffff7818b60: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   _IO_str_chk_overflow      @ 0x00007ffff7818069: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __GI__IO_default_xsputn   @ 0x00007ffff778a70c: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   _IO_vfprintf_internal     @ 0x00007ffff77597df: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   ___vsprintf_chk           @ 0x00007ffff78180f4: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   ___sprintf_chk            @ 0x00007ffff781804d: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   sprintf                   @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_load_simple_font_by_n @ 0x00000000007658e1: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_load_simple_font      @ 0x000000000076cc5c: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_load_font             @ 0x000000000076cc5c: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   get_font_info             @ 0x0000000000742632: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_update_text_appearanc @ 0x0000000000745b31: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Registers:
rax=0x0000000000000000 rbx=0x0000000000000074 rcx=0xffffffffffffffff rdx=0x0000000000000006 
rsi=0x000000000000222e rdi=0x000000000000222e rbp=0x00007fffffff9c80 rsp=0x00007fffffff9968 
 r8=0x00007ffff7885dc0  r9=0x00000000016513c8 r10=0x0000000000000008 r11=0x0000000000000246 
r12=0x00007fffffff9af0 r13=0x0000000000000005 r14=0x0000000000000074 r15=0x0000000000000005 
rip=0x00007ffff7745cc9 efl=0x0000000000000246  cs=0x0000000000000033  ss=0x000000000000002b 
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000 
Extra Data:
   Description: Abort signal
   Short description: AbortSignal (20/22)
   Explanation: The target is stopped on a SIGABRT. SIGABRTs are often generated by libc and compiled check-code to indicate potentially exploitable conditions. Unfortunately this command does not yet further analyze these crashes.
---END SUMMARY---
---CRASH SUMMARY---
Filename: mupdf_findings_min_testsuite/fuzzer02/crashes/id:000091,sig:11,src:023213+020158,op:splice,rep:8
SHA1: a6af1d4e7de1cc745cbd46ebe4c49c0a07ca36b0
Classification: PROBABLY_NOT_EXPLOITABLE
Hash: 7179cf9721b9eb4a6b9afa3654a7861b.57223ee08c416d6913e924754556f61f
Command: mupdf-1.7a-source/build/release/mudraw -F txt mupdf_findings_min_testsuite/fuzzer02/crashes/id:000091,sig:11,src:023213+020158,op:splice,rep:8
Faulting Frame:
   pdf_get_xref_entry @ 0x0000000000663d37: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Disassembly:
   0x0000000000663d1a: mov rax,QWORD PTR [rsp+0x10]
   0x0000000000663d1f: mov rcx,QWORD PTR [rsp+0x8]
   0x0000000000663d24: mov rdx,QWORD PTR [rsp]
   0x0000000000663d28: lea rsp,[rsp+0x98]
   0x0000000000663d30: mov rax,QWORD PTR [rbp+0xa0]
=> 0x0000000000663d37: mov rdx,QWORD PTR [rax+0x8]
   0x0000000000663d3b: test rdx,rdx
   0x0000000000663d3e: je 0x663e88 <pdf_get_xref_entry+1464>
   0x0000000000663d44: lea rsp,[rsp-0x98]
   0x0000000000663d4c: mov QWORD PTR [rsp],rdx
Stack Head (11 entries):
   pdf_get_xref_entry        @ 0x0000000000663d37: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_cache_object          @ 0x000000000067d962: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_resolve_indirect      @ 0x0000000000684fe6: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_objcmp_resolve        @ 0x00000000005eec2a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_name_eq               @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_name_eq               @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_repair_obj            @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_repair_xref           @ 0x0000000000d9e8f7: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_init_document         @ 0x0000000000681946: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_open_document         @ 0x0000000000682cbb: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   main                      @ 0x00000000004135a9: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Registers:
rax=0x0000000000000000 rbx=0x0000000000000002 rcx=0x000000000166a5e8 rdx=0x0000000000000002 
rsi=0x000000000166a4c0 rdi=0x000000000165b010 rbp=0x000000000166a4c0 rsp=0x00007fffffffd160 
 r8=0x00000000000005b0  r9=0x0000000000000000 r10=0x0000000000000000 r11=0x000000000167a708 
r12=0x0000000000000006 r13=0x000000000165b070 r14=0x000000000165b010 r15=0x00007fffffffd490 
rip=0x0000000000663d37 efl=0x0000000000010283  cs=0x0000000000000033  ss=0x000000000000002b 
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000 
Extra Data:
   Description: Access violation near NULL on source operand
   Short description: SourceAvNearNull (16/22)
   Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.

3. objcmp issue. The same applies as for the previous issues; classified as probably exploitable.

crash analysis from a non-minimized testcase:

Faulting Frame:
   pdf_objcmp @ 0x00000000005ed7c8: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Disassembly:
   0x00000000005ed7b4: mov r14,QWORD PTR [rsp+0x38]
   0x00000000005ed7b9: mov r15,QWORD PTR [rsp+0x40]
   0x00000000005ed7be: add rsp,0x48
   0x00000000005ed7c2: ret
   0x00000000005ed7c3: nop DWORD PTR [rax+rax*1+0x0]
=> 0x00000000005ed7c8: cmp BYTE PTR [rsi+0x2],0x6e
   0x00000000005ed7cc: mov eax,0x1
   0x00000000005ed7d1: jne 0x5ed765 <pdf_objcmp+997>
   0x00000000005ed7d3: nop
   0x00000000005ed7d4: lea rsp,[rsp-0x98]
Stack Head (21 entries):
   pdf_objcmp                @ 0x00000000005ed7c8: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_name_eq               @ 0x000000000061c398: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_name_eq               @ 0x000000000061c398: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_stream_has_crypt      @ 0x000000000061c398: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_open_raw_filter       @ 0x000000000061c398: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_open_filter           @ 0x000000000061f0ed: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_open_image_stream     @ 0x000000000061f7a6: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_open_contents_stream  @ 0x000000000062374a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_process_contents      @ 0x0000000000d5c55f: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_run_xobject           @ 0x0000000000d859fd: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_process_Do            @ 0x0000000000d51496: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_process_keyword       @ 0x0000000000d54d49: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_process_stream        @ 0x0000000000d5a034: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_process_contents      @ 0x0000000000d5c57a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_run_page_contents_wit @ 0x0000000000619c83: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_run_page_contents     @ 0x000000000061a8e3: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Registers:
rax=0x0000000000000170 rbx=0x000000000165b010 rcx=0x000000000000000a rdx=0x0000000000000051 
rsi=0x0000000000000170 rdi=0x000000000165b010 rbp=0x000000000167e9d0 rsp=0x00007fffffffc1f0 
 r8=0x00000000000008f0  r9=0x000000000000000b r10=0x0000000000000021 r11=0x000000000165b010 
r12=0x000000000167a6b0 r13=0x000000000166a4c0 r14=0x0000000000000000 r15=0x0000000000000005 
rip=0x00000000005ed7c8 efl=0x0000000000010297  cs=0x0000000000000033  ss=0x000000000000002b 
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000 
Extra Data:
   Description: Access violation near NULL on destination operand
   Short description: DestAvNearNull (15/22)
   Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.

4. getxref issue, same as the issues before. Classified as probably not exploitable.

crash analysis from a non-minimized testcase:

Faulting Frame:
   pdf_get_xref_entry @ 0x0000000000663d37: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Disassembly:
   0x0000000000663d1a: mov rax,QWORD PTR [rsp+0x10]
   0x0000000000663d1f: mov rcx,QWORD PTR [rsp+0x8]
   0x0000000000663d24: mov rdx,QWORD PTR [rsp]
   0x0000000000663d28: lea rsp,[rsp+0x98]
   0x0000000000663d30: mov rax,QWORD PTR [rbp+0xa0]
=> 0x0000000000663d37: mov rdx,QWORD PTR [rax+0x8]
   0x0000000000663d3b: test rdx,rdx
   0x0000000000663d3e: je 0x663e88 <pdf_get_xref_entry+1464>
   0x0000000000663d44: lea rsp,[rsp-0x98]
   0x0000000000663d4c: mov QWORD PTR [rsp],rdx
Stack Head (11 entries):
   pdf_get_xref_entry        @ 0x0000000000663d37: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_cache_object          @ 0x000000000067d962: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_resolve_indirect      @ 0x0000000000684fe6: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_objcmp_resolve        @ 0x00000000005eec2a: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_name_eq               @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_name_eq               @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_repair_obj            @ 0x0000000000d9b2f2: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_repair_xref           @ 0x0000000000d9e8f7: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_init_document         @ 0x0000000000681946: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   pdf_open_document         @ 0x0000000000682cbb: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
   main                      @ 0x00000000004135a9: in /home/marco/Development/Fuzzing/mupdf-1.7a-source/build/release/mudraw
Registers:
rax=0x0000000000000000 rbx=0x0000000000000011 rcx=0x000000000166a5e8 rdx=0x0000000000000011 
rsi=0x000000000166a4c0 rdi=0x000000000165b010 rbp=0x000000000166a4c0 rsp=0x00007fffffffd160 
 r8=0x00000000000005b0  r9=0x0000000000000000 r10=0x0000000000000000 r11=0x000000000167a744 
r12=0x0000000000000006 r13=0x000000000165b070 r14=0x000000000165b010 r15=0x00007fffffffd490 
rip=0x0000000000663d37 efl=0x0000000000010287  cs=0x0000000000000033  ss=0x000000000000002b 
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000 
Extra Data:
   Description: Access violation near NULL on source operand
   Short description: SourceAvNearNull (16/22)
   Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.



If you need the non-minimized testcases or additional information, please let me know.

Thanks

Marco
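As an added example (not part of this bug report, and not code from exploitable.py or MuPDF): a small triage helper that parses reports in the ---CRASH SUMMARY--- layout quoted above and groups them by classification plus the first application frames, skipping the libc frames marked (BL), so that repeated hits of one root cause (such as the two pdf_get_xref_entry reports above) collapse into a single bucket. The three sample reports are constructed in that layout, abridged to the fields the parser uses.

```python
import re
from collections import defaultdict

# Constructed reports in the exploitable.py layout quoted above, abridged to
# the fields the parser uses (not real crash output from the bug).
SAMPLE = """\
---CRASH SUMMARY---
Filename: crashes/id:000091,sig:11
Classification: PROBABLY_NOT_EXPLOITABLE
Stack Head (2 entries):
   pdf_get_xref_entry        @ 0x0000000000663d37: in mudraw
   pdf_cache_object          @ 0x000000000067d962: in mudraw
---END SUMMARY---
---CRASH SUMMARY---
Filename: crashes/id:000117,sig:11
Classification: PROBABLY_NOT_EXPLOITABLE
Stack Head (2 entries):
   pdf_get_xref_entry        @ 0x0000000000663d37: in mudraw
   pdf_cache_object          @ 0x000000000067d962: in mudraw
---END SUMMARY---
---CRASH SUMMARY---
Filename: crashes/id:000002,sig:6
Classification: EXPLOITABLE
Stack Head (2 entries):
   __GI_raise                @ 0x00007ffff7745cc9: in libc-2.19.so (BL)
   fz_free                   @ 0x0000000000507b95: in mudraw
---END SUMMARY---
"""

FRAME_RE = re.compile(r"^\s+(\S+)\s+@ 0x[0-9a-f]+: in \S+( \(BL\))?$")

def parse_reports(text):
    """One dict per ---CRASH SUMMARY--- block: top-level fields plus frames."""
    for block in text.split("---CRASH SUMMARY---")[1:]:
        rep = {"frames": []}
        for line in block.split("---END SUMMARY---")[0].splitlines():
            m = FRAME_RE.match(line)
            if m:  # (function, is_blacklisted): (BL) marks libc/system frames
                rep["frames"].append((m.group(1), m.group(2) is not None))
            elif ":" in line:
                key, _, val = line.partition(":")
                rep[key.strip()] = val.strip()
        yield rep

def bucket_key(rep, depth=3):
    """Classification plus the first app frames (libc frames skipped), so one
    root cause reached from different inputs lands in one bucket."""
    app = [f for f, bl in rep["frames"] if not bl][:depth]
    return (rep["Classification"], *app)

def triage(text):
    buckets = defaultdict(list)
    for rep in parse_reports(text):
        buckets[bucket_key(rep)].append(rep["Filename"])
    return dict(buckets)
```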
Comment 1 Sebastian Rasmussen 2015-07-25 03:29:52 UTC
I believe that the commit below fixes the problem illustrated by mupdf_doublefree.pdf from issues.zip.

http://git.ghostscript.com/?p=user/sebras/mupdf.git;a=commit;h=8832b9a6a0444a0c3df2e5b3ce4cb00807dabd1a

Marco Grassi, do you mind explaining how you ran afl-fuzz to find these?
Comment 3 Robin Watts 2015-10-02 11:09:57 UTC
Many thanks for these.

Testing with the latest release version on Windows shows no crashes. Testing with valgrind on 64bit Ubuntu shows no leaks or illegal accesses.

I can only think that we've fixed the issues.

If you do not believe this to be the case, please let us know!

Thanks again.
Comment 7 Ken Sharp 2021-10-30 08:09:07 UTC
User disabled due to spam, spam comment marked private to make it invisible