Bug 697548

Summary: Null pointer dereference in ref_stack_index()
Product: Ghostscript Reporter: Kamil Frankowicz <kamil.frankowicz>
Component: FuzzingAssignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED    
Severity: normal CC: chris.liddell, hertzog, ruc.iser
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: POC to trigger null pointer dereference (gs)

Description Kamil Frankowicz 2017-02-03 09:56:33 UTC 
Created attachment 13347 [details]
POC to trigger null pointer dereference (gs)

After some fuzz testing I found a crashing test case.

Git HEAD: 0dbfbb773e40d23de5052fc5641387dad5d79bae

To reproduce: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER null_ptr_ref_stack_index -c quit

ASAN:

==7046==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000018a9438 bp 0x7ffe09812530 sp 0x7ffe098121e0 T0)
==7046==The signal is caused by a READ memory access.
==7046==Hint: address points to the zero page.
    #0 0x18a9437 in mem_get_bits_rectangle XYZ/ghostpdl/./base/gdevmem.c:632:69
    #1 0x1afa1cc in zgetbitsrect XYZ/ghostpdl/./psi/zdevice.c:184:12
    #2 0x19fa3b7 in interp XYZ/ghostpdl/./psi/interp.c:1578:40
    #3 0x19fa3b7 in gs_call_interp XYZ/ghostpdl/./psi/interp.c:511
    #4 0x19fa3b7 in gs_interpret XYZ/ghostpdl/./psi/interp.c:468
    #5 0x19cd1b2 in gs_main_interpret XYZ/ghostpdl/./psi/imain.c:245:12
    #6 0x19cd1b2 in gs_main_run_string_end XYZ/ghostpdl/./psi/imain.c:663
    #7 0x19cd1b2 in gs_main_run_string_with_length XYZ/ghostpdl/./psi/imain.c:621
    #8 0x19d914b in run_string XYZ/ghostpdl/./psi/imainarg.c:977:16
    #9 0x19d914b in runarg XYZ/ghostpdl/./psi/imainarg.c:967
    #10 0x19d85a8 in argproc XYZ/ghostpdl/./psi/imainarg.c:900:16
    #11 0x19d10e3 in gs_main_init_with_args XYZ/ghostpdl/./psi/imainarg.c:238:24
    #12 0x547488 in main XYZ/ghostpdl/./psi/gs.c:96:16
    #13 0x7f0936f4b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x47b888 in _start (/usr/local/bin/gs+0x47b888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./base/gdevmem.c:632:69 in mem_get_bits_rectangle
==7046==ABORTING
Comment 1 Raphaël Hertzog 2017-04-06 07:11:56 UTC 
Anyone looking into this one? I confirm the segfault and it crashes on all versions available in Debian (3.05, 3.06 and 3.20).
Comment 2 Raphaël Hertzog 2017-04-06 07:13:21 UTC 
Bah, I meant 9.05, 9.06 and 9.20 (and not 3.x obviously).
Comment 3 Chris Liddell (chrisl) 2017-04-06 07:26:51 UTC 
I'm confused: the title says "Null pointer dereference in ref_stack_index()", but the asan crash log shows the fault in "mem_get_bits_rectangle"....
Comment 4 Ken Sharp 2017-04-06 07:37:24 UTC 
(In reply to Chris Liddell (chrisl) from comment #3)
> I'm confused: the title says "Null pointer dereference in
> ref_stack_index()", but the asan crash log shows the fault in
> "mem_get_bits_rectangle"....

For me, its a GPF in ref_stack_index(), the call stack is utterly different from the stack given in comment #0
Comment 5 Raphaël Hertzog 2017-04-06 07:53:17 UTC 
Yeah, the initial stack trace looks wrong. Even the reproducer file mentions ref_stack_index. Here is the stack trace that I get:

Program received signal SIGSEGV, Segmentation fault.
ref_stack_index (pstack=0x5555557c027a, idx=1436942025) at ./psi/istack.c:224
224	./psi/istack.c: Aucun fichier ou dossier de ce type.
(gdb) bt
#0  ref_stack_index (pstack=0x5555557c027a, idx=1436942025) at ./psi/istack.c:224
#1  0x00007ffff706db79 in stack_param_enumerate (plist=0x555555db7e70, penum=0x7fffffffc780, 
    key=0x7fffffffc790, type=0x7fffffffc770) at ./psi/iparam.c:400
#2  0x00007ffff706ed50 in ref_param_read_typed (plist=0x7fffffffd1d0, pkey=<optimized out>, 
    pvalue=0x7fffffffc810) at ./psi/iparam.c:775
#3  0x00007ffff6fca9e3 in param_read_requested_typed (plist=plist@entry=0x7fffffffd1d0, 
    pkey=pkey@entry=0x7ffff71401f5 "Margins", pvalue=pvalue@entry=0x7fffffffc810)
    at ./base/gsparam.c:264
#4  0x00007ffff6fcade8 in param_read_float_array (plist=plist@entry=0x7fffffffd1d0, 
    pkey=pkey@entry=0x7ffff71401f5 "Margins", pvalue=pvalue@entry=0x7fffffffc920)
    at ./base/gsparam.c:333
#5  0x00007ffff6fb792a in gx_default_put_params (dev=dev@entry=0x5555558076d8, 
    plist=plist@entry=0x7fffffffd1d0) at ./base/gsdparam.c:1500
#6  0x00007ffff6e45f87 in gdev_prn_put_params (pdev=pdev@entry=0x5555558076d8, 
    plist=plist@entry=0x7fffffffd1d0) at ./base/gdevprn.c:897
#7  0x00007ffff6e857ac in bit_put_params (pdev=0x5555558076d8, plist=0x7fffffffd1d0)
    at ./devices/gdevbit.c:686
#8  0x00007ffff6fbb190 in gs_putdeviceparams (dev=dev@entry=0x5555558076d8, 
    plist=plist@entry=0x7fffffffd1d0) at ./base/gsdparam.c:965
#9  0x00007ffff7099219 in zputdeviceparams (i_ctx_p=0x5555557c3c20) at ./psi/zdevice.c:421
#10 0x00007ffff706c2d2 in interp (pi_ctx_p=pi_ctx_p@entry=0x555555774680, pref=<optimized out>, 
    perror_object=perror_object@entry=0x7fffffffdb70) at ./psi/interp.c:1574
#11 0x00007ffff706cd45 in gs_call_interp (perror_object=0x7fffffffdb70, pexit_code=0x7fffffffdb6c, 
    user_errors=1, pref=0x7fffffffda00, pi_ctx_p=0x555555774680) at ./psi/interp.c:511
#12 gs_interpret (pi_ctx_p=0x555555774680, pref=pref@entry=0x7fffffffdb30, user_errors=1, 
    pexit_code=0x7fffffffdb6c, perror_object=<optimized out>) at ./psi/interp.c:468
#13 0x00007ffff7061215 in gs_main_interpret (perror_object=<optimized out>, pexit_code=<optimized out>, 
    user_errors=<optimized out>, pref=0x7fffffffdb30, minst=<optimized out>) at ./psi/imain.c:245
#14 gs_main_run_string_end (minst=<optimized out>, user_errors=<optimized out>, 
    pexit_code=<optimized out>, perror_object=<optimized out>) at ./psi/imain.c:663
#15 0x00007ffff7062ca9 in run_string (minst=minst@entry=0x5555557745e0, 
    str=str@entry=0x55555586fbc0 "<4356452d323031372d353935315f6e756c6c5f7074725f7265665f737461636b5f696e646578>.runfile", options=options@entry=3) at ./psi/imainarg.c:977
#16 0x00007ffff7062e2a in runarg (minst=0x5555557745e0, pre=0x7ffff713e5c5 "", arg=<optimized out>, 
    post=0x7ffff715bfd4 ".runfile", options=3) at ./psi/imainarg.c:967
#17 0x00007ffff7064518 in gs_main_init_with_args (minst=0x5555557745e0, argc=8, argv=0x7fffffffe768)
    at ./psi/imainarg.c:238
#18 0x0000555555554acb in main (argc=8, argv=0x7fffffffe768) at ./psi/dxmainc.c:86
Comment 6 Chris Liddell (chrisl) 2017-04-06 08:53:32 UTC 
Sorry, the confusion over the title and the stack trace in the description meant I thought it was someone else's area, and they thought it was mine - hence we both ignored it.....

Fixed in:

http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=bfa6b2ec