Bug 697985

Summary: heap-buffer-overflow in gs_alloc_ref_array(ialloc.c)
Product: Ghostscript Reporter: Kim Gwan Yeong <gy741.kim>
Component: FuzzingAssignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED QA Contact: gs-security
Severity: normal    
Priority: P4    
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: PoC

Description Kim Gwan Yeong 2017-06-06 18:57:34 UTC
Created attachment 13745 [details]
PoC

POC to trigger heap buffer overflow (gs)

I found a crashing test case.

Please confirm.

Version 9.22 and Git Head: 0af88bdacdd8962244ac0a538c78b56bd5cc9376

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER $FILE -c qui

ASAN:
==25450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb01fef1c at pc 0x0a444993 bp 0xbf806c58 sp 0xbf806c48
WRITE of size 2 at 0xb01fef1c thread T0
    #0 0xa444992 in gs_alloc_ref_array psi/ialloc.c:261
    #1 0xa11b9c2 in scan_bos psi/iscanbin.c:246
    #2 0xa11b9c2 in scan_binary_token psi/iscanbin.c:170
    #3 0xa288b79 in gs_scan_token psi/iscan.c:957
    #4 0xa256a66 in interp psi/interp.c:1364
    #5 0xa263659 in gs_call_interp psi/interp.c:517
    #6 0xa263659 in gs_interpret psi/interp.c:474
    #7 0xa20a738 in gs_main_interpret psi/imain.c:235
    #8 0xa20a738 in gs_main_run_string_end psi/imain.c:651
    #9 0xa20a738 in gs_main_run_string_with_length psi/imain.c:609
    #10 0xa20a738 in gs_main_run_string psi/imain.c:591
    #11 0xa216404 in run_string psi/imainarg.c:983
    #12 0xa216404 in runarg psi/imainarg.c:973
    #13 0xa21e229 in argproc psi/imainarg.c:906
    #14 0xa21e229 in gs_main_init_with_args psi/imainarg.c:238
    #15 0x80d4f20 in main psi/gs.c:96
    #16 0xb6f81636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #17 0x80e632b  (/home/karas/asan_debug/ghostpdl/bin/gs+0x80e632b)

0xb01fef1c is located 0 bytes to the right of 182904604-byte region [0xa5390800,0xb01fef1c)
allocated by thread T0 here:
    #0 0xb722cdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x990f4fd in gs_heap_alloc_bytes base/gsmalloc.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow psi/ialloc.c:261 gs_alloc_ref_array
Shadow bytes around the buggy address:
  0x3603fd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3603fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3603fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3603fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3603fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3603fde0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fe10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fe20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25450==ABORTING

Thanks.
Comment 1 Ken Sharp 2017-06-07 02:18:07 UTC
alloc_obj (and i_alloc_struct_array) uses a ulong to hold the number of bytes of memory to allocate, but in this case we break a 32-bit value.

Either we need to limit the calls to alloc_obj so that only sizes < 2^32 are passed, or we need to have alloc_obj uses a uint64_t
Comment 2 Chris Liddell (chrisl) 2017-06-07 02:36:29 UTC
I get a VMerror and no asan problems on 64 bit linux.
Comment 3 Kim Gwan Yeong 2017-06-07 04:38:46 UTC
(In reply to Chris Liddell (chrisl) from comment #2)
> I get a VMerror and no asan problems on 64 bit linux.

Hi.

I tested it on Ubuntu 32bit.

Would you like to try it in a 32 bit os?

I re-confirmed the Asan error log 10 minutes ago.

Thanks.

--
karas@karas-VirtualBox:~/gwanyeong/ghostpdl$ bin/gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_alloc_ref_array -c qui
GPL Ghostscript GIT PRERELEASE 9.22 (2017-03-16)
Copyright (C) 2017 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
=================================================================
==14759==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb03fef1c at pc 0x08e446b7 bp 0xbfc46998 sp 0xbfc46988
WRITE of size 2 at 0xb03fef1c thread T0
    #0 0x8e446b6 in gs_alloc_ref_array psi/ialloc.c:261
    #1 0x8cfe8ce in scan_bos psi/iscanbin.c:246
    #2 0x8cfe8ce in scan_binary_token psi/iscanbin.c:170
    #3 0x8d97937 in gs_scan_token psi/iscan.c:957
    #4 0x8d83329 in interp psi/interp.c:1364
    #5 0x8d8902e in gs_call_interp psi/interp.c:517
    #6 0x8d8902e in gs_interpret psi/interp.c:474
    #7 0x8d61094 in gs_main_interpret psi/imain.c:235
    #8 0x8d61094 in gs_main_run_string_end psi/imain.c:651
    #9 0x8d61094 in gs_main_run_string_with_length psi/imain.c:609
    #10 0x8d61134 in gs_main_run_string psi/imain.c:591
    #11 0x8d66660 in run_string psi/imainarg.c:983
    #12 0x8d66afb in runarg psi/imainarg.c:973
    #13 0x8d66d06 in argproc psi/imainarg.c:906
    #14 0x8d6a6d6 in gs_main_init_with_args psi/imainarg.c:238
    #15 0x80b43f0 in main psi/gs.c:96
    #16 0xb6fb9636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #17 0x80bad7f  (/home/karas/gwanyeong/ghostpdl/bin/gs+0x80bad7f)

0xb03fef1c is located 0 bytes to the right of 182904604-byte region [0xa5590800,0xb03fef1c)
allocated by thread T0 here:
    #0 0xb7264dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x89ee4b6 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x899190f in alloc_acquire_clump base/gsalloc.c:2434
    #3 0x899376a in alloc_obj base/gsalloc.c:1896
    #4 0x8e44092 in gs_alloc_ref_array psi/ialloc.c:226
    #5 0x8cfe8ce in scan_bos psi/iscanbin.c:246
    #6 0x8cfe8ce in scan_binary_token psi/iscanbin.c:170
    #7 0x8d97937 in gs_scan_token psi/iscan.c:957
    #8 0x8d83329 in interp psi/interp.c:1364
    #9 0x8d8902e in gs_call_interp psi/interp.c:517
    #10 0x8d8902e in gs_interpret psi/interp.c:474
    #11 0x8d61094 in gs_main_interpret psi/imain.c:235
    #12 0x8d61094 in gs_main_run_string_end psi/imain.c:651
    #13 0x8d61094 in gs_main_run_string_with_length psi/imain.c:609
    #14 0x8d61134 in gs_main_run_string psi/imain.c:591
    #15 0x8d66660 in run_string psi/imainarg.c:983
    #16 0x8d66afb in runarg psi/imainarg.c:973
    #17 0x8d66d06 in argproc psi/imainarg.c:906
    #18 0x8d6a6d6 in gs_main_init_with_args psi/imainarg.c:238
    #19 0x80b43f0 in main psi/gs.c:96
    #20 0xb6fb9636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow psi/ialloc.c:261 gs_alloc_ref_array
Shadow bytes around the buggy address:
  0x3607fd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3607fde0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14759==ABORTING
Comment 4 Chris Liddell (chrisl) 2017-06-08 08:27:04 UTC
Fixed in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cfde94be1
Comment 5 Kim Gwan Yeong 2017-06-08 15:51:28 UTC
(In reply to Chris Liddell (chrisl) from comment #4)
> Fixed in:
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cfde94be1

Hi.

If you have been patched, can you unlock the posts?

I do not seem to have the right to unlock it.

When anonymous users access, the following error is displayed.

"You are not authorized to access bug #697985. To see this bug, you must first log in to an account with the appropriate permissions"

Thanks.
Comment 6 Kim Gwan Yeong 2017-06-24 07:09:03 UTC
Use CVE-2017-9835.