| Field | Value |
|---|---|
| Summary | heap-buffer-overflow in gs_alloc_ref_array (ialloc.c) |
| Product | Ghostscript |
| Reporter | Kim Gwan Yeong <gy741.kim> |
| Component | Fuzzing |
| Assignee | Chris Liddell (chrisl) <chris.liddell> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | P4 |
| Version | unspecified |
| Hardware | PC |
| OS | Linux |
| Customer | |
| Word Size | --- |
| Attachments | PoC |
Description
Kim Gwan Yeong
2017-06-06 18:57:34 UTC
alloc_obj (and i_alloc_struct_array) uses a ulong to hold the number of bytes of memory to allocate, but in this case we break a 32-bit value. Either we need to limit the calls to alloc_obj so that only sizes < 2^32 are passed, or we need to have alloc_obj use a uint64_t.

I get a VMerror and no asan problems on 64 bit linux.

(In reply to Chris Liddell (chrisl) from comment #2)
> I get a VMerror and no asan problems on 64 bit linux.

Hi. I tested it on Ubuntu 32bit. Would you like to try it in a 32 bit OS? I re-confirmed the ASan error log 10 minutes ago. Thanks.

--

```
karas@karas-VirtualBox:~/gwanyeong/ghostpdl$ bin/gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_alloc_ref_array -c qui
GPL Ghostscript GIT PRERELEASE 9.22 (2017-03-16)
Copyright (C) 2017 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
=================================================================
==14759==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb03fef1c at pc 0x08e446b7 bp 0xbfc46998 sp 0xbfc46988
WRITE of size 2 at 0xb03fef1c thread T0
    #0 0x8e446b6 in gs_alloc_ref_array psi/ialloc.c:261
    #1 0x8cfe8ce in scan_bos psi/iscanbin.c:246
    #2 0x8cfe8ce in scan_binary_token psi/iscanbin.c:170
    #3 0x8d97937 in gs_scan_token psi/iscan.c:957
    #4 0x8d83329 in interp psi/interp.c:1364
    #5 0x8d8902e in gs_call_interp psi/interp.c:517
    #6 0x8d8902e in gs_interpret psi/interp.c:474
    #7 0x8d61094 in gs_main_interpret psi/imain.c:235
    #8 0x8d61094 in gs_main_run_string_end psi/imain.c:651
    #9 0x8d61094 in gs_main_run_string_with_length psi/imain.c:609
    #10 0x8d61134 in gs_main_run_string psi/imain.c:591
    #11 0x8d66660 in run_string psi/imainarg.c:983
    #12 0x8d66afb in runarg psi/imainarg.c:973
    #13 0x8d66d06 in argproc psi/imainarg.c:906
    #14 0x8d6a6d6 in gs_main_init_with_args psi/imainarg.c:238
    #15 0x80b43f0 in main psi/gs.c:96
    #16 0xb6fb9636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #17 0x80bad7f (/home/karas/gwanyeong/ghostpdl/bin/gs+0x80bad7f)

0xb03fef1c is located 0 bytes to the right of 182904604-byte region [0xa5590800,0xb03fef1c)
allocated by thread T0 here:
    #0 0xb7264dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x89ee4b6 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x899190f in alloc_acquire_clump base/gsalloc.c:2434
    #3 0x899376a in alloc_obj base/gsalloc.c:1896
    #4 0x8e44092 in gs_alloc_ref_array psi/ialloc.c:226
    #5 0x8cfe8ce in scan_bos psi/iscanbin.c:246
    #6 0x8cfe8ce in scan_binary_token psi/iscanbin.c:170
    #7 0x8d97937 in gs_scan_token psi/iscan.c:957
    #8 0x8d83329 in interp psi/interp.c:1364
    #9 0x8d8902e in gs_call_interp psi/interp.c:517
    #10 0x8d8902e in gs_interpret psi/interp.c:474
    #11 0x8d61094 in gs_main_interpret psi/imain.c:235
    #12 0x8d61094 in gs_main_run_string_end psi/imain.c:651
    #13 0x8d61094 in gs_main_run_string_with_length psi/imain.c:609
    #14 0x8d61134 in gs_main_run_string psi/imain.c:591
    #15 0x8d66660 in run_string psi/imainarg.c:983
    #16 0x8d66afb in runarg psi/imainarg.c:973
    #17 0x8d66d06 in argproc psi/imainarg.c:906
    #18 0x8d6a6d6 in gs_main_init_with_args psi/imainarg.c:238
    #19 0x80b43f0 in main psi/gs.c:96
    #20 0xb6fb9636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow psi/ialloc.c:261 gs_alloc_ref_array
Shadow bytes around the buggy address:
  0x3607fd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3607fde0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14759==ABORTING
```

(In reply to Chris Liddell (chrisl) from comment #4)
> Fixed in:
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cfde94be1

Hi. If it has been patched, can you unlock the posts? I do not seem to have the right to unlock it. When anonymous users access it, the following error is displayed. "You are not authorized to access bug #697985. To see this bug, you must first log in to an account with the appropriate permissions" Thanks.

Use CVE-2017-9835.
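The size truncation the thread describes, shown as an added example that is not part of the bug report or of Ghostscript's code: a hypothetical 32-bit `alloc_size_t` stands in for the allocator's `ulong` on a 32-bit build, `truncating_bytes` shows what the unchecked multiply does, and `checked_array_bytes` is the guard the first proposed option (only pass sizes below 2^32 to the allocator) calls for. Function names, the element size and the counts are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * Constructed example: alloc_size_t stands in for the allocator's
 * "unsigned long" byte count, pinned to 32 bits so the behaviour is the
 * same whether this file is built on a 32-bit or a 64-bit host.
 */
typedef uint32_t alloc_size_t;

/* Unchecked path: the product is formed in 64 bits and then silently
 * narrowed to the allocator's 32-bit size type. Shown only to make the
 * truncation visible; never use this for a real allocation. */
alloc_size_t truncating_bytes(uint64_t count, uint64_t elem_size)
{
    return (alloc_size_t)(count * elem_size);
}

/* Checked path: compute count*elem_size without overflow and refuse any
 * result that does not fit alloc_size_t. Returns 0 and stores the byte
 * count in *out on success, -1 on overflow (*out is left untouched). */
int checked_array_bytes(uint64_t count, uint64_t elem_size, alloc_size_t *out)
{
    if (elem_size == 0)
        return -1;
    /* Dividing first keeps the comparison itself free of overflow. */
    if (count > (uint64_t)UINT32_MAX / elem_size)
        return -1;
    *out = (alloc_size_t)(count * elem_size);
    return 0;
}

/* Convenience predicate: 1 if count elements of elem_size bytes can be
 * expressed as an alloc_size_t, 0 otherwise. */
int fits_alloc_size(uint64_t count, uint64_t elem_size)
{
    alloc_size_t unused;
    return checked_array_bytes(count, elem_size, &unused) == 0;
}

/* Allocate an array of count elements, or return NULL when the byte count
 * cannot be represented; the caller turns NULL into its out-of-memory
 * error path instead of writing into a too-small block. */
void *alloc_array_checked(uint64_t count, uint64_t elem_size)
{
    alloc_size_t bytes;
    if (checked_array_bytes(count, elem_size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

/* Allocate through the checked path and release the block again;
 * returns 1 if the allocation succeeded, 0 if it was refused. */
int alloc_array_roundtrip(uint64_t count, uint64_t elem_size)
{
    void *p = alloc_array_checked(count, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* Number of elements the caller believes it owns but the truncated
 * allocation does not actually hold: the size of the out-of-bounds
 * write that a sanitizer would report on the unchecked path. */
uint64_t elements_short(uint64_t count, uint64_t elem_size)
{
    uint64_t fits = truncating_bytes(count, elem_size) / elem_size;
    return fits < count ? count - fits : 0;
}

int main(void)
{
    /* Constructed inputs: 2^28 elements of 16 bytes is exactly 2^32 bytes,
     * which a 32-bit size type cannot hold. */
    uint64_t count = 268435456ULL, elem = 16;
    printf("truncated byte count: %u\n", truncating_bytes(count, elem));
    printf("elements missing:     %llu\n", (unsigned long long)elements_short(count, elem));
    printf("checked path accepts: %d\n", fits_alloc_size(count, elem));
    printf("small request accepts: %d\n", alloc_array_roundtrip(1000, elem));
    return 0;
}
```

The divide-before-compare form is deliberate: computing `count * elem_size` in a wider type and then comparing against the limit is only safe if the wider type cannot itself overflow, whereas `count > UINT32_MAX / elem_size` holds for any 64-bit inputs. On a 64-bit build the same request would be accepted by a 64-bit `ulong`, which is consistent with the thread's observation that the sanitizer stays quiet there and the request fails later as an out-of-memory condition instead.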