Bug 698025

Summary: heap-buffer-overflow in xps_load_sfnt_name(xps/xpsfont.c)
Product: GhostXPS Reporter: Kim Gwan Yeong <gy741.kim>
Component: GeneralAssignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P4    
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: PoC

Description Kim Gwan Yeong 2017-06-12 04:33:26 UTC 
Created attachment 13774 [details]
PoC

POC to trigger heap buffer overflow (gxps)

I found a crashing test case.

Please confirm.

Version 9.22 and Git Head: f6507e828ddfe1f60645bc925bff9bedfdb306ce

OS: Ubuntu 16.04.2 x86_64

Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE


---------------
GDB out:
---------------
[────────────REGISTERS─────────────────]
*RAX  0x1629000
*RBX  0x15a19b0 -> 0xf3de80 (c_read_procs) -> 0x8b0dcc (c_param_read_typed) <- push   rbp
*RCX  0x656d616e
 RDX  0x0
*RDI  0x1629000
*RSI  0xfa0893 <- add    byte ptr [rbx + 0x61], ah
*R8   0x4fcfffff0ff8000
*R9   0x15e5b08 <- 0x6e656d75636f442f ('/Documen')
*R10  0xffff00000000
*R11  0x7ffff7478390 <- scasd  eax, dword ptr [rdi]
*R12  0x460ea0 (_start) <- xor    ebp, ebp
*R13  0x7fffffffdd30 <- 0x5
 R14  0x0
 R15  0x0
*RBP  0x7fffffffc260 -> 0x7fffffffc300 -> 0x7fffffffc330 -> 0x7fffffffc370 <- ...
*RSP  0x7fffffffc260 -> 0x7fffffffc300 -> 0x7fffffffc330 -> 0x7fffffffc370 <- ...
*RIP  0xa6e8a3 (u16+12) <- movzx  eax, byte ptr [rax]
[───────────DISASM─────────────────]
 ► 0xa6e8a3 <u16+12>    movzx  eax, byte ptr [rax]
   0xa6e8a6 <u16+15>    movzx  eax, al
   0xa6e8a9 <u16+18>    shl    eax, 8
   0xa6e8ac <u16+21>    mov    edx, eax
   0xa6e8ae <u16+23>    mov    rax, qword ptr [rbp - 8]
   0xa6e8b2 <u16+27>    add    rax, 1
   0xa6e8b6 <u16+31>    movzx  eax, byte ptr [rax]
   0xa6e8b9 <u16+34>    movzx  eax, al
   0xa6e8bc <u16+37>    or     eax, edx
   0xa6e8be <u16+39>    pop    rbp
   0xa6e8bf <u16+40>    ret    
[─────────────SOURCE─────────────────]
29	    return (signed short)( (p[0] << 8) | p[1] );
30	}
31	
32	static inline int u16(byte *p)
33	{
34	    return (p[0] << 8) | p[1];  <-- vulnerability
35	}
36	
37	static inline int u24(byte *p)
38	{
[─────────────────STACK─────────────]
00:0000│ rbp rsp  0x7fffffffc260 -> 0x7fffffffc300 -> 0x7fffffffc330 -> 0x7fffffffc370 <- ...
01:0008│          0x7fffffffc268 -> 0xa6ef65 (xps_load_sfnt_name+395) <- mov    dword ptr [rbp - 0x4c], eax
02:0010│          0x7fffffffc270 -> 0x15e5d24 <- 0x6e776f6e6b6e55 /* 'Unknown' */
03:0018│          0x7fffffffc278 -> 0x15e5b68 -> 0x15ec540 <- 0x80000d0000000100
04:0020│          0x7fffffffc280 -> 0x15a1898 -> 0x15ee928 -> 0x15e5e80 <- ...
05:0028│          0x7fffffffc288 -> 0x15ee938 -> 0x15e5e80 <- 0x0
06:0030│          0x7fffffffc290 <- 0x4ff100000000
07:0038│          0x7fffffffc298 -> 0x15a17a0 <- 0x15a17a0
[───────────────BACKTRACE─────────────]
 ► f 0           a6e8a3 u16+12
   f 1           a6ef65 xps_load_sfnt_name+395
   f 2           a70e02 xps_init_truetype_font+723
   f 3           a6ea82 xps_new_font+371
   f 4           a6df27 xps_parse_glyphs+1725
   f 5           a5ec25 xps_parse_element+135
   f 6           a5dd19 xps_parse_fixed_page+2524
   f 7           a5a81e xps_read_and_process_page_part+120
   f 8           a5b167 xps_process_file+2268
   f 9           461528 xps_imp_process_file+59
   f 10           a4603c pl_process_file+40
-----------------------------------------------------------
#0  0x0000000000a6e8a3 in u16 (p=0x1629000 <error: Cannot access memory at address 0x1629000>) at ./xps/xpsfont.c:34
#1  0x0000000000a6ef65 in xps_load_sfnt_name (font=0x15e5b68, namep=0x15e5d24 "Unknown") at ./xps/xpsfont.c:203
#2  0x0000000000a70e02 in xps_init_truetype_font (ctx=0x15a80f8, font=0x15e5b68) at ./xps/xpsttf.c:384
#3  0x0000000000a6ea82 in xps_new_font (ctx=0x15a80f8, buf=0x15ec540 "", buflen=9188, index=0) at ./xps/xpsfont.c:79
#4  0x0000000000a6df27 in xps_parse_glyphs (ctx=0x15a80f8, base_uri=0x7fffffffcaa0 "/Documents/1/Pa"..., dict=0x0, root=0x15e44d0) at ./xps/xpsglyphs.c:711
#5  0x0000000000a5ec25 in xps_parse_element (ctx=0x15a80f8, base_uri=0x7fffffffcaa0 "/Documents/1/Pa"..., dict=0x0, node=0x15e44d0) at ./xps/xpscommon.c:68
#6  0x0000000000a5dd19 in xps_parse_fixed_page (ctx=0x15a80f8, part=0x15e41b8) at ./xps/xpspage.c:279
#7  0x0000000000a5a81e in xps_read_and_process_page_part (ctx=0x15a80f8, name=0x15e40f8 "/Documents/1/Pa"...) at ./xps/xpszip.c:539
#8  0x0000000000a5b167 in xps_process_file (ctx=0x15a80f8, filename=0x15a1a20 "/home/karas/gwa"...) at ./xps/xpszip.c:688
#9  0x0000000000461528 in xps_imp_process_file (impl=0x15a7030, filename=0x15a1a20 "/home/karas/gwa"...) at ./xps/xpstop.c:228
#10 0x0000000000a4603c in pl_process_file (impl=0x15a7030, filename=0x15a1a20 "/home/karas/gwa"...) at ./pcl/pl/pltop.c:70
#11 0x0000000000aee33b in pl_main_run_file (minst=0x15a1930, filename=0x15a1a20 "/home/karas/gwa"...) at ./pcl/pl/plmain.c:377
#12 0x0000000000af0c66 in pl_main_process_options (pmi=0x15a1930, pal=0x15a19e8, pjl_instance=0x15a4bb8) at ./pcl/pl/plmain.c:1313
#13 0x0000000000aede21 in pl_main_init_with_args (inst=0x15a1930, argc=5, argv=0x7fffffffdd38) at ./pcl/pl/plmain.c:262
#14 0x0000000000a46571 in plapi_init_with_args (lib=0x15a11d0, argc=5, argv=0x7fffffffdd38) at ./pcl/pl/plapi.c:58
#15 0x0000000000aedac6 in main (argc=5, argv=0x7fffffffdd38) at ./pcl/pl/realmain.c:34
#16 0x00007ffff7304830 in __libc_start_main (main=0xaeda69 <main>, argc=5, argv=0x7fffffffdd38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd28) at ../csu/libc-start.c:291
#17 0x0000000000460ec9 in _start ()
---------------
ASan out:
---------------
==2462==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000060830 at pc 0x00000136b84f bp 0x7fff5ad59220 sp 0x7fff5ad59210
READ of size 1 at 0x631000060830 thread T0
    #0 0x136b84e in u16 xps/xpsfont.c:34
    #1 0x136c6c7 in xps_load_sfnt_name xps/xpsfont.c:205
    #2 0x137075f in xps_init_truetype_font xps/xpsttf.c:384
    #3 0x136bde5 in xps_new_font xps/xpsfont.c:79
    #4 0x136a949 in xps_parse_glyphs xps/xpsglyphs.c:711
    #5 0x134c41a in xps_parse_element xps/xpscommon.c:68
    #6 0x134aa98 in xps_parse_fixed_page xps/xpspage.c:279
    #7 0x1344729 in xps_read_and_process_page_part xps/xpszip.c:539
    #8 0x1345657 in xps_process_file xps/xpszip.c:688
    #9 0x462a2c in xps_imp_process_file xps/xpstop.c:228
    #10 0x1316a58 in pl_process_file pcl/pl/pltop.c:70
    #11 0x14a9f75 in pl_main_run_file pcl/pl/plmain.c:377
    #12 0x14aee24 in pl_main_process_options pcl/pl/plmain.c:1313
    #13 0x14a96c6 in pl_main_init_with_args pcl/pl/plmain.c:262
    #14 0x1317848 in plapi_init_with_args pcl/pl/plapi.c:58
    #15 0x14a8fd1 in main pcl/pl/realmain.c:34
    #16 0x7f44765ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x461a48 in _start (/home/karas/gwanyeong/ghostpdl/debugbin/gxps+0x461a48)

0x631000060830 is located 0 bytes to the right of 65584-byte region [0x631000050800,0x631000060830)
allocated by thread T0 here:
    #0 0x7f4477116602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xf63c86 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0xa15c7c in chunk_obj_alloc base/gsmchunk.c:909
    #3 0xa161d1 in chunk_alloc_struct base/gsmchunk.c:991
    #4 0xf07082 in c_param_add base/gscparam.c:235
    #5 0xf07465 in c_param_write base/gscparam.c:272
    #6 0xf07ec0 in c_param_write_typed base/gscparam.c:397
    #7 0xf7a306 in gs_param_write_items base/gsparam.c:153
    #8 0xbb678e in gdev_pdf_get_params devices/vector/gdevpdfp.c:272
    #9 0xf22d09 in gs_get_device_or_hw_params base/gsdparam.c:64
    #10 0x4625f7 in xps_imp_set_device xps/xpstop.c:174
    #11 0x13169c5 in pl_set_device pcl/pl/pltop.c:51
    #12 0x14aadb7 in pl_main_universe_select pcl/pl/plmain.c:593
    #13 0x14a9cf2 in pl_main_run_file pcl/pl/plmain.c:341
    #14 0x14aee24 in pl_main_process_options pcl/pl/plmain.c:1313
    #15 0x14a96c6 in pl_main_init_with_args pcl/pl/plmain.c:262
    #16 0x1317848 in plapi_init_with_args pcl/pl/plapi.c:58
    #17 0x14a8fd1 in main pcl/pl/realmain.c:34
    #18 0x7f44765ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow xps/xpsfont.c:34 u16
Shadow bytes around the buggy address:
  0x0c62800040b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800040c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800040d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800040e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800040f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c6280004100: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c6280004110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280004120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280004130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280004140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280004150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2462==ABORTING
Comment 1 Chris Liddell (chrisl) 2017-06-13 07:52:30 UTC 
Fixed:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d2ab8473
Comment 2 Kim Gwan Yeong 2017-06-15 16:48:23 UTC 
This was assigned  CVE-2017-9610.