Created attachment 13745 [details]
PoC

POC to trigger heap buffer overflow (gs)

I found a crashing test case. Please confirm.

Version 9.22 and Git Head: 0af88bdacdd8962244ac0a538c78b56bd5cc9376

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER $FILE -c qui

ASAN:
==25450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb01fef1c at pc 0x0a444993 bp 0xbf806c58 sp 0xbf806c48
WRITE of size 2 at 0xb01fef1c thread T0
    #0 0xa444992 in gs_alloc_ref_array psi/ialloc.c:261
    #1 0xa11b9c2 in scan_bos psi/iscanbin.c:246
    #2 0xa11b9c2 in scan_binary_token psi/iscanbin.c:170
    #3 0xa288b79 in gs_scan_token psi/iscan.c:957
    #4 0xa256a66 in interp psi/interp.c:1364
    #5 0xa263659 in gs_call_interp psi/interp.c:517
    #6 0xa263659 in gs_interpret psi/interp.c:474
    #7 0xa20a738 in gs_main_interpret psi/imain.c:235
    #8 0xa20a738 in gs_main_run_string_end psi/imain.c:651
    #9 0xa20a738 in gs_main_run_string_with_length psi/imain.c:609
    #10 0xa20a738 in gs_main_run_string psi/imain.c:591
    #11 0xa216404 in run_string psi/imainarg.c:983
    #12 0xa216404 in runarg psi/imainarg.c:973
    #13 0xa21e229 in argproc psi/imainarg.c:906
    #14 0xa21e229 in gs_main_init_with_args psi/imainarg.c:238
    #15 0x80d4f20 in main psi/gs.c:96
    #16 0xb6f81636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #17 0x80e632b (/home/karas/asan_debug/ghostpdl/bin/gs+0x80e632b)

0xb01fef1c is located 0 bytes to the right of 182904604-byte region [0xa5390800,0xb01fef1c)
allocated by thread T0 here:
    #0 0xb722cdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x990f4fd in gs_heap_alloc_bytes base/gsmalloc.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow psi/ialloc.c:261 gs_alloc_ref_array
Shadow bytes around the buggy address:
  0x3603fd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3603fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3603fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3603fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3603fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3603fde0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fe10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fe20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3603fe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25450==ABORTING

Thanks.
alloc_obj (and i_alloc_struct_array) uses a ulong to hold the number of bytes of memory to allocate, but in this case we break a 32-bit value. Either we need to limit the calls to alloc_obj so that only sizes < 2^32 are passed, or we need to have alloc_obj use a uint64_t.
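As an added illustration of the size-arithmetic problem described in the comment above (example code written for this page, not Ghostscript's own; the fake_ref type, its 8-byte size, the function names and the VM-limit parameter are all assumptions), the following models the 32-bit ulong wrap with uint32_t so it behaves identically on a 64-bit host, and puts the unchecked computation next to a checked one that refuses a count whose byte size cannot be represented:

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not Ghostscript code.  On ILP32 targets (i386 Linux)
 * 'unsigned long' is 32 bits wide, so "element count * element size" can
 * wrap modulo 2^32 before the allocator ever sees the result.  The bytes
 * requested are then far fewer than the bytes the caller goes on to write.
 * uint32_t arithmetic reproduces that wrap on any host.
 */

/* Stand-in element; 8 bytes is an assumption for this illustration only. */
typedef struct {
    uint32_t type_attrs;
    uint32_t value;
} fake_ref;

#define FAKE_REF_SIZE ((uint32_t)sizeof(fake_ref))

/* Unchecked byte count, as a 32-bit 'ulong' would compute it. */
uint32_t unchecked_bytes(uint32_t num_refs)
{
    return num_refs * FAKE_REF_SIZE;        /* silently wraps past 4 GiB */
}

/* Number of requested elements that would land beyond a buffer sized by
 * unchecked_bytes(); zero whenever the multiplication did not wrap. */
uint32_t elements_past_end(uint32_t num_refs)
{
    uint32_t capacity = unchecked_bytes(num_refs) / FAKE_REF_SIZE;
    return num_refs - capacity;             /* capacity <= num_refs always */
}

/* Checked variant: returns the byte count, or -1 when the product does not
 * fit in 32 bits or exceeds a caller-imposed ceiling (the analogue of the
 * VMerror a correctly behaving build reports instead of overflowing). */
int64_t checked_bytes(uint32_t num_refs, uint32_t max_bytes)
{
    if (num_refs > UINT32_MAX / FAKE_REF_SIZE)
        return -1;                          /* product would wrap */
    uint32_t bytes = num_refs * FAKE_REF_SIZE;
    if (bytes > max_bytes)
        return -1;                          /* over the VM limit */
    return (int64_t)bytes;
}

int main(void)
{
    uint32_t n = 0x20000001u;               /* 536870913 elements */
    printf("%u refs: unchecked -> %u bytes, %u refs would be written past the end\n",
           n, unchecked_bytes(n), elements_past_end(n));
    printf("%u refs: checked   -> %lld\n",
           n, (long long)checked_bytes(n, UINT32_MAX));
    return 0;
}
```

The divide-before-multiply test is the portable idiom; on GCC and Clang, __builtin_mul_overflow() expresses the same check in one call. Either way the check must sit on the path the scanner takes before the allocator is asked for memory, because the allocator has no way to recover the intended size once the product has wrapped.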
I get a VMerror and no asan problems on 64 bit linux.
(In reply to Chris Liddell (chrisl) from comment #2)
> I get a VMerror and no asan problems on 64 bit linux.

Hi.

I tested it on Ubuntu 32bit. Would you like to try it in a 32 bit os?
I re-confirmed the Asan error log 10 minutes ago.

Thanks.

--
karas@karas-VirtualBox:~/gwanyeong/ghostpdl$ bin/gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_alloc_ref_array -c qui
GPL Ghostscript GIT PRERELEASE 9.22 (2017-03-16)
Copyright (C) 2017 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
=================================================================
==14759==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb03fef1c at pc 0x08e446b7 bp 0xbfc46998 sp 0xbfc46988
WRITE of size 2 at 0xb03fef1c thread T0
    #0 0x8e446b6 in gs_alloc_ref_array psi/ialloc.c:261
    #1 0x8cfe8ce in scan_bos psi/iscanbin.c:246
    #2 0x8cfe8ce in scan_binary_token psi/iscanbin.c:170
    #3 0x8d97937 in gs_scan_token psi/iscan.c:957
    #4 0x8d83329 in interp psi/interp.c:1364
    #5 0x8d8902e in gs_call_interp psi/interp.c:517
    #6 0x8d8902e in gs_interpret psi/interp.c:474
    #7 0x8d61094 in gs_main_interpret psi/imain.c:235
    #8 0x8d61094 in gs_main_run_string_end psi/imain.c:651
    #9 0x8d61094 in gs_main_run_string_with_length psi/imain.c:609
    #10 0x8d61134 in gs_main_run_string psi/imain.c:591
    #11 0x8d66660 in run_string psi/imainarg.c:983
    #12 0x8d66afb in runarg psi/imainarg.c:973
    #13 0x8d66d06 in argproc psi/imainarg.c:906
    #14 0x8d6a6d6 in gs_main_init_with_args psi/imainarg.c:238
    #15 0x80b43f0 in main psi/gs.c:96
    #16 0xb6fb9636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #17 0x80bad7f (/home/karas/gwanyeong/ghostpdl/bin/gs+0x80bad7f)

0xb03fef1c is located 0 bytes to the right of 182904604-byte region [0xa5590800,0xb03fef1c)
allocated by thread T0 here:
    #0 0xb7264dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x89ee4b6 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x899190f in alloc_acquire_clump base/gsalloc.c:2434
    #3 0x899376a in alloc_obj base/gsalloc.c:1896
    #4 0x8e44092 in gs_alloc_ref_array psi/ialloc.c:226
    #5 0x8cfe8ce in scan_bos psi/iscanbin.c:246
    #6 0x8cfe8ce in scan_binary_token psi/iscanbin.c:170
    #7 0x8d97937 in gs_scan_token psi/iscan.c:957
    #8 0x8d83329 in interp psi/interp.c:1364
    #9 0x8d8902e in gs_call_interp psi/interp.c:517
    #10 0x8d8902e in gs_interpret psi/interp.c:474
    #11 0x8d61094 in gs_main_interpret psi/imain.c:235
    #12 0x8d61094 in gs_main_run_string_end psi/imain.c:651
    #13 0x8d61094 in gs_main_run_string_with_length psi/imain.c:609
    #14 0x8d61134 in gs_main_run_string psi/imain.c:591
    #15 0x8d66660 in run_string psi/imainarg.c:983
    #16 0x8d66afb in runarg psi/imainarg.c:973
    #17 0x8d66d06 in argproc psi/imainarg.c:906
    #18 0x8d6a6d6 in gs_main_init_with_args psi/imainarg.c:238
    #19 0x80b43f0 in main psi/gs.c:96
    #20 0xb6fb9636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow psi/ialloc.c:261 gs_alloc_ref_array
Shadow bytes around the buggy address:
  0x3607fd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3607fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3607fde0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3607fe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14759==ABORTING
Fixed in: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cfde94be1
(In reply to Chris Liddell (chrisl) from comment #4)
> Fixed in:
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cfde94be1

Hi.

If it has been patched, can you unlock the post? I do not seem to have the right to unlock it.
When anonymous users access it, the following error is displayed:
"You are not authorized to access bug #697985. To see this bug, you must first log in to an account with the appropriate permissions"

Thanks.
Use CVE-2017-9835.