Created attachment 13774 [details] PoC POC to trigger heap buffer overflow (gxps) I found a crashing test case. Please confirm. Version 9.22 and Git Head: f6507e828ddfe1f60645bc925bff9bedfdb306ce OS: Ubuntu 16.04.2 x86_64 Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE --------------- GDB out: --------------- [────────────REGISTERS─────────────────] *RAX 0x1629000 *RBX 0x15a19b0 -> 0xf3de80 (c_read_procs) -> 0x8b0dcc (c_param_read_typed) <- push rbp *RCX 0x656d616e RDX 0x0 *RDI 0x1629000 *RSI 0xfa0893 <- add byte ptr [rbx + 0x61], ah *R8 0x4fcfffff0ff8000 *R9 0x15e5b08 <- 0x6e656d75636f442f ('/Documen') *R10 0xffff00000000 *R11 0x7ffff7478390 <- scasd eax, dword ptr [rdi] *R12 0x460ea0 (_start) <- xor ebp, ebp *R13 0x7fffffffdd30 <- 0x5 R14 0x0 R15 0x0 *RBP 0x7fffffffc260 -> 0x7fffffffc300 -> 0x7fffffffc330 -> 0x7fffffffc370 <- ... *RSP 0x7fffffffc260 -> 0x7fffffffc300 -> 0x7fffffffc330 -> 0x7fffffffc370 <- ... *RIP 0xa6e8a3 (u16+12) <- movzx eax, byte ptr [rax] [───────────DISASM─────────────────] ► 0xa6e8a3 <u16+12> movzx eax, byte ptr [rax] 0xa6e8a6 <u16+15> movzx eax, al 0xa6e8a9 <u16+18> shl eax, 8 0xa6e8ac <u16+21> mov edx, eax 0xa6e8ae <u16+23> mov rax, qword ptr [rbp - 8] 0xa6e8b2 <u16+27> add rax, 1 0xa6e8b6 <u16+31> movzx eax, byte ptr [rax] 0xa6e8b9 <u16+34> movzx eax, al 0xa6e8bc <u16+37> or eax, edx 0xa6e8be <u16+39> pop rbp 0xa6e8bf <u16+40> ret [─────────────SOURCE─────────────────] 29 return (signed short)( (p[0] << 8) | p[1] ); 30 } 31 32 static inline int u16(byte *p) 33 { 34 return (p[0] << 8) | p[1]; <-- vulnerability 35 } 36 37 static inline int u24(byte *p) 38 { [─────────────────STACK─────────────] 00:0000│ rbp rsp 0x7fffffffc260 -> 0x7fffffffc300 -> 0x7fffffffc330 -> 0x7fffffffc370 <- ... 
01:0008│ 0x7fffffffc268 -> 0xa6ef65 (xps_load_sfnt_name+395) <- mov dword ptr [rbp - 0x4c], eax 02:0010│ 0x7fffffffc270 -> 0x15e5d24 <- 0x6e776f6e6b6e55 /* 'Unknown' */ 03:0018│ 0x7fffffffc278 -> 0x15e5b68 -> 0x15ec540 <- 0x80000d0000000100 04:0020│ 0x7fffffffc280 -> 0x15a1898 -> 0x15ee928 -> 0x15e5e80 <- ... 05:0028│ 0x7fffffffc288 -> 0x15ee938 -> 0x15e5e80 <- 0x0 06:0030│ 0x7fffffffc290 <- 0x4ff100000000 07:0038│ 0x7fffffffc298 -> 0x15a17a0 <- 0x15a17a0 [───────────────BACKTRACE─────────────] ► f 0 a6e8a3 u16+12 f 1 a6ef65 xps_load_sfnt_name+395 f 2 a70e02 xps_init_truetype_font+723 f 3 a6ea82 xps_new_font+371 f 4 a6df27 xps_parse_glyphs+1725 f 5 a5ec25 xps_parse_element+135 f 6 a5dd19 xps_parse_fixed_page+2524 f 7 a5a81e xps_read_and_process_page_part+120 f 8 a5b167 xps_process_file+2268 f 9 461528 xps_imp_process_file+59 f 10 a4603c pl_process_file+40 ----------------------------------------------------------- #0 0x0000000000a6e8a3 in u16 (p=0x1629000 <error: Cannot access memory at address 0x1629000>) at ./xps/xpsfont.c:34 #1 0x0000000000a6ef65 in xps_load_sfnt_name (font=0x15e5b68, namep=0x15e5d24 "Unknown") at ./xps/xpsfont.c:203 #2 0x0000000000a70e02 in xps_init_truetype_font (ctx=0x15a80f8, font=0x15e5b68) at ./xps/xpsttf.c:384 #3 0x0000000000a6ea82 in xps_new_font (ctx=0x15a80f8, buf=0x15ec540 "", buflen=9188, index=0) at ./xps/xpsfont.c:79 #4 0x0000000000a6df27 in xps_parse_glyphs (ctx=0x15a80f8, base_uri=0x7fffffffcaa0 "/Documents/1/Pa"..., dict=0x0, root=0x15e44d0) at ./xps/xpsglyphs.c:711 #5 0x0000000000a5ec25 in xps_parse_element (ctx=0x15a80f8, base_uri=0x7fffffffcaa0 "/Documents/1/Pa"..., dict=0x0, node=0x15e44d0) at ./xps/xpscommon.c:68 #6 0x0000000000a5dd19 in xps_parse_fixed_page (ctx=0x15a80f8, part=0x15e41b8) at ./xps/xpspage.c:279 #7 0x0000000000a5a81e in xps_read_and_process_page_part (ctx=0x15a80f8, name=0x15e40f8 "/Documents/1/Pa"...) 
at ./xps/xpszip.c:539 #8 0x0000000000a5b167 in xps_process_file (ctx=0x15a80f8, filename=0x15a1a20 "/home/karas/gwa"...) at ./xps/xpszip.c:688 #9 0x0000000000461528 in xps_imp_process_file (impl=0x15a7030, filename=0x15a1a20 "/home/karas/gwa"...) at ./xps/xpstop.c:228 #10 0x0000000000a4603c in pl_process_file (impl=0x15a7030, filename=0x15a1a20 "/home/karas/gwa"...) at ./pcl/pl/pltop.c:70 #11 0x0000000000aee33b in pl_main_run_file (minst=0x15a1930, filename=0x15a1a20 "/home/karas/gwa"...) at ./pcl/pl/plmain.c:377 #12 0x0000000000af0c66 in pl_main_process_options (pmi=0x15a1930, pal=0x15a19e8, pjl_instance=0x15a4bb8) at ./pcl/pl/plmain.c:1313 #13 0x0000000000aede21 in pl_main_init_with_args (inst=0x15a1930, argc=5, argv=0x7fffffffdd38) at ./pcl/pl/plmain.c:262 #14 0x0000000000a46571 in plapi_init_with_args (lib=0x15a11d0, argc=5, argv=0x7fffffffdd38) at ./pcl/pl/plapi.c:58 #15 0x0000000000aedac6 in main (argc=5, argv=0x7fffffffdd38) at ./pcl/pl/realmain.c:34 #16 0x00007ffff7304830 in __libc_start_main (main=0xaeda69 <main>, argc=5, argv=0x7fffffffdd38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd28) at ../csu/libc-start.c:291 #17 0x0000000000460ec9 in _start () --------------- ASan out: --------------- ==2462==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000060830 at pc 0x00000136b84f bp 0x7fff5ad59220 sp 0x7fff5ad59210 READ of size 1 at 0x631000060830 thread T0 #0 0x136b84e in u16 xps/xpsfont.c:34 #1 0x136c6c7 in xps_load_sfnt_name xps/xpsfont.c:205 #2 0x137075f in xps_init_truetype_font xps/xpsttf.c:384 #3 0x136bde5 in xps_new_font xps/xpsfont.c:79 #4 0x136a949 in xps_parse_glyphs xps/xpsglyphs.c:711 #5 0x134c41a in xps_parse_element xps/xpscommon.c:68 #6 0x134aa98 in xps_parse_fixed_page xps/xpspage.c:279 #7 0x1344729 in xps_read_and_process_page_part xps/xpszip.c:539 #8 0x1345657 in xps_process_file xps/xpszip.c:688 #9 0x462a2c in xps_imp_process_file xps/xpstop.c:228 #10 0x1316a58 in 
pl_process_file pcl/pl/pltop.c:70 #11 0x14a9f75 in pl_main_run_file pcl/pl/plmain.c:377 #12 0x14aee24 in pl_main_process_options pcl/pl/plmain.c:1313 #13 0x14a96c6 in pl_main_init_with_args pcl/pl/plmain.c:262 #14 0x1317848 in plapi_init_with_args pcl/pl/plapi.c:58 #15 0x14a8fd1 in main pcl/pl/realmain.c:34 #16 0x7f44765ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #17 0x461a48 in _start (/home/karas/gwanyeong/ghostpdl/debugbin/gxps+0x461a48) 0x631000060830 is located 0 bytes to the right of 65584-byte region [0x631000050800,0x631000060830) allocated by thread T0 here: #0 0x7f4477116602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0xf63c86 in gs_heap_alloc_bytes base/gsmalloc.c:193 #2 0xa15c7c in chunk_obj_alloc base/gsmchunk.c:909 #3 0xa161d1 in chunk_alloc_struct base/gsmchunk.c:991 #4 0xf07082 in c_param_add base/gscparam.c:235 #5 0xf07465 in c_param_write base/gscparam.c:272 #6 0xf07ec0 in c_param_write_typed base/gscparam.c:397 #7 0xf7a306 in gs_param_write_items base/gsparam.c:153 #8 0xbb678e in gdev_pdf_get_params devices/vector/gdevpdfp.c:272 #9 0xf22d09 in gs_get_device_or_hw_params base/gsdparam.c:64 #10 0x4625f7 in xps_imp_set_device xps/xpstop.c:174 #11 0x13169c5 in pl_set_device pcl/pl/pltop.c:51 #12 0x14aadb7 in pl_main_universe_select pcl/pl/plmain.c:593 #13 0x14a9cf2 in pl_main_run_file pcl/pl/plmain.c:341 #14 0x14aee24 in pl_main_process_options pcl/pl/plmain.c:1313 #15 0x14a96c6 in pl_main_init_with_args pcl/pl/plmain.c:262 #16 0x1317848 in plapi_init_with_args pcl/pl/plapi.c:58 #17 0x14a8fd1 in main pcl/pl/realmain.c:34 #18 0x7f44765ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-buffer-overflow xps/xpsfont.c:34 u16 Shadow bytes around the buggy address: 0x0c62800040b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c62800040c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c62800040d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
0x0c62800040e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c62800040f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c6280004100: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa 0x0c6280004110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c6280004120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c6280004130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c6280004140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c6280004150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==2462==ABORTING
Fixed in ghostpdl commit d2ab8473: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d2ab8473
This issue was assigned CVE-2017-9610.