Created attachment 14417
POC file of the vulnerability

I discovered several heap overflow vulnerabilities in mutool version 1.11. Attackers may exploit these vulnerabilities to cause a denial of service attack or other further attacks such as remote code execution. These issues seem different because the call tracks vary, so I will create different bugs.

**My Environment:
ctf@ubuntu:/home/g$ uname -a
Linux ubuntu 4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:37:59 UTC 2017 i686 i686 i686 GNU/Linux
ctf@ubuntu:/home/g$ cat /etc/*lease
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu Kylin"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Kylin 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety

**Build Information:
ctf@ubuntu:/home/g$ /home/g/mupdf/bin/mutool -v
mutool version 1.11

**ASAN report on heap overflow:
ctf@ubuntu:/home/g$ /home/g/mupdf/bin/mutool clean -gggg -l -a -d -z -f -i heapoverflow/heap-overflow-poc-1
error: expected object number
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: object missing 'endobj' token
=================================================================
==12789==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3803260 at pc 0x0850fc4e bp 0xbfe1d328 sp 0xbfe1d318
READ of size 4 at 0xb3803260 thread T0
    #0 0x850fc4d (/home/g/mupdf/bin/mutool+0x850fc4d)
    #1 0x853700d (/home/g/mupdf/bin/mutool+0x853700d)
    #2 0x853ac7d (/home/g/mupdf/bin/mutool+0x853ac7d)
    #3 0x843a7c4 (/home/g/mupdf/bin/mutool+0x843a7c4)
    #4 0x80d0653 (/home/g/mupdf/bin/mutool+0x80d0653)
    #5 0x806b76e (/home/g/mupdf/bin/mutool+0x806b76e)
    #6 0xb6f32275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #7 0x8074650 (/home/g/mupdf/bin/mutool+0x8074650)

0xb3803260 is located 0 bytes to the right of 144-byte region [0xb38031d0,0xb3803260)
allocated by thread T0 here:
    #0 0xb720aae4 in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xc3ae4)
    #1 0x82ef71f (/home/g/mupdf/bin/mutool+0x82ef71f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/g/mupdf/bin/mutool+0x850fc4d)
==12789==ABORTING
ctf@ubuntu:/home/g$
For future reference, it would be helpful if you ran ASAN's output through the symbolizer so we can see file names and line numbers rather than random hex addresses. Putting something like the following in your .bashrc will do it automatically:

export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
export ASAN_OPTIONS=symbolize=1
With mutool clean -gg I get:

WRITE of size 4 at 0x60d00000ce60 thread T0
    #0 0xe724e6 in dowriteobject /home/tor/src/mupdf/source/pdf/pdf-write.c:2162:3
    #1 0xe4ef64 in writeobjects /home/tor/src/mupdf/source/pdf/pdf-write.c:2218:3
    #2 0xe39c3d in do_pdf_save_document /home/tor/src/mupdf/source/pdf/pdf-write.c:2937:4
    #3 0xe3c8bd in pdf_save_document /home/tor/src/mupdf/source/pdf/pdf-write.c:3078:3
    #4 0xc6743d in pdf_clean_file /home/tor/src/mupdf/source/pdf/pdf-clean-file.c:336:3
    #5 0x5a6526 in pdfclean_main /home/tor/src/mupdf/source/tools/pdfclean.c:94:3
    #6 0x4f6865 in main /home/tor/src/mupdf/source/tools/mutool.c:127:12

With mutool clean -ggg I get:

READ of size 4 at 0x60d00000cf30 thread T0
    #0 0xe462ae in removeduplicateobjs /home/tor/src/mupdf/source/pdf/pdf-write.c:647:8
    #1 0xe37e52 in do_pdf_save_document /home/tor/src/mupdf/source/pdf/pdf-write.c:2879:4
    #2 0xe3c8bd in pdf_save_document /home/tor/src/mupdf/source/pdf/pdf-write.c:3078:3
    #3 0xc6743d in pdf_clean_file /home/tor/src/mupdf/source/pdf/pdf-clean-file.c:336:3
    #4 0x5a6526 in pdfclean_main /home/tor/src/mupdf/source/tools/pdfclean.c:94:3
    #5 0x4f6865 in main /home/tor/src/mupdf/source/tools/mutool.c:127:12
I have a fix awaiting review.
Fixed in:

commit 520cc26d18c9ee245b56e9e91f9d4fcae02be5f0 (golden/master)
Author: Robin Watts <robin.watts@artifex.com>
Date:   Tue Nov 7 19:21:58 2017 +0000

    Bug 689699: Avoid buffer overrun.

    When cleaning a pdf file, various lists (of pdf_xref_len length)
    are defined early on. If we trigger a repair during the clean,
    this can cause pdf_xref_len to increase causing an overrun.

    Fix this by watching for changes in the length, and checking
    accesses to the list for validity.

    This also appears to fix bugs 698700-698703.

Thanks for the report!
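The pattern the commit message describes, modelled in C as an added example (constructed here, not mupdf's code): a side list is sized from the xref length, a repair then grows the xref, and the hardened path resyncs the list and rejects indexes it does not cover. The names doc_t, clean_opts, opts_init, repair, opts_sync, read_checked and demo_repair_growth are hypothetical stand-ins for the real functions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug-689699 pattern, not mupdf code: "clean" sizes
 * its per-object side lists from the xref length, then a repair grows the
 * xref, so indexing the old list by a post-repair object number overruns it. */
typedef struct { int xref_len; } doc_t;                     /* stands in for pdf_xref_len() */
typedef struct { int list_len; int *use_list; } clean_opts; /* hypothetical names */

static int opts_init(clean_opts *o, const doc_t *doc) {
    o->list_len = doc->xref_len;
    o->use_list = calloc((size_t)o->list_len, sizeof(int));
    return o->use_list != NULL;
}

/* A repair that finds more objects than the xref declared: the length grows, the lists do not. */
static void repair(doc_t *doc, int extra) { doc->xref_len += extra; }

/* Before: trusts the live xref length, so idx >= list_len reads past the allocation. Never call it. */
int read_unchecked(const clean_opts *o, int idx) { return o->use_list[idx]; }

/* After, as the commit describes: notice the length change and grow the list
 * (new slots zeroed), and refuse any index the list does not cover. */
static int opts_sync(clean_opts *o, const doc_t *doc) {
    if (doc->xref_len <= o->list_len) return 1;
    int *n = realloc(o->use_list, (size_t)doc->xref_len * sizeof(int));
    if (!n) return 0;
    memset(n + o->list_len, 0, (size_t)(doc->xref_len - o->list_len) * sizeof(int));
    o->use_list = n; o->list_len = doc->xref_len;
    return 1;
}
static int read_checked(const clean_opts *o, int idx, int *out) {
    if (idx < 0 || idx >= o->list_len) return 0;   /* invalid access: refuse instead of overrun */
    *out = o->use_list[idx];
    return 1;
}

/* Scenario: 4 objects, repair adds 3, object 5 is then requested. Returns 1 only if
 * the stale list refuses the access and the resynced list serves it. */
static int demo_repair_growth(void) {
    doc_t d = { 4 }; clean_opts o; int v = -1, ok;
    if (!opts_init(&o, &d)) return 0;
    repair(&d, 3);                                  /* xref_len now 7, list_len still 4 */
    ok = read_checked(&o, 5, &v) == 0;              /* refused: this is where the overrun was */
    ok = ok && opts_sync(&o, &d) && o.list_len == 7;
    ok = ok && read_checked(&o, 5, &v) == 1 && v == 0;
    ok = ok && read_checked(&o, 7, &v) == 0;        /* still out of range after resync */
    free(o.use_list);
    return ok;
}
```

demo_repair_growth() returns 1 when the checked path behaves as the commit describes; the unchecked reader is kept only to show the shape of the original access.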