[ImageMagick-7.0.8-11]A hang in convert #1255

Closed
merc1995 opened this issue Aug 21, 2018 · 3 comments

Comments

@merc1995

Prerequisites

  • [x] I have written a descriptive issue title
  • [x] I have verified that I am using the latest version of ImageMagick
  • [x] I have searched open and closed issues to ensure it has not already been reported

Description

I used a fuzz tool to test the newest version of ImageMagick, and I found a crash that causes the program to hang (more than ten minutes) while the CPU and memory are exhausted. Note that the PoC is only 19 bytes.

Steps to Reproduce

Download the PoC poc.zip
and just run magick convert poc out; the program will hang and the CPU and memory will be exhausted.

Here is the ASan output:

==29950== ERROR: AddressSanitizer failed to allocate 0xa3b70000 (2746679296) bytes of LargeMmapAllocator: unable to allocate memory
==29950== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:70 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7f69acc6b10d (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1210d)
    #1 0x7f69acc71ef3 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18ef3)
    #2 0x7f69acc74493 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1b493)
    #3 0x7f69acc61e68 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x8e68)
    #4 0x7f69acc6286f (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x986f)
    #5 0x7f69acc6e51b (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1551b)
    #6 0x7f69ac39bb8f (/usr/local/lib/libMagickCore-7.Q16HDRI.so.6.0.0+0x28bb8f)
    #7 0x7f69ac39be3e (/usr/local/lib/libMagickCore-7.Q16HDRI.so.6.0.0+0x28be3e)
    #8 0x7f69ac3e6434 (/usr/local/lib/libMagickCore-7.Q16HDRI.so.6.0.0+0x2d6434)
    #9 0x7f69ac3e65ca (/usr/local/lib/libMagickCore-7.Q16HDRI.so.6.0.0+0x2d65ca)
    #10 0x7f69ac5ff1cd (/usr/local/lib/libMagickCore-7.Q16HDRI.so.6.0.0+0x4ef1cd)
    #11 0x7f69ac27564e (/usr/local/lib/libMagickCore-7.Q16HDRI.so.6.0.0+0x16564e)
    #12 0x7f69ac27665e (/usr/local/lib/libMagickCore-7.Q16HDRI.so.6.0.0+0x16665e)
    #13 0x7f69abb339f0 (/usr/local/lib/libMagickWand-7.Q16HDRI.so.6.0.0+0x1159f0)
    #14 0x7f69abcd7d05 (/usr/local/lib/libMagickWand-7.Q16HDRI.so.6.0.0+0x2b9d05)
    #15 0x40163c (/home/mikowoo/ImageMagick/utilities/.libs/magick+0x40163c)
    #16 0x4017d1 (/home/mikowoo/ImageMagick/utilities/.libs/magick+0x4017d1)
    #17 0x7f69ab45782f (/lib/x86_64-linux-gnu/libc-2.23.so+0x2082f)
    #18 0x401188 (/home/mikowoo/ImageMagick/utilities/.libs/magick+0x401188)

System Configuration

Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
9.7G RAM
100G Disk

  • ImageMagick version: 7.0.8-11 Q16 x86_64
  • Environment (Operating system, version and so on): Linux 4.15.0-30-generic Segfault in ReadRLEImage (coders/rle.c:334) #32~16.04.1-Ubuntu SMP Thu Jul 26 20:25:39 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  • Additional information:
    Looking forward to hearing from you soon :)
@urban-warrior
Member

This is likely a Schrödinger's cat problem. In this case the observer is interfering with the observed. Try the command without ASan. The command should complete without complaint. We request a large memory allocation from the system and the system rejects it. ImageMagick gracefully handles the exception. Another solution is to add this to your security policy:

  <policy domain="resource" name="width" value="10KP"/>
  <policy domain="resource" name="height" value="10KP"/>

We then get:

$ magick convert poc null:
convert: width or height exceeds limit `poc' @ error/cache.c/Openconvert: memory allocation failed `poc' @ error/cache.c/OpenPixelCache/3699.
convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3288.

See https://www.imagemagick.org/script/security-policy.php.
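An added example, not code from this issue or from ImageMagick: a small Python audit that parses a policymap like the one suggested above and reports which resource limits (width, height, area, memory, map, disk) are missing or set above a chosen ceiling, so a tiny file declaring huge dimensions cannot drive the allocation seen in the ASan output. The two sample policymaps and the ceilings are constructed for the example, and the value parser assumes K/M/G/T scale by 1000 and Ki/Mi/Gi/Ti by 1024.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policymaps (not the page's or ImageMagick's own files).
POLICY_WITH_LIMITS = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="10KP"/>
  <policy domain="resource" name="height" value="10KP"/>
  <policy domain="resource" name="area" value="128MP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""
POLICY_WITHOUT_LIMITS = """<policymap>
  <policy domain="resource" name="memory" value="2GiB"/>
</policymap>"""

# Ceilings this audit accepts; chosen for the example, not ImageMagick defaults.
MAX_ALLOWED = {
    "width": 16_000, "height": 16_000,   # pixels
    "area": 256_000_000,                 # pixels
    "memory": 1 << 30, "map": 2 << 30, "disk": 4 << 30,  # bytes
}

_LIMIT_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMGT])?(i)?([BP])?\s*$", re.I)

def parse_limit(text):
    """Turn a policy value such as '10KP' or '256MiB' into a number.
    Assumption: K/M/G/T scale by 1000, Ki/Mi/Gi/Ti by 1024 (SI/IEC usage)."""
    m = _LIMIT_RE.match(text)
    if not m:
        raise ValueError(f"unparseable limit: {text!r}")
    number, prefix, binary, _unit = m.groups()
    base = 1024 if binary else 1000
    power = {"K": 1, "M": 2, "G": 3, "T": 4}.get((prefix or "").upper(), 0)
    return int(float(number) * base ** power)

def audit_policy(xml_text):
    """Return sorted findings: resources with no limit, or a limit above
    MAX_ALLOWED. An empty list means every checked resource is bounded."""
    root = ET.fromstring(xml_text)
    limits = {p.get("name"): parse_limit(p.get("value"))
              for p in root.iter("policy")
              if p.get("domain") == "resource" and p.get("name") in MAX_ALLOWED}
    findings = []
    for name, ceiling in MAX_ALLOWED.items():
        if name not in limits:
            findings.append(f"{name}: no limit set")
        elif limits[name] > ceiling:
            findings.append(f"{name}: {limits[name]} exceeds {ceiling}")
    return sorted(findings)
```

Point audit_policy at the contents of the installed policy.xml to check a real deployment; the hardened sample yields no findings, the one with only a large memory limit reports the five unbounded resources and the oversized memory limit.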

@nohmask

nohmask commented Aug 22, 2018

This was assigned CVE-2018-15607.

@Krace

Krace commented Aug 22, 2018

Thanks for your reply.
I've tried the command without ASan, but it still hangs.
However, the policy is effective. ;)
I'll open the security policy and test again.
