We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hello all. We found a denial of service (DoS) issue in ImageMagick 7.0.7-12 Q16 x86_64 , which can cause huge CPU consumption. (cpu 100%)
The policy.xml is as following
<policymap> <policy domain="resource" name="temporary-path" value="/tmp"/> <policy domain="resource" name="memory" value="256MiB"/> <policy domain="resource" name="map" value="512MiB"/> <policy domain="resource" name="width" value="8KP"/> <policy domain="resource" name="height" value="8KP"/> <policy domain="resource" name="area" value="16KP"/> <policy domain="resource" name="disk" value="1GiB"/> <policy domain="resource" name="file" value="768"/> <policy domain="resource" name="thread" value="2"/> <policy domain="resource" name="throttle" value="0"/> <policy domain="resource" name="time" value="120"/> <policy domain="system" name="precision" value="6"/> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="filter" rights="none" pattern="*" /> <policy domain="delegate" rights="none" pattern="HTTPS" /> <policy domain="path" rights="none" pattern="@*"/> </policymap>
convert SeekBlob-cpu-exhaustion /dev/null
gdb backtrace
(gdb) bt #0 0x00007ffff6ef1330 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81 #1 0x00007ffff6e7abe9 in _IO_new_file_seekoff (fp=0x63ff40, offset=238935896, dir=<optimized out>, mode=3) at fileops.c:1079 #2 0x00007ffff6e748c7 in fseeko (fp=0x63ff40, offset=offset@entry=8, whence=whence@entry=1) at fseeko.c:39 #3 0x00007ffff779b1d2 in SeekBlob (image=image@entry=0x6366b0, offset=offset@entry=8, whence=whence@entry=1) at MagickCore/blob.c:4627 #4 0x00007ffff794e964 in SkipDXTMipmaps (image=0x6366b0, dds_info=0x7fffffff45e0, texel_size=8, exception=<optimized out>) at coders/dds.c:2552 #5 0x00007ffff794de03 in ReadDDSImage (image_info=0x61fe10, exception=0x612c90) at coders/dds.c:1830 #6 0x00007ffff77c962f in ReadImage (image_info=image_info@entry=0x61cb20, exception=exception@entry=0x612c90) at MagickCore/constitute.c:555 #7 0x00007ffff77ca64f in ReadImages (image_info=image_info@entry=0x619830, filename=filename@entry=0x611c10 "/tmp/cpu-poc2", exception=exception@entry=0x612c90) at MagickCore/constitute.c:866 #8 0x00007ffff742dbb3 in ConvertImageCommand (image_info=0x619830, argc=3, argv=0x611b50, metadata=0x7fffffffc180, exception=0x612c90) at MagickWand/convert.c:641 #9 0x00007ffff7499764 in MagickCommandGenesis (image_info=image_info@entry=0x616540, command=command@entry=0x400f50 <ConvertImageCommand@plt>, argc=argc@entry=3, argv=argv@entry=0x7fffffffe4d8, metadata=0x0, exception=exception@entry=0x612c90) at MagickWand/mogrify.c:183 #10 0x00000000004011cf in MagickMain (argc=3, argv=0x7fffffffe4d8) at utilities/magick.c:149 #11 0x00007ffff6e23f45 in __libc_start_main (main=0x400fd0 <main>, argc=3, argv=0x7fffffffe4d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4c8) at libc-start.c:287 #12 0x0000000000400ffe in _start ()
when debug found dds_info->mipmapcount is very large
2549 for (i = 1; (i < (ssize_t) dds_info->mipmapcount) && w && h; i++) [67/733] (gdb) 2551 offset=(MagickOffsetType)((w+3)/4)*((h+3)/4)*texel_size; (gdb) 2552 if (SeekBlob(image,offset,SEEK_CUR) < 0) (gdb) 2551 offset=(MagickOffsetType)((w+3)/4)*((h+3)/4)*texel_size; (gdb) 2552 if (SeekBlob(image,offset,SEEK_CUR) < 0) (gdb) 2551 offset=(MagickOffsetType)((w+3)/4)*((h+3)/4)*texel_size; (gdb) 2552 if (SeekBlob(image,offset,SEEK_CUR) < 0) (gdb) 2554 w=DIV2(w); (gdb) 2555 h=DIV2(h); (gdb) 2549 for (i = 1; (i < (ssize_t) dds_info->mipmapcount) && w && h; i++) (gdb) 2551 offset=(MagickOffsetType)((w+3)/4)*((h+3)/4)*texel_size; (gdb) 2552 if (SeekBlob(image,offset,SEEK_CUR) < 0) (gdb) 2551 offset=(MagickOffsetType)((w+3)/4)*((h+3)/4)*texel_size; (gdb) 2552 if (SeekBlob(image,offset,SEEK_CUR) < 0) (gdb) 2551 offset=(MagickOffsetType)((w+3)/4)*((h+3)/4)*texel_size; (gdb) 2552 if (SeekBlob(image,offset,SEEK_CUR) < 0) (gdb) 2554 w=DIV2(w); (gdb) 2555 h=DIV2(h); (gdb) 2549 for (i = 1; (i < (ssize_t) dds_info->mipmapcount) && w && h; i++) (gdb) 2551 offset=(MagickOffsetType)((w+3)/4)*((h+3)/4)*texel_size; (gdb) 2552 if (SeekBlob(image,offset,SEEK_CUR) < 0) (gdb) 2551 offset=(MagickOffsetType)((w+3)/4)*((h+3)/4)*texel_size; (gdb) p dds_info->mipmapcount $1 = 4289331201
testcase: https://github.com/henices/pocs/raw/master/SeekBlob--cpu-exhaustion
Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
The text was updated successfully, but these errors were encountered:
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
Sorry, something went wrong.
https://github.com/ImageMagick/ImageMagick/issues/867
9da3b39
f685e1e
e5dae18
This issue was assigned CVE-2017-1000476
No branches or pull requests
Hello all.
We found a denial of service (DoS) issue in ImageMagick 7.0.7-12 Q16 x86_64 , which can cause huge CPU consumption. (cpu 100%)
The policy.xml is as following
convert SeekBlob-cpu-exhaustion /dev/null
gdb backtrace
when debug found dds_info->mipmapcount is very large
testcase:
https://github.com/henices/pocs/raw/master/SeekBlob--cpu-exhaustion
Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
The text was updated successfully, but these errors were encountered: