
Reachable assertions in jpc_firstone #172

Closed
YourButterfly opened this issue Mar 27, 2018 · 10 comments

Comments

@YourButterfly

Description of problem:

There is a reachable assertion abort in function jpc_firstone of JasPer that will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):

<= latest version

The output information is as follows:

$ ../../../../jasper/jasper-debug/bin/jasper --input poc --input-format jpc --output out.jp2 --output-format jp2
jasper: /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_math.c:113: jpc_firstone: Assertion `x >= 0' failed.
Aborted (core dumped)

The gdb debugging information is listed below:

Program received signal SIGABRT
pwndbg> bt
#0  0x00007ffff7760428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff776202a in __GI_abort () at abort.c:89
#2  0x00007ffff7758bd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7ffff7b99858 "x >= 0", file=file@entry=0x7ffff7b99818 "/home/pwd/fuzz_"..., line=line@entry=113, function=function@entry=0x7ffff7b99870 <__PRETTY_FUNCTION__.4038> "jpc_firstone") at assert.c:92
#3  0x00007ffff7758c82 in __GI___assert_fail (assertion=0x7ffff7b99858 "x >= 0", file=0x7ffff7b99818 "/home/pwd/fuzz_"..., line=113, function=0x7ffff7b99870 <__PRETTY_FUNCTION__.4038> "jpc_firstone") at assert.c:101
#4  0x00007ffff7b57a7e in jpc_firstone (x=-2147483648) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_math.c:113
#5  0x00007ffff7b6df31 in jpc_enc_enccblks (enc=0x61a8d0) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_t1enc.c:160
#6  0x00007ffff7b52151 in jpc_enc_encodemainbody (enc=0x61a8d0) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:1401
#7  0x00007ffff7b4ce14 in jpc_encode (image=0x61b590, out=0x60d580, optstr=0x7fffffffc900 "\n_jp2overhead=9"...) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jpc/jpc_enc.c:308
#8  0x00007ffff7b3a86f in jp2_encode (image=0x61b590, out=0x60d580, optstr=0x0) at /home/pwd/fuzz_jasper/jasper/src/libjasper/jp2/jp2_enc.c:397
#9  0x00007ffff7b1fc00 in jas_image_encode (image=0x61b590, out=0x60d580, fmt=4, optstr=0x0) at /home/pwd/fuzz_jasper/jasper/src/libjasper/base/jas_image.c:469
#10 0x000000000040252c in main (argc=9, argv=0x7fffffffdb08) at /home/pwd/fuzz_jasper/jasper/src/appl/jasper.c:277
#11 0x00007ffff774b830 in __libc_start_main (main=0x401c76 <main>, argc=9, argv=0x7fffffffdb08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdaf8) at ../csu/libc-start.c:291
#12 0x0000000000401ba9 in _start ()

jpc_firstone in jpc_math.c

int jpc_firstone(int x)
{
	int n;

	/* The argument must be nonnegative. */
	assert(x >= 0);

	n = -1;
	while (x > 0) {
		x >>= 1;
		++n;
	}
	return n;
}

Additional info:

Credits:

pwd @360TeamSerious

poc https://github.com/TeamSeri0us/pocs/blob/master/jasper/poc

@fridrich

The problem is basically an integer width one. The assertion will be triggered by an overflowing int_fast32_t that will be passed to the jpc_firstone(int). The problem is that the calling function will always assure that the parameter is positive, but int_fast32_t is a 64-bit integer on 64-bit systems. Hence the overflow, and the parameter can become negative.

@fridrich

http://paste.opensuse.org/view/raw/330751ce fixes the problem by using parameter int_fast32_t that is guaranteed to be AT LEAST 32-bit in the two functions in jpc_math.{c,h}. This avoids the overflow and the assert should not be triggered by a file.
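The following is an added example written for this thread, not JasPer's code and not the content of the paste above. It shows the narrowing that the two comments describe: a caller holds a nonnegative int_fast32_t, the old jpc_firstone(int) signature converts it to int, and on a platform where int_fast32_t is wider than int the converted value can be negative (the backtrace shows x=-2147483648, which is INT_MIN). The widened int_fast32_t signature removes the conversion, and a checked wrapper shows how a caller can turn the remaining precondition into an error code instead of an abort. All function names here (firstone_narrow, firstone_wide, firstone_or_error, narrowed_intmax_plus_one) are hypothetical.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define FIRSTONE_EINVAL (-2)  /* returned for negative input by the checked variant */

/* Pre-fix shape (hypothetical copy of the reported function): the parameter
   is a plain int, so any wider caller value is narrowed before the assertion
   ever sees it. Never called here with an out-of-range value, because that
   would abort exactly as in the report. */
static int firstone_narrow(int x)
{
	int n = -1;
	assert(x >= 0);
	while (x > 0) {
		x >>= 1;
		++n;
	}
	return n;
}

/* Post-fix shape (the change this thread proposes): take int_fast32_t so no
   narrowing happens between the caller's value and the assertion. */
int firstone_wide(int_fast32_t x)
{
	int n = -1;
	assert(x >= 0);
	while (x > 0) {
		x >>= 1;
		++n;
	}
	return n;
}

/* Defensive wrapper for untrusted input: report the violated precondition as
   an error code rather than reaching the assertion. */
int firstone_or_error(int_fast32_t x)
{
	if (x < 0)
		return FIRSTONE_EINVAL;
	return firstone_wide(x);
}

/* Reproduces the value in the backtrace. The constructed input is the smallest
   positive number that does not fit in int; the old signature narrows it to
   int, which yields INT_MIN (-2147483648) on GCC/Clang (implementation-defined
   in general). Returns 0 when int_fast32_t is not wider than int, because the
   constructed value cannot be formed there without overflow. */
int narrowed_intmax_plus_one(void)
{
	if (sizeof(int_fast32_t) <= sizeof(int))
		return 0;
	int_fast32_t v = (int_fast32_t)INT_MAX + 1;  /* constructed input, nonnegative */
	return (int)v;  /* the conversion the old int parameter performed */
}

int main(void)
{
	printf("firstone_narrow(255) = %d (safe input)\n", firstone_narrow(255));
	if (sizeof(int_fast32_t) > sizeof(int)) {
		int_fast32_t v = (int_fast32_t)INT_MAX + 1;
		printf("caller value %ld is nonnegative, but as int it is %d\n",
		       (long)v, narrowed_intmax_plus_one());
		printf("firstone_wide(v) = %d\n", firstone_wide(v));
	} else {
		printf("int_fast32_t is not wider than int here; no narrowing occurs\n");
	}
	printf("firstone_or_error(-1) = %d\n", firstone_or_error(-1));
	return 0;
}
```

Compile with any C99 compiler on a 64-bit Linux host (where int_fast32_t is 64 bits, as the comment above notes) to see the nonnegative caller value appear as INT_MIN after narrowing; the widened signature returns 31 for the same input.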

@thoger
Contributor

thoger commented May 29, 2018

Why was this closed? AFAICS, no patch was applied to address this. This repo has had no change since Dec 2017.

@YourButterfly YourButterfly reopened this Jun 8, 2018
@YourButterfly
Author

it is opening

@jridky

jridky commented Jul 10, 2018

Any progress?

@jubalh
Member

jubalh commented Mar 25, 2019

This issue was assigned CVE-2018-9055

jubalh added a commit to jubalh/jasper that referenced this issue Mar 25, 2019
Fix denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c.

Assigned CVE-2018-9055.
Fixes jasper-software#172.

Fix by Fridrich Strba <FStrba@suse.com>.
@jubalh
Member

jubalh commented Mar 25, 2019

@jridky I just proposed a fix that we use since some time. Do you have some fixes from RH for this or other issues as well?

@jridky

jridky commented Mar 25, 2019

Hi, thanks for the fix. Unfortunately, I am not aware of any fix to jasper from RH site.

jubalh added a commit to jasper-maint/jasper that referenced this issue Jun 15, 2020
Fix denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c.

Assigned CVE-2018-9055.
Fixes jasper-software/jasper#172.

Fix by Fridrich Strba <FStrba@suse.com>.

See: jasper-software/jasper#204
Fix #9
jubalh pushed a commit to jasper-maint/jasper that referenced this issue Jun 16, 2020
Fix denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c.

Assigned CVE-2018-9055.
Fixes jasper-software/jasper#172.

See: jasper-software/jasper#204
Fix #9
@MaxKellermann
Contributor

Fixed by jasper-maint/jasper@e6c8d5a in our fork

@jubalh
Member

jubalh commented Jul 28, 2020

Merged as e6c8d5a

@jubalh jubalh closed this as completed Jul 28, 2020