FLIF aborted caused by longjmp causes uninitialized stack frame #520

Open
EnchantedJohn opened this Issue Jul 25, 2018 · 4 comments

EnchantedJohn commented Jul 25, 2018

Hello, guys. I use my company's fuzzing tools. I found that FLIF aborted. I think it is caused by a longjmp that causes an uninitialized stack frame. I searched for some information about it. On Google, curl met the same situation. So I think it is a bug.
So, I want to show you more information about it.

EnchantedJohn commented Jul 25, 2018

Here is the abort information:

(gdb) set args -d /home/lx/DIVE_github/secdive/bin/hfl/output/3066771E5C592B1C72695C17AA24193689A625/hfl-libc-abort-1-\{reta_libc.so.6.0x732a4\} output.png --overwrite
(gdb) r
Starting program: /home/lx/github/7_25/flif/HFL/flif -d /home/lx/DIVE_github/secdive/bin/hfl/output/3066771E5C592B1C72695C17AA24193689A625/hfl-libc-abort-1-\{reta_libc.so.6.0x732a4\} output.png --overwrite
Warning: expected file name extension ".flif" for input file, trying anyway...
Invalid tree. Aborting tree decoding.
File ended prematurely or decoding was interrupted.
libpng warning: Image width exceeds user limit in IHDR
libpng error: Invalid IHDR data
*** longjmp causes uninitialized stack frame ***: /home/lx/github/7_25/flif/HFL/flif terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7329f)[0x7ffff7a8429f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1f87c]
/lib/x86_64-linux-gnu/libc.so.6(+0x10e78d)[0x7ffff7b1f78d]
/lib/x86_64-linux-gnu/libc.so.6(__longjmp_chk+0x29)[0x7ffff7b1f6e9]
/lib/x86_64-linux-gnu/libpng12.so.0(png_error+0x91)[0x7ffff7806311]
/lib/x86_64-linux-gnu/libpng12.so.0(png_set_IHDR+0x80)[0x7ffff77f04b0]
/home/lx/github/7_25/flif/HFL/flif[0x441e40]
/home/lx/github/7_25/flif/HFL/flif[0x420f2b]
/home/lx/github/7_25/flif/HFL/flif[0x407d3e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a32f45]
/home/lx/github/7_25/flif/HFL/flif[0x41fb19]
======= Memory map: ========
00400000-00501000 r-xp 00000000 08:01 25185630                           /home/lx/github/7_25/flif/HFL/flif
00700000-00703000 r--p 00100000 08:01 25185630                           /home/lx/github/7_25/flif/HFL/flif
00703000-00705000 rw-p 00103000 08:01 25185630                           /home/lx/github/7_25/flif/HFL/flif
00705000-0073d000 rw-p 00000000 00:00 0                                  [heap]
7ffff6082000-7ffff6da2000 rw-p 00000000 00:00 0 
7ffff6da2000-7ffff6ea7000 r-xp 00000000 08:01 61349090                   /lib/x86_64-linux-gnu/libm-2.19.so
7ffff6ea7000-7ffff70a6000 ---p 00105000 08:01 61349090                   /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a6000-7ffff70a7000 r--p 00104000 08:01 61349090                   /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a7000-7ffff70a8000 rw-p 00105000 08:01 61349090                   /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a8000-7ffff70c0000 r-xp 00000000 08:01 61341903                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff70c0000-7ffff72bf000 ---p 00018000 08:01 61341903                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72bf000-7ffff72c0000 r--p 00017000 08:01 61341903                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72c0000-7ffff72c1000 rw-p 00018000 08:01 61341903                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72c1000-7ffff72d7000 r-xp 00000000 08:01 61342814                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff72d7000-7ffff74d6000 ---p 00016000 08:01 61342814                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d6000-7ffff74d7000 r--p 00015000 08:01 61342814                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d7000-7ffff74d8000 rw-p 00016000 08:01 61342814                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d8000-7ffff75df000 r-xp 00000000 08:01 60689024                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff75df000-7ffff77de000 ---p 00107000 08:01 60689024                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77de000-7ffff77e6000 r--p 00106000 08:01 60689024                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77e6000-7ffff77e8000 rw-p 0010e000 08:01 60689024                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77e8000-7ffff77eb000 rw-p 00000000 00:00 0 
7ffff77eb000-7ffff7810000 r-xp 00000000 08:01 61346095                   /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7810000-7ffff7a0f000 ---p 00025000 08:01 61346095                   /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a0f000-7ffff7a10000 r--p 00024000 08:01 61346095                   /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a10000-7ffff7a11000 rw-p 00025000 08:01 61346095                   /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a11000-7ffff7bcf000 r-xp 00000000 08:01 61349104                   /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7bcf000-7ffff7dcf000 ---p 001be000 08:01 61349104                   /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dcf000-7ffff7dd3000 r--p 001be000 08:01 61349104                   /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd3000-7ffff7dd5000 rw-p 001c2000 08:01 61349104                   /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd5000-7ffff7dda000 rw-p 00000000 00:00 0 
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 61349093                   /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7fbb000-7ffff7fc2000 rw-p 00000000 00:00 0 
7ffff7ff6000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 61349093                   /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 61349093                   /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
EnchantedJohn commented Jul 25, 2018

Then, here is the gdb information:

(gdb) bt
#0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
#2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7b93db0 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7b1f87c in __GI___fortify_fail (msg=<optimized out>) at fortify_fail.c:38
#4  0x00007ffff7b1f78d in ____longjmp_chk () at ../sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S:100
#5  0x00007ffff7b1f6e9 in __longjmp_chk (env=0x1, val=1) at ../setjmp/longjmp.c:38
#6  0x00007ffff7806311 in png_error () from /lib/x86_64-linux-gnu/libpng12.so.0
#7  0x00007ffff77f04b0 in png_set_IHDR () from /lib/x86_64-linux-gnu/libpng12.so.0
#8  0x0000000000441e40 in image_save_png(char const*, Image const&) [clone .part.23] [clone .lto_priv.316] ()
#9  0x0000000000420f2b in Image::save(char const*) const ()
#10 0x0000000000407d3e in main ()
(gdb) i r
rax            0x0	0
rbx            0x60	96
rcx            0x7ffff7a47c37	140737348140087
rdx            0x6	6
rsi            0x36b4b	224075
rdi            0x36b4b	224075
rbp            0x7fffffffdbb0	0x7fffffffdbb0
rsp            0x7fffffffd898	0x7fffffffd898
r8             0x7ffff7b8b640	140737349465664
r9             0x4028f0	4204784
r10            0x8	8
r11            0x246	582
r12            0x7fffffffda20	140737488345632
r13            0x5	5
r14            0x60	96
r15            0x5	5
rip            0x7ffff7a47c37	0x7ffff7a47c37 <__GI_raise+55>
eflags         0x246	[ PF ZF IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) x/10i $pc
=> 0x7ffff7a47c37 <__GI_raise+55>:	cmp    $0xfffffffffffff000,%rax
   0x7ffff7a47c3d <__GI_raise+61>:	ja     0x7ffff7a47c5d <__GI_raise+93>
   0x7ffff7a47c3f <__GI_raise+63>:	repz retq 
   0x7ffff7a47c41 <__GI_raise+65>:	nopl   0x0(%rax)
   0x7ffff7a47c48 <__GI_raise+72>:	test   %ecx,%ecx
   0x7ffff7a47c4a <__GI_raise+74>:	jg     0x7ffff7a47c27 <__GI_raise+39>
   0x7ffff7a47c4c <__GI_raise+76>:	mov    %ecx,%eax
   0x7ffff7a47c4e <__GI_raise+78>:	neg    %eax
   0x7ffff7a47c50 <__GI_raise+80>:	and    $0x7fffffff,%ecx
   0x7ffff7a47c56 <__GI_raise+86>:	cmove  %esi,%eax
fgeek commented Aug 3, 2018

@EnchantedJohn Include the file causing this as a zip file in this issue report.

fgeek commented Aug 3, 2018

Someone (probably @EnchantedJohn) requested a CVE identifier for this issue: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14876

An issue was discovered in image_save_png in image/image-png.cpp in Free Lossless Image Format (FLIF) 0.3. Attackers can trigger a longjmp that leads to an uninitialized stack frame after a libpng error concerning the IHDR image width. 
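The backtrace and the CVE text above describe the same failure: png_set_IHDR() rejects the header, png_error() longjmps to the jmp_buf held in the png struct, and glibc's __longjmp_chk aborts because no live frame ever ran setjmp on that buffer. The following is an added example, not FLIF's image_save_png and not libpng's code: it mocks libpng's longjmp-based error reporting (mock_png_struct, mock_png_error, mock_png_set_IHDR and MOCK_PNG_USER_WIDTH_MAX are constructed stand-ins, and the width limit value is an assumption) and shows the caller-side pattern that turns such an error into a return code. The two layers are a pre-check of the dimensions the encoder can validate itself, and a setjmp executed in the same frame that makes the library call, immediately before it.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libpng's png_struct. Real libpng keeps a jmp_buf
 * inside the png_ptr (reached via png_jmpbuf()) and png_error() longjmps to
 * it; if no live frame ever ran setjmp on that buffer, the jump lands in an
 * uninitialized frame, which is what glibc's __longjmp_chk aborts on. */
typedef struct {
    jmp_buf jmpbuf;
    char last_error[128];
} mock_png_struct;

/* Assumption: stands in for libpng's default user width limit (the real one is
 * PNG_USER_WIDTH_MAX, adjustable with png_set_user_limits()). */
#define MOCK_PNG_USER_WIDTH_MAX 1000000u
#define PNG_SPEC_MAX_DIMENSION  0x7fffffffu   /* PNG IHDR width/height are 31-bit */

/* Stand-in for png_error(): record the message and unwind to the handler.
 * Only valid if setjmp(png->jmpbuf) ran in a frame that is still live. */
static void mock_png_error(mock_png_struct *png, const char *msg) {
    snprintf(png->last_error, sizeof png->last_error, "%s", msg);
    longjmp(png->jmpbuf, 1);
}

/* Stand-in for png_set_IHDR(): enforces the library-side limits. */
static void mock_png_set_IHDR(mock_png_struct *png, uint32_t width, uint32_t height) {
    if (width == 0 || height == 0 ||
        width > PNG_SPEC_MAX_DIMENSION || height > PNG_SPEC_MAX_DIMENSION ||
        width > MOCK_PNG_USER_WIDTH_MAX)
        mock_png_error(png, "Invalid IHDR data");
}

static char g_save_error[192];   /* last failure reason, for callers and tests */

const char *save_png_last_error(void) { return g_save_error; }

/* Hardened save routine. Returns 0 on success, -1 on any failure.
 * The png struct is static (libpng's is heap-allocated) so that its contents
 * are not automatic variables modified between setjmp and longjmp. */
int save_png_checked(uint32_t width, uint32_t height) {
    static mock_png_struct png;
    memset(&png, 0, sizeof png);
    g_save_error[0] = '\0';

    /* Layer 1: reject what the encoder can check itself, before touching the library. */
    if (width == 0 || height == 0 ||
        width > PNG_SPEC_MAX_DIMENSION || height > PNG_SPEC_MAX_DIMENSION) {
        snprintf(g_save_error, sizeof g_save_error,
                 "refusing to encode %ux%u image", (unsigned)width, (unsigned)height);
        return -1;
    }

    /* Layer 2: install the longjmp target in THIS frame. setjmp returns 0 now
     * and non-zero when mock_png_error() jumps back; this frame is still live
     * at that point, so the jump is well defined. */
    if (setjmp(png.jmpbuf) != 0) {
        snprintf(g_save_error, sizeof g_save_error, "libpng error: %s", png.last_error);
        return -1;
    }

    mock_png_set_IHDR(&png, width, height);   /* may longjmp to the handler above */
    /* ... the write_info / write_image / write_end calls would follow here ... */
    return 0;
}

int main(void) {
    uint32_t cases[][2] = { {640, 480}, {2000000, 1}, {0, 10}, {0x80000000u, 1} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = save_png_checked(cases[i][0], cases[i][1]);
        printf("%ux%u -> rc=%d %s\n", (unsigned)cases[i][0], (unsigned)cases[i][1],
               rc, rc == 0 ? "ok" : save_png_last_error());
    }
    return 0;
}
```

The second case (width above the library's user limit) is the one the caller cannot know about in advance, so it is only caught by the setjmp handler; the zero and over-31-bit cases never reach the library. The pattern that produces the abort in this report is the same call sequence with the setjmp either missing or executed in a helper function that has already returned.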