Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-use-after-free #1149

Closed
zer0min9 opened this issue May 29, 2018 · 3 comments
Closed

heap-use-after-free #1149

zer0min9 opened this issue May 29, 2018 · 3 comments

Comments

@zer0min9
Copy link

@zer0min9 zer0min9 commented May 29, 2018

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

Version: ImageMagick 7.0.7-36 Q16 x86_64 2018-05-29

Steps to Reproduce

# ./magick identify ./poc
=================================================================
==32001==ERROR: AddressSanitizer: heap-use-after-free on address 0x627000022d50 at pc 0x7f2a4381ee54 bp 0x7fff0be4ade0 sp 0x7fff0be4add0
READ of size 8 at 0x627000022d50 thread T0
    #0 0x7f2a4381ee53 in CloseBlob MagickCore/blob.c:605
    #1 0x7f2a43cd4d87 in ReadMATImage coders/mat.c:1088
    #2 0x7f2a438a67d7 in ReadImage MagickCore/constitute.c:500
    #3 0x7f2a43b6b33e in ReadStream MagickCore/stream.c:1043
    #4 0x7f2a438a57f5 in PingImage MagickCore/constitute.c:226
    #5 0x7f2a438a5de8 in PingImages MagickCore/constitute.c:327
    #6 0x7f2a4318d9fd in IdentifyImageCommand MagickWand/identify.c:319
    #7 0x7f2a4321b71a in MagickCommandGenesis MagickWand/mogrify.c:183
    #8 0x4017e1 in MagickMain utilities/magick.c:149
    #9 0x4019c2 in main utilities/magick.c:180
    #10 0x7f2a4298f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x627000022d50 is located 13392 bytes inside of 13504-byte region [0x62700001f900,0x627000022dc0)
freed by thread T0 here:
    #0 0x7f2a444522ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x7f2a43a58276 in RelinquishMagickMemory MagickCore/memory.c:1058
    #2 0x7f2a43a1d9f2 in DestroyImage MagickCore/image.c:1221
    #3 0x7f2a43a3e782 in DeleteImageFromList MagickCore/list.c:302
    #4 0x7f2a43cd4cfd in ReadMATImage coders/mat.c:1084
    #5 0x7f2a438a67d7 in ReadImage MagickCore/constitute.c:500
    #6 0x7f2a43b6b33e in ReadStream MagickCore/stream.c:1043
    #7 0x7f2a438a57f5 in PingImage MagickCore/constitute.c:226
    #8 0x7f2a438a5de8 in PingImages MagickCore/constitute.c:327
    #9 0x7f2a4318d9fd in IdentifyImageCommand MagickWand/identify.c:319
    #10 0x7f2a4321b71a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7f2a4298f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f2a44452602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f2a43a57360 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7f2a43a15f90 in AcquireCriticalMemory MagickCore/memory-private.h:64
    #3 0x7f2a43a16541 in AcquireImage MagickCore/image.c:171
    #4 0x7f2a43cd3ebb in ReadMATImage coders/mat.c:895
    #5 0x7f2a438a67d7 in ReadImage MagickCore/constitute.c:500
    #6 0x7f2a43b6b33e in ReadStream MagickCore/stream.c:1043
    #7 0x7f2a438a57f5 in PingImage MagickCore/constitute.c:226
    #8 0x7f2a438a5de8 in PingImages MagickCore/constitute.c:327
    #9 0x7f2a4318d9fd in IdentifyImageCommand MagickWand/identify.c:319
    #10 0x7f2a4321b71a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7f2a4298f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/blob.c:605 CloseBlob
Shadow bytes around the buggy address:
  0x0c4e7fffc550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4e7fffc560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4e7fffc570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4e7fffc580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4e7fffc590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4e7fffc5a0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c4e7fffc5b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c4e7fffc5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffc5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffc5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffc5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==32001==ABORTING

POC

poc.zip

System Configuration

  • ImageMagick version:7.0.7-36 Q16 x86_64
  • Environment (Operating system, version and so on):ubuntu 16.04
  • Additional information:
    Found by: Wang Zongming
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue May 30, 2018
@urban-warrior
Copy link
Contributor

@urban-warrior urban-warrior commented May 30, 2018

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask
Copy link

@nohmask nohmask commented Jun 1, 2018

This was assigned CVE-2018-11624.

@zer0min9
Copy link
Author

@zer0min9 zer0min9 commented Jun 1, 2018

Credit: Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

@zer0min9 zer0min9 closed this Jun 1, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants