
heap-use-after-free in MagickCore/resize.c and double-free in RelinquishAlignedMemory of MagickCore/memory.c #1589

Closed
@SuhwanSong


Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap-use-after-free (sometimes heap-buffer-overflow) vulnerability at MagickCore/resize.c:2604:28 in .omp_outlined.debug_.69 and a double-free bug in RelinquishAlignedMemory at MagickCore/memory.c:1037:3, both triggered by the same input.

Different bugs are triggered on each run, so please run the command several times.

related: #1344

Steps to Reproduce

Run this command:
magick -seed 0 -black-point-compensation -units Undefined "(" magick:granite -opaque "rgb(224,28,104)" -gaussian-blur 2 -strip ")" "(" magick:rose -black-threshold 15 -preview Despeckle ")" -density 3x83 -stretch ExtraCondensed -copy "937x560ls" "-52-59" ""

This is about the heap-use-after-free in .omp_outlined.debug_.69 at MagickCore/resize.c:2604:28

==26215==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800000036c at pc 0x000000efe4dc bp 0x7f637b304e90 sp 0x7f637b304e88
READ of size 4 at 0x62800000036c thread T1
    #0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
    #1 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #2 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7f6383dcd1b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7f6383dcbb20  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
    #5 0x7f6383e0b417  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
    #6 0x7f63864476da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #7 0x7f63838af88e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x62800000036c is located 620 bytes inside of 14400-byte region [0x628000000100,0x628000003940)
freed by thread T2 here:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
    #3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7f6383dcd1b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

previously allocated by thread T1 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb24539 in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0xb0d587 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7f6383dcd1b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

Thread T1 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7f6383e09110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

Thread T2 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7f6383e09110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/resize.c:2604:28 in .omp_outlined._debug__.69

This is about the heap-buffer-overflow in .omp_outlined.debug_.69 at MagickCore/resize.c:2604

==26841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d670 at pc 0x000000efe4dc bp 0x7f78c5104e90 sp 0x7f78c5104e88
READ of size 4 at 0x61d00001d670 thread T1
    #0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
    #1 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #2 0x7f78cdc28452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7f78cdbe21b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7f78cdbe0b20  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
    #5 0x7f78cdc20417  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
    #6 0x7f78d025c6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #7 0x7f78cd6c488e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

Address 0x61d00001d670 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/resize.c:2604:28 in .omp_outlined._debug__.69

This is about the double-free bug in RelinquishAlignedMemory at MagickCore/memory.c:1037:3

==26601==ERROR: AddressSanitizer: attempting double-free on 0x61d00001fe80 in thread T1:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
    #3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7fed18c701b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #10 0x7fed18c6eb20  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
    #11 0x7fed18cae417  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
    #12 0x7fed1b2ea6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #13 0x7fed1875288e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x61d00001fe80 is located 0 bytes inside of 2240-byte region [0x61d00001fe80,0x61d000020740)
freed by thread T2 here:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
    #3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7fed18c701b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

previously allocated by thread T1 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb24539 in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0xb0d587 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7fed18c701b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

Thread T1 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7fed18cac110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

Thread T2 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7fed18cac110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

SUMMARY: AddressSanitizer: double-free (install/bin/magick+0x4ef768) in __interceptor_free
==26601==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-10

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information: CC=clang-7 CXX=clang++-7
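The reporter notes that the sanitizer error changes from run to run. Reading the three traces together, the relationship is visible: the nexus pixel buffer is allocated by thread T1, freed by thread T2 from inside the same OpenMP-outlined function in resize.c, and then read by T1, and the free stack of the use-after-free report is the same stack that appears as the faulting stack of the double-free report. The script below is an added example, not part of the issue or of ImageMagick: it parses ASan reports from repeated runs, records which thread allocated, freed and accessed the buffer, flags frees performed by a thread other than the accessing one, and groups reports whose innermost project frames coincide. The `PROJECT` path prefix, the signature depth and the grouping rule are triage choices made here; `SAMPLE_REPORTS` are abridged copies of the traces above, constructed as test input.

```python
import re
from dataclasses import dataclass, field

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?:attempting )?([\w-]+)")
ACCESS_RE = re.compile(r"^(?:READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread (T\d+)")
IN_THREAD_RE = re.compile(r" in thread (T\d+)")   # double-free names its thread on the ERROR line
FREED_RE = re.compile(r"^freed by thread (T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
PROJECT = "MagickCore/"   # assumption: frames under this path belong to the code under test
DEPTH = 2                 # assumption: innermost project frames that form a stack signature

@dataclass
class Report:
    kind: str = ""
    access_thread: str = ""
    free_thread: str = ""
    alloc_thread: str = ""
    stacks: dict = field(default_factory=dict)   # "access" / "free" / "alloc" -> [(func, loc)]

    def cross_thread_free(self):
        # Freed by a thread other than the one still using the buffer: a data race.
        return bool(self.free_thread) and self.free_thread != self.access_thread

    def signature(self, section):
        # function@file of the innermost DEPTH project frames; line numbers dropped so a one-line patch does not split the bucket.
        sig = [f"{func}@{loc.split(':')[0]}" for func, loc in self.stacks.get(section, [])
               if loc.startswith(PROJECT)]
        return tuple(sig[:DEPTH])

def parse_report(text):
    rep, section = Report(), None
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            rep.kind, section = m.group(1), "access"
            rep.stacks[section] = []
            if t := IN_THREAD_RE.search(line):
                rep.access_thread = t.group(1)
        elif m := ACCESS_RE.match(line):
            rep.access_thread = m.group(1)
        elif m := FREED_RE.match(line):
            rep.free_thread, section = m.group(1), "free"
            rep.stacks[section] = []
        elif m := ALLOC_RE.match(line):
            rep.alloc_thread, section = m.group(1), "alloc"
            rep.stacks[section] = []
        elif line.startswith(("Thread T", "SUMMARY:")):
            section = None                      # thread-creation stacks are noise here
        elif section and (m := FRAME_RE.match(line)):
            rep.stacks[section].append((m.group(1), m.group(2)))
    return rep

def group_related(reports):
    # Union-find: reports are related when any two stack signatures coincide, e.g. the
    # free stack of the use-after-free equalling the faulting stack of the double free.
    parent = list(range(len(reports)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    seen = {}
    for i, rep in enumerate(reports):
        for section in rep.stacks:
            if sig := rep.signature(section):
                parent[find(i)] = find(seen.setdefault(sig, i))
    groups = {}
    for i in range(len(reports)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())

# Constructed input: the three traces from this issue, abridged to the frames that matter.
SAMPLE_REPORTS = [
    """==26215==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800000036c
READ of size 4 at 0x62800000036c thread T1
    #0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
freed by thread T2 here:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
previously allocated by thread T1 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/resize.c:2604:28 in .omp_outlined._debug__.69
""",
    """==26841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d670
READ of size 4 at 0x61d00001d670 thread T1
    #0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
""",
    """==26601==ERROR: AddressSanitizer: attempting double-free on 0x61d00001fe80 in thread T1:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
freed by thread T2 here:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
""",
]
```

Run over the three samples, `group_related` places all of them in one bucket, and `cross_thread_free()` is true for the use-after-free and the double-free, which is the detail to lead with when reporting an OpenMP pixel-cache bug: a reproduction that only appears with more than one thread points at shared cache-view state rather than at a straight-line lifetime mistake. The heap-buffer-overflow on a "wild pointer" carries no free stack, so it is linked only through the faulting frame in resize.c.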
