
heap-use-after-free in MagickCore/resize.c and double-free in RelinquishAlignedMemory of MagickCore/memory.c #1589

Closed
SuhwanSong opened this issue Jun 11, 2019 · 11 comments

Comments

@SuhwanSong

SuhwanSong commented Jun 11, 2019

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap-use-after-free (sometimes heap-buffer-overflow) vulnerability in MagickCore/resize.c:2604:28 in .omp_outlined.debug_.69 and a double-free bug in RelinquishAlignedMemory at MagickCore/memory.c:1037:3 with the same input.

Different bugs are triggered on each run, so please run the command several times.

related: #1344

Steps to Reproduce

Run this command:
magick -seed 0 -black-point-compensation -units Undefined "(" magick:granite -opaque "rgb(224,28,104)" -gaussian-blur 2 -strip ")" "(" magick:rose -black-threshold 15 -preview Despeckle ")" -density 3x83 -stretch ExtraCondensed -copy "937x560ls" "-52-59" ""

This is about the heap-use-after-free in .omp_outlined.debug_.69 MagickCore/resize.c:2604:28:

==26215==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800000036c at pc 0x000000efe4dc bp 0x7f637b304e90 sp 0x7f637b304e88
READ of size 4 at 0x62800000036c thread T1
    #0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
    #1 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #2 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7f6383dcd1b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7f6383dcbb20  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
    #5 0x7f6383e0b417  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
    #6 0x7f63864476da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #7 0x7f63838af88e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x62800000036c is located 620 bytes inside of 14400-byte region [0x628000000100,0x628000003940)
freed by thread T2 here:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
    #3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7f6383dcd1b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

previously allocated by thread T1 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb24539 in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0xb0d587 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7f6383dcd1b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

Thread T1 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7f6383e09110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

Thread T2 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7f6383e09110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/resize.c:2604:28 in .omp_outlined._debug__.69

This is about the heap-buffer-overflow in .omp_outlined.debug_.69 MagickCore/resize.c:2604:

==26841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d670 at pc 0x000000efe4dc bp 0x7f78c5104e90 sp 0x7f78c5104e88
READ of size 4 at 0x61d00001d670 thread T1
    #0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
    #1 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #2 0x7f78cdc28452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7f78cdbe21b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7f78cdbe0b20  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
    #5 0x7f78cdc20417  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
    #6 0x7f78d025c6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #7 0x7f78cd6c488e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

Address 0x61d00001d670 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/resize.c:2604:28 in .omp_outlined._debug__.69

This is about the double-free bug in RelinquishAlignedMemory at MagickCore/memory.c:1037:3:

==26601==ERROR: AddressSanitizer: attempting double-free on 0x61d00001fe80 in thread T1:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
    #3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7fed18c701b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #10 0x7fed18c6eb20  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
    #11 0x7fed18cae417  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
    #12 0x7fed1b2ea6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #13 0x7fed1875288e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x61d00001fe80 is located 0 bytes inside of 2240-byte region [0x61d00001fe80,0x61d000020740)
freed by thread T2 here:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
    #3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7fed18c701b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

previously allocated by thread T1 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb24539 in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0xb0d587 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
    #7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
    #8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7fed18c701b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

Thread T1 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7fed18cac110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

Thread T2 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7fed18cac110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

SUMMARY: AddressSanitizer: double-free (install/bin/magick+0x4ef768) in __interceptor_free
==26601==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-10

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information: CC=clang-7 CXX=clang++-7
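The three AddressSanitizer reports above share one input but differ from run to run, and in each of them the block was freed by thread T2 while thread T1 was still using it. The following triage script is an added example, not ImageMagick project code: it parses concatenated sanitizer output (AddressSanitizer and LeakSanitizer), keys each report by bug kind plus the first frame in project source, counts duplicates across repeated runs, and flags reports where the freeing thread differs from the faulting thread, which is the signature of a race between worker threads rather than a plain lifetime bug. It assumes that project frames appear as relative paths such as `MagickCore/resize.c:2604:28` while interceptor and system-library frames show `(binary+0x...)` or absolute paths; the sample input is constructed from trimmed excerpts in the shape of the reports in this issue.

```python
"""Triage helper for AddressSanitizer / LeakSanitizer output (added example, not
ImageMagick code): groups reports from repeated runs by bug kind and first project
frame, and flags blocks freed by a thread other than the one that faulted."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^==\d+==ERROR: (?:Address|Leak)Sanitizer: (.+)$")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+(?:\s+in\s+(\S+))?\s+(\S+)\s*$")
ACCESS_RE = re.compile(r"^(?:READ|WRITE) of size \d+ .* thread (T\d+)$")
FREED_BY_RE = re.compile(r"^freed by thread (T\d+) here:$")
ALLOC_BY_RE = re.compile(r"^previously allocated by thread (T\d+) here:$")
LEAK_RE = re.compile(r"^(?:Direct|Indirect) leak of \d+ byte\(s\)")


@dataclass
class Finding:
    kind: str
    fault_thread: Optional[str] = None
    free_thread: Optional[str] = None
    # stack name ("fault", "freed", "allocated") -> [(function, location)]
    stacks: Dict[str, List[tuple]] = field(default_factory=dict)

    def top_project_frame(self) -> Optional[str]:
        """First faulting-stack frame at a relative source path. Assumption: project
        frames look like 'MagickCore/resize.c:2604:28', interceptors '(bin+0x..)',
        and system libraries absolute paths."""
        for _func, loc in self.stacks.get("fault", []):
            if loc[0] not in "(/":
                return loc
        return None

    def cross_thread_free(self) -> bool:
        """Another thread freed the block: hints at a race, not a plain lifetime bug."""
        return (self.fault_thread is not None and self.free_thread is not None
                and self.fault_thread != self.free_thread)

    def triage_key(self) -> str:
        return f"{self.kind} @ {self.top_project_frame()}"


def _kind(desc: str) -> str:
    # "heap-use-after-free on address ..." -> "heap-use-after-free"
    if desc.startswith("detected memory leaks"):
        return "memory-leak"
    kind = re.split(r"\s+(?:on|at)\s+", desc, maxsplit=1)[0]
    return kind[len("attempting "):] if kind.startswith("attempting ") else kind


def parse_reports(text: str) -> List[Finding]:
    """Split concatenated sanitizer output into one Finding per report."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    stack: Optional[str] = None
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            current = Finding(kind=_kind(m.group(1)))
            if (t := re.search(r" in thread (T\d+):?$", m.group(1))):  # double-free form
                current.fault_thread = t.group(1)
            findings.append(current)
            stack = "fault"
        elif current is None:
            continue
        elif (m := ACCESS_RE.match(line)):
            current.fault_thread, stack = m.group(1), "fault"
        elif (m := FREED_BY_RE.match(line)):
            current.free_thread, stack = m.group(1), "freed"
        elif ALLOC_BY_RE.match(line):
            stack = "allocated"
        elif LEAK_RE.match(line):
            stack = "fault"  # a leak's allocation stack is its only stack
        elif line.startswith("Thread T"):
            stack = None  # thread-creation stacks add nothing to triage
        elif stack and (m := FRAME_RE.match(line)):
            current.stacks.setdefault(stack, []).append((m.group(1), m.group(2)))
    return findings


def triage(text: str) -> Counter:
    return Counter(f.triage_key() for f in parse_reports(text))


# Constructed sample: trimmed excerpts shaped like the reports in this issue,
# with the first report repeated to stand in for a second run of the command.
SAMPLE_REPORTS = """\
==26215==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800000036c at pc 0x000000efe4dc bp 0x7f637b304e90 sp 0x7f637b304e88
READ of size 4 at 0x62800000036c thread T1
    #0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
freed by thread T2 here:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
previously allocated by thread T1 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
==26601==ERROR: AddressSanitizer: attempting double-free on 0x61d00001fe80 in thread T1:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
freed by thread T2 here:
    #0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
==27142==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 36976 byte(s) in 9 object(s) allocated from:
    #0 0x4e5397 in __interceptor_malloc (install/bin/magick+0x4e5397)
    #1 0x7f01aab3e376 in AcquireMagickMemory MagickCore/memory.c:478:10
==26215==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800000036c at pc 0x000000efe4dc bp 0x7f637b304e90 sp 0x7f637b304e88
READ of size 4 at 0x62800000036c thread T1
    #0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
"""

if __name__ == "__main__":
    print(dict(triage(SAMPLE_REPORTS)))
```

Feeding it the saved output of several runs collapses the three reports in this issue to two keys (a use-after-free at resize.c:2604 and a double-free at memory.c:1037), and both carry the cross-thread-free flag, which is what points at the OpenMP worker threads discussed in the replies rather than at the resize arithmetic itself.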

@dlemstra
Member

The issues that you have reported all seem to be related to omp. Maybe you could try upgrading that library to determine if that fixes the issue? I am really wondering if this is an ImageMagick issue.

@SuhwanSong
Author

SuhwanSong commented Jun 11, 2019

> The issues that you have reported all seem to be related to omp. Maybe you could try upgrading that library to determine if that fixes the issue? I am really wondering if this is an ImageMagick issue.

@dlemstra
I ran this command: sudo apt-get install libomp-dev, and libomp-dev 5.0.1-1 (the latest version) is already installed (I also ran apt-get update and upgrade).
Then I recompiled ImageMagick with clang-7 and clang++-7, executed all the commands I reported, and found that there are still vulnerabilities in the program.

@urban-warrior
Contributor

Build ImageMagick as follows:

./configure --disable-openmp
make install

Does that resolve the problem?

@SuhwanSong
Author

SuhwanSong commented Jun 16, 2019

@urban-warrior
I followed your comment, reinstalled it and re-ran the commands.
I got this result from ASAN, and everything I reported still has memory vulnerabilities.

==27142==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 36976 byte(s) in 9 object(s) allocated from:
    #0 0x4e5397 in __interceptor_malloc (install/bin/magick+0x4e5397)
    #1 0x7f01aab3e376 in AcquireMagickMemory MagickCore/memory.c:478:10
    #2 0x7f01aab3e3df in AcquireQuantumMemory MagickCore/memory.c:551:10
    #3 0x7f01aaccee67 in AcquireString MagickCore/string.c:142:24
    #4 0x7f01aaccfa11 in CloneString MagickCore/string.c:300:20
    #5 0x7f01aa9d6e8a in CloneDrawInfo MagickCore/draw.c:310:12
    #6 0x7f01aa82b3db in AnnotateImage MagickCore/annotate.c:267:12
    #7 0x7f01aab4d17a in MontageImageList MagickCore/montage.c:842:22
    #8 0x7f01aab472e1 in MontageImages MagickCore/montage.c:316:17
    #9 0x7f01aaa383c4 in PreviewImage MagickCore/effect.c:2747:17
    #10 0x7f01aa2ad841 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x7f01aa29dc78 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x7f01aa2c3305 in CLIOption MagickWand/operation.c:5270:16
    #13 0x7f01aa104a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x7f01aa105d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x7f01aa14fba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x526f95 in MagickMain utilities/magick.c:149:10
    #17 0x5268e1 in main utilities/magick.c:180:10
    #18 0x7f01a4bc6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: 36976 byte(s) leaked in 9 allocation(s).

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jun 16, 2019
@urban-warrior
Contributor

Can you check your magick-command-line? We're trying to reproduce the problem you reported but a copy/paste of your command returns an exception.

@SuhwanSong
Author

SuhwanSong commented Jun 16, 2019

@urban-warrior
I copied/pasted my command, and the program returns an unrecognized option exception in my case too.
The reason I reported this issue is that it results in a memory leak under ASAN even though the program returns an exception.

Is it impossible for any of the issues I've reported to produce memory bugs?

exception:
magick: unrecognized option -stretch' at CLI arg 23 @ error/operation.c/CLISimpleOperatorImage/3420.

@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Jun 16, 2019
@nohmask

nohmask commented Jul 8, 2019

This was assigned CVE-2019-13301.

@Kirill200889

Hello, NVD says 7.0.8-50 is the vulnerable version, but it seems like 7.0.8-50 is already patched and contains the commit. Can you please clarify what the fixed version is and what the vulnerable versions are? Thanks.

@dlemstra
Member

dlemstra commented Jul 9, 2019

This was fixed in 7.0.8-50. We have seen this happen with a lot of other CVEs. I suspect this is happening because we increase the version number before we do the release.

@jdelta-RBS

Yeah what they're doing is looking at the researcher's "ImageMagick Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-10" and just plugging in 7.0.8-50, rather than verifying the current release.
