Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ImageMagick 7.0.11-14 Memory Leak Vulnerability #3767

Closed
3 tasks done
x00x00x00x00 opened this issue Jun 1, 2021 · 9 comments
Closed
3 tasks done

ImageMagick 7.0.11-14 Memory Leak Vulnerability #3767

x00x00x00x00 opened this issue Jun 1, 2021 · 9 comments

Comments

@x00x00x00x00
Copy link

x00x00x00x00 commented Jun 1, 2021
edited
Loading

Prerequisites

  • I have written a descriptive issue title
  • I have searched open and closed issues to ensure it has not already been reported
  • I have verified that I am using the latest version of ImageMagick

ImageMagick version

7.0.11-14

Operating system

Linux

Operating system, version and so on

Ubuntu 20.04.1 LTS x86_64

Description

Hi Team
Memory leak vulnerability is observed in ImageMagick 7.0.11-14 in AcquireSemaphoreMemory and AcquireMagickMemory

HEAP SUMMARY:
in use at exit: 224 bytes in 4 blocks
total heap usage: 1,840 allocs, 1,836 frees, 2,069,964 bytes allocated

64 bytes in 1 blocks are still reachable in loss record 2 of 4
at 0x483E0F0: memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x483E212: posix_memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x182E6C: AcquireSemaphoreMemory (semaphore.c:154)
by 0x182E6C: AcquireSemaphoreInfo (semaphore.c:200)
by 0x182FB4: ActivateSemaphoreInfo (semaphore.c:105)
by 0x476823: AcquireWandId (wand.c:83)
by 0x45B460: AcquireMagickCLI (wandcli.c:94)
by 0x404734: MagickImageCommand (magick-cli.c:703)
by 0x407BCB: MagickCommandGenesis (mogrify.c:191)
by 0x14652E: MagickMain (magick.c:149)
by 0x565E0B2: (below main) (libc-start.c:308)

64 bytes in 1 blocks are still reachable in loss record 3 of 4
at 0x483E0F0: memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x483E212: posix_memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x182E6C: AcquireSemaphoreMemory (semaphore.c:154)
by 0x182E6C: AcquireSemaphoreInfo (semaphore.c:200)
by 0x18508A: NewSplayTree (splay-tree.c:1159)
by 0x476838: AcquireWandId (wand.c:86)
by 0x45B460: AcquireMagickCLI (wandcli.c:94)
by 0x404734: MagickImageCommand (magick-cli.c:703)
by 0x407BCB: MagickCommandGenesis (mogrify.c:191)
by 0x14652E: MagickMain (magick.c:149)
by 0x565E0B2: (below main) (libc-start.c:308)

88 bytes in 1 blocks are still reachable in loss record 4 of 4
at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x15A91C: AcquireMagickMemory (memory.c:558)
by 0x15A91C: AcquireCriticalMemory (memory.c:634)
by 0x185050: NewSplayTree (splay-tree.c:1148)
by 0x476838: AcquireWandId (wand.c:86)
by 0x45B460: AcquireMagickCLI (wandcli.c:94)
by 0x404734: MagickImageCommand (magick-cli.c:703)
by 0x407BCB: MagickCommandGenesis (mogrify.c:191)
by 0x14652E: MagickMain (magick.c:149)
by 0x565E0B2: (below main) (libc-start.c:308)

8 bytes in 1 blocks are still reachable in loss record 1 of 4
at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x549524C: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
by 0x54A5B9A: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
by 0x5493679: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
by 0x4011B89: call_init.part.0 (dl-init.c:72)
by 0x4011C90: call_init (dl-init.c:30)
by 0x4011C90: _dl_init (dl-init.c:119)
by 0x4001139: ??? (in /usr/lib/x86_64-linux-gnu/ld-2.31.so)
by 0x2: ???
by 0x1FFF0002AA: ???
by 0x1FFF0002B3: ???
by 0x1FFF0002CD: ???

LEAK SUMMARY:
definitely lost: 0 bytes in 0 blocks
indirectly lost: 0 bytes in 0 blocks
possibly lost: 0 bytes in 0 blocks
still reachable: 224 bytes in 4 blocks
suppressed: 0 bytes in 0 blocks

Steps to Reproduce

Step 1: touch lol.png
Step 2: ./magick POC lol.png

Download POC

Output: -----

Error: /undefined in 9
Operand stack:

Execution stack:
%interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push 1990 1 3 %oparray_pop 1989 1 3 %oparray_pop 1977 1 3 %oparray_pop 1833 1 3 %oparray_pop --nostringval-- %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval--
Dictionary stack:
--dict:734/1123(ro)(G)-- --dict:0/20(G)-- --dict:76/200(L)--
Current allocation mode is local
Current file position is 42
GPL Ghostscript 9.50: Unrecoverable error, exit code 1
Error: /undefined in 9
Operand stack:

Execution stack:
%interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push 1990 1 3 %oparray_pop 1989 1 3 %oparray_pop 1977 1 3 %oparray_pop 1833 1 3 %oparray_pop --nostringval-- %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval--
Dictionary stack:
--dict:734/1123(ro)(G)-- --dict:0/20(G)-- --dict:76/200(L)--
Current allocation mode is local
Current file position is 42
GPL Ghostscript 9.50: Unrecoverable error, exit code 1
magick: UnableToOpenConfigureFile delegates.xml' @ warning/configure.c/GetConfigureOptions/702. magick: FailedToExecuteCommand 'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792 '-sOutputFile=/tmp/magick-ONcQKce9diFSZu5z0zZ7zZ85585GAsFR%d' '-f/tmp/magick-3VuKl5XdeVHlc4cJyacxRK5c2a76iFIT' '-f/tmp/magick-2mbiNvl-JBnTKcgiVWGrdbXKUq3UMPQR'' (256) @ error/ghostscript-private.h/ExecuteGhostscriptCommand/74.
magick: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792 '-sOutputFile=/tmp/magick-ONcQKce9diFSZu5z0zZ7zZ85585GAsFR%d' '-f/tmp/magick-3VuKl5XdeVHlc4cJyacxRK5c2a76iFIT' '-f/tmp/magick-2mbiNvl-JBnTKcgiVWGrdbXKUq3UMPQR' -c showpage' (256) @ error/ghostscript-private.h/ExecuteGhostscriptCommand/74.

To analyse and verify the issue use following command with valgrind --

valgrind --leak-check=full --show-leak-kinds=all ./magick POC lol.png

Images

Screenshot_300
Screenshot_299
@urban-warrior
Copy link
Member

urban-warrior commented Jun 2, 2021
edited
Loading

We fix memory leaks when valgrind reports definitely lost bytes. In general, we're not concerned about possibly lost unless you have a PoC that shows that the leak graduates from possibly to definitely by looping the PoC.

@x00x00x00x00
Copy link
Author

x00x00x00x00 commented Jun 2, 2021
edited
Loading

Hi
I have attached detailed POC along with screenshots and steps to reproduce.
Running the command will display the leaked memory

touch lol.png
./magick POC lol.png

POC file can be downloaded through attached link

Although, valgrind reveals definitely lost and possibly lost bytes and blocks as 0
and still reachable 224 bytes in 4 blocks.
Memory leak can be definitely reproduced with the highlighted commands.

Please confirm if you're able to reproduce the issue or if need further assistance.

Regards

@urban-warrior
Copy link
Member

We reproduced the issue before we commented. Again, definitely lost is a high priority and you can expect a fix within 48 hours. Probably lost is a lower priority and we'll fix the issue someday, maybe.

@OS-WS
Copy link

OS-WS commented Jun 27, 2021

Hi,
This issue was assigned with CVE-2021-34183
Was this issue fixed?

@dlemstra
Copy link
Member

As stated before we will fix the issue someday, maybe. And when/if we do that we will update this issue.

@tcullum-rh
Copy link

tcullum-rh commented Jun 30, 2021
edited
Loading

@dlemstra @urban-warrior does ImageMagick team consider this to be a security vulnerability? I'm not clear on the actual attack vector here. Someone submits a empty file to magick-cli, and it eventually exits without freeing memory... How would this be exploited by a bad actor?

@dlemstra
Copy link
Member

We would treat this differently if we would consider this a security vulnerability.

@StayPirate
Copy link

Since this is not a security issue I asked MITRE to review it and in case they agree, they will withdraw CVE-2021-34183.

@tcullum-rh
Copy link

tcullum-rh commented Jun 30, 2021
edited
Loading

Since this is not a security issue I asked MITRE to review it and in case they agree, they will withdraw CVE-2021-34183.

Thanks. I was going to do the same. CVEs are supposed to be for actual vulnerabilities. Memory leaks can be a component of a vulnerability in certain circumstances, but that doesn't mean "hey I found a memory leak, it's automatically an exploitable vuln." I wish the community was more aware of this at times, but better safe than sorry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@dlemstra @urban-warrior @StayPirate @x00x00x00x00 @tcullum-rh @OS-WS