heap-use-after-free in magick at dcm.c RelinquishDCMMemory #4446

Closed
fa1lr4in opened this issue Nov 6, 2021 · 5 comments

Comments

@fa1lr4in

fa1lr4in commented Nov 6, 2021

ImageMagick version

7.1.0-14

Operating system

Linux

Operating system, version and so on

OS: Ubuntu 18.04.6 LTS
Version: ImageMagick 7.1.0-14 Q16-HDRI x86_64 2021-10-28 https://imagemagick.org
Copyright: (C) 1999-2021 ImageMagick Studio
Delegates (built-in): fontconfig freetype jng jpeg lzma pangocairo png x xml zlib
Compiler: gcc (4.2)

Description

Hello,
We are currently working on a fuzz testing feature, and we found a heap-use-after-free in magick.

Steps to Reproduce

Build it:
./configure --disable-shared && make && make install

Run it:
./magick convert -adjoin -alpha copy -antialias -append -auto-gamma -auto-level -auto-orient poc /dev/null

Output:

free(): double free detected in tcache 2

When I compile in ASAN mode
./magick convert -adjoin -alpha copy -antialias -append -auto-gamma -auto-level -auto-orient poc /dev/null

=================================================================
==11927==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000580 at pc 0x000000f0f98c bp 0x7ffe3d8a7fd0 sp 0x7ffe3d8a7fc8
READ of size 8 at 0x60f000000580 thread T0
#0 0xf0f98b in RelinquishDCMMemory /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3039:20
#1 0xf08eb8 in ReadDCMImage /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:4002:11
#2 0x65b638 in ReadImage /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:563:15
#3 0x6602d3 in ReadImages /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:955:9
#4 0x15bd745 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:611:18
#5 0x177d150 in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14
#6 0x5f9924 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10
#7 0x5f9924 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10
#8 0x7f35dfd66bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#9 0x549e99 in _start (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x549e99)

0x60f000000580 is located 144 bytes inside of 168-byte region [0x60f0000004f0,0x60f000000598)
freed by thread T0 here:
#0 0x5c4af2 in free (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x5c4af2)
#1 0xf0f82c in RelinquishMagickMemory /root/fuzz/target/imagemagick/ImageMagick/MagickCore/memory.c:1167:3
#2 0xf0f82c in RelinquishDCMMemory /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3043:35
#3 0xf08e0b in ReadDCMImage /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3999:9
#4 0x65b638 in ReadImage /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:563:15
#5 0x6602d3 in ReadImages /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:955:9
#6 0x15bd745 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:611:18
#7 0x177d150 in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14
#8 0x5f9924 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10
#9 0x5f9924 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10
#10 0x7f35dfd66bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
#0 0x5c4d5d in malloc (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x5c4d5d)
#1 0xefb803 in AcquireMagickMemory /root/fuzz/target/imagemagick/ImageMagick/MagickCore/memory.c:558:10
#2 0xefb803 in ReadDCMImage /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3142:33
#3 0x65b638 in ReadImage /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:563:15
#4 0x6602d3 in ReadImages /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:955:9
#5 0x15bd745 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:611:18
#6 0x177d150 in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14
#7 0x5f9924 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10
#8 0x5f9924 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10
#9 0x7f35dfd66bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3039:20 in RelinquishDCMMemory
Shadow bytes around the buggy address:
0x0c1e7fff8060: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1e7fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e7fff8090: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fd fd
0x0c1e7fff80a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e7fff80b0:[fd]fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==11927==ABORTING

Images

poc.zip

@dlemstra
Member

dlemstra commented Nov 6, 2021

Thanks for reporting this. This will be resolved in the next release of ImageMagick.

@bhaskarvilles

How can I compile this in ASAN mode?

@fa1lr4in
Author

How can I compile this in ASAN mode?

You can use the "-fsanitize=address" option to enable it
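To make concrete what the trace in the report shows (ReadDCMImage calling RelinquishDCMMemory twice, at dcm.c:3999 and dcm.c:4002, with the second call reading a block the first one already freed), here is an added C illustration of the defensive pattern that makes a repeated cleanup call harmless. It is my example, not ImageMagick's code and not the project's fix; the ScratchInfo struct and the scratch_acquire, scratch_release and decode names are hypothetical. It also answers the ASAN build question above: compiling with -fsanitize=address -g is all it takes to have the sanitizer flag a double release if the pointer reassignment is removed.

```c
/*
 * Added illustration (not ImageMagick code): a release function that returns
 * NULL, with the caller writing that back into its own pointer, turns a
 * second release on an error path into a no-op instead of the double free /
 * use-after-free that the ASAN report above describes.
 *
 * Build with the sanitizer to see it enforce this:
 *   cc -fsanitize=address -g example.c -o example && ./example
 */
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-read scratch state; the field names are made up. */
typedef struct {
    unsigned char *data;
    size_t length;
} ScratchInfo;

/* Allocate the scratch state and fill it with a constructed byte pattern. */
ScratchInfo *scratch_acquire(size_t length) {
    ScratchInfo *info = malloc(sizeof(*info));
    if (info == NULL)
        return NULL;
    info->data = malloc(length);
    if (info->data == NULL) {
        free(info);
        return NULL;
    }
    for (size_t i = 0; i < length; i++)
        info->data[i] = (unsigned char)(i + 1);
    info->length = length;
    return info;
}

/*
 * Release everything and return NULL. Because the caller stores the return
 * value in its own pointer, a repeated call sees NULL and returns before
 * touching freed memory. A void release that leaves the caller's pointer
 * dangling has no such guard: the second call reads a field of the already
 * freed block (the READ that ASAN flags) and then frees it a second time.
 */
ScratchInfo *scratch_release(ScratchInfo *info) {
    if (info == NULL)
        return NULL;
    free(info->data);
    info->data = NULL;
    free(info);
    return NULL;
}

/*
 * Decoder-shaped control flow: the error branch releases the scratch state
 * early and then falls through to the common cleanup, so on failure
 * scratch_release runs twice, mirroring the two calls in the trace.
 * Returns the sum of the scratch bytes on success and -1 on failure.
 */
long decode(size_t length, int simulate_error) {
    ScratchInfo *info = scratch_acquire(length);
    if (info == NULL)
        return -1;
    long result = 0;
    if (simulate_error) {
        result = -1;
        info = scratch_release(info);   /* early cleanup on the error path */
    } else {
        for (size_t i = 0; i < info->length; i++)
            result += info->data[i];
    }
    info = scratch_release(info);       /* common cleanup: no-op if already released */
    return result;
}

int main(void) {
    printf("success path: %ld\n", decode(4, 0));   /* 10 */
    printf("error path:   %ld\n", decode(4, 1));   /* -1, and no double free */
    return 0;
}
```

Dropping the `info = ` on either call site and rebuilding with -fsanitize=address reproduces the same shape of report as in the issue: a READ inside the release function on a block freed by the previous call, both with ReadDCMImage-style frames above them. The reassignment is cheap, and it makes the cleanup idempotent regardless of how many exit paths later get added.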

@ByteHackr

@fa1lr4in

CVE Assigned: CVE-2021-3962
https://bugzilla.redhat.com/show_bug.cgi?id=2023196

@fa1lr4in
Author

fa1lr4in commented Nov 23, 2021

@fa1lr4in

CVE Assigned: CVE-2021-3962
https://bugzilla.redhat.com/show_bug.cgi?id=2023196

Thank you for your notification!
