Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CPU and Memory exhaustion #908

Closed
henices opened this issue Dec 22, 2017 · 2 comments
Closed

CPU and Memory exhaustion #908

henices opened this issue Dec 22, 2017 · 2 comments
Labels
bug

Comments

@henices
Copy link
Contributor

henices commented Dec 22, 2017
edited
Loading

INFO

Hello all.
We found a denial of service (DoS) issue in ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22 , which can cause huge CPU and Memory consumption. (CPU 100%, Memory 100%)

magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib

The policy.xml is as following

<policymap>
  <policy domain="resource" name="temporary-path" value="/tmp"/>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area" value="16KP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="system" name="precision" value="6"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="filter" rights="none" pattern="*" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />  
  <policy domain="path" rights="none" pattern="@*"/>  
</policymap>

Trigger Command: magick convert ./cpu-memory-exhaustion-mng /dev/null

Be careful, please monitor the memory percentage, I had to reboot my computer a few minutes ago.

Debug

When debug we found the program is always in a while loop coders/png.c:7408

(gdb) b coders/png.c:7408                      
No source file named coders/png.c.             
Make breakpoint pending on future shared library load? (y or [n]) y                            
Breakpoint 1 (coders/png.c:7408) pending.      
(gdb) r                                        
Starting program: /usr/local/bin/magick convert timeout-id:000016,src:004300,op:havoc,rep:4 /dev/null                                                                                         
                                     
[Thread debugging using libthread_db enabled]  
Using host libthread_db library "/lib64/libthread_db.so.1".                                    

Breakpoint 1, ReadOneMNGImage (mng_info=0x62a000000200, image_info=0x62700000a900, exception=0x606000001040) at coders/png.c:7408                                                             
7408      } while (LocaleCompare(image_info->magick,"MNG") == 0);                              
     
(gdb) c                                        
Continuing.                                    

Breakpoint 1, ReadOneMNGImage (mng_info=0x62a000000200, image_info=0x62700000a900, exception=0x606000001040) at coders/png.c:7408                                                             
7408      } while (LocaleCompare(image_info->magick,"MNG") == 0);    

(gdb) c
Continuing.

Breakpoint 1, ReadOneMNGImage (mng_info=0x62a000000200, image_info=0x62700000a900, exception=0x606000001040) at coders/png.c:7408
7408      } while (LocaleCompare(image_info->magick,"MNG") == 0);

(gdb) 
Continuing.

Breakpoint 1, ReadOneMNGImage (mng_info=0x62a000000200, image_info=0x62700000a900, exception=0x606000001040) at coders/png.c:7408
7408      } while (LocaleCompare(image_info->magick,"MNG") == 0);

(gdb) c 10
Will ignore next 9 crossings of breakpoint 1.  Continuing.

Breakpoint 1, ReadOneMNGImage (mng_info=0x62a000000200, image_info=0x62700000a900, exception=0x606000001040) at coders/png.c:7408
7408      } while (LocaleCompare(image_info->magick,"MNG") == 0);

(gdb) c 20
Will ignore next 19 crossings of breakpoint 1.  Continuing.

Breakpoint 1, ReadOneMNGImage (mng_info=0x62a000000200, image_info=0x62700000a900, exception=0x606000001040) at coders/png.c:7408
7408      } while (LocaleCompare(image_info->magick,"MNG") == 0);
                          
(gdb) c 10000000
Will ignore next 9999999 crossings of breakpoint 1.  Continuing.

testcase: https://github.com/henices/pocs/raw/master/cpu-memory-exhaustion-mng

Credit: Nsfocus Security Team
urban-warrior pushed a commit that referenced this issue Dec 22, 2017
https://github.com/ImageMagick/ImageMagick/issues/908
650ec57
urban-warrior pushed a commit that referenced this issue Dec 22, 2017
https://github.com/ImageMagick/ImageMagick/issues/908
42781ee
@urban-warrior
Copy link
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@henices henices closed this as completed Dec 22, 2017
@dlemstra dlemstra added the bug label Dec 22, 2017
@nohmask
Copy link

nohmask commented Jan 5, 2018

This was assigned CVE-2017-17914.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

No branches or pull requests
4 participants
@henices @dlemstra @nohmask @urban-warrior