heap-use-after-free in MngInfoDiscardObject #918

Closed
henices opened this Issue Dec 26, 2017 · 2 comments

henices commented Dec 26, 2017

INFO

Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-25 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png tiff webp wmf x xml zlib

Trigger Command: /usr/local/bin/magick identify -verbose use-after-free-ReadMNGImage

ASAN OUTPUT

=================================================================
==32000==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a0000042f9 at pc 0x7fd0115ea851 bp 0x7fffa15ca970 sp 0x7fffa15ca968
READ of size 1 at 0x62a0000042f9 thread T0
    #0 0x7fd0115ea850 in MngInfoDiscardObject /home/henices/tests/ImageMagick/coders/png.c:1565:7
    #1 0x7fd0115e8cfa in MngInfoFreeStruct /home/henices/tests/ImageMagick/coders/png.c:1605:5
    #2 0x7fd01158a5e8 in ReadMNGImage /home/henices/tests/ImageMagick/coders/png.c:7702:12
    #3 0x7fd0102b6fea in ReadImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:497:13
    #4 0x7fd0102bee17 in ReadImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:866:9
    #5 0x7fd00e8eb24a in IdentifyImageCommand /home/henices/tests/ImageMagick/MagickWand/identify.c:321:18
    #6 0x7fd00eae09a5 in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #7 0x50a313 in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #8 0x5096b1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #9 0x7fd007e7a009 in __libc_start_main /usr/src/debug/glibc-2.26-107-g73a9236361/csu/../csu/libc-start.c:308
    #10 0x41a1a9 in _start (/usr/local/bin/magick+0x41a1a9)

0x62a0000042f9 is located 16633 bytes inside of 20688-byte region [0x62a000000200,0x62a0000052d0)
freed by thread T0 here:
    #0 0x4cf638 in __interceptor_free.localalias.0 (/usr/local/bin/magick+0x4cf638)
    #1 0x7fd0107d0e15 in RelinquishMagickMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:1043:3
    #2 0x7fd0115e8ef7 in MngInfoFreeStruct /home/henices/tests/ImageMagick/coders/png.c:1610:22
    #3 0x7fd0115bc158 in ReadOneMNGImage /home/henices/tests/ImageMagick/coders/png.c:5613:26
    #4 0x7fd01158a5db in ReadMNGImage /home/henices/tests/ImageMagick/coders/png.c:7701:9
    #5 0x7fd0102b6fea in ReadImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:497:13
    #6 0x7fd0102bee17 in ReadImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:866:9
    #7 0x7fd00e8eb24a in IdentifyImageCommand /home/henices/tests/ImageMagick/MagickWand/identify.c:321:18
    #8 0x7fd00eae09a5 in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #9 0x50a313 in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #10 0x5096b1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #11 0x7fd007e7a009 in __libc_start_main /usr/src/debug/glibc-2.26-107-g73a9236361/csu/../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x4cf7f0 in __interceptor_malloc (/usr/local/bin/magick+0x4cf7f0)
    #1 0x7fd0107cd586 in AcquireMagickMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:464:10
    #2 0x7fd01158a3d1 in ReadMNGImage /home/henices/tests/ImageMagick/coders/png.c:7692:24
    #3 0x7fd0102b6fea in ReadImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:497:13
    #4 0x7fd0102bee17 in ReadImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:866:9
    #5 0x7fd00e8eb24a in IdentifyImageCommand /home/henices/tests/ImageMagick/MagickWand/identify.c:321:18
    #6 0x7fd00eae09a5 in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #7 0x50a313 in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #8 0x5096b1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #9 0x7fd007e7a009 in __libc_start_main /usr/src/debug/glibc-2.26-107-g73a9236361/csu/../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/henices/tests/ImageMagick/coders/png.c:1565:7 in MngInfoDiscardObject
Shadow bytes around the buggy address:
  0x0c547fff8800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c547fff8810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c547fff8820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c547fff8830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c547fff8840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c547fff8850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c547fff8860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c547fff8870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c547fff8880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c547fff8890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c547fff88a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32000==ABORTING

testcase: https://github.com/henices/pocs/raw/master/use-after-free-ReadMNGImage

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
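The ASan report above shows one mng_info allocation (made in ReadMNGImage, png.c:7692) being released by MngInfoFreeStruct when called from ReadOneMNGImage (png.c:5613), and then touched again by MngInfoFreeStruct when ReadMNGImage calls it a second time (png.c:7702), so the read in MngInfoDiscardObject lands in freed memory. The helper below is an added triage example, not the reporter's code and not part of ImageMagick: it parses an AddressSanitizer report into its access, "freed by" and "previously allocated by" stacks and flags exactly that overlap, a teardown function that is still on both the use and the free stack once the callers they share are dropped. The embedded sample is the report above trimmed to the relevant frames; the function and class names are this example's own.

```python
"""Triage helper for AddressSanitizer reports (added example; not ImageMagick code).
Splits a report into its three stacks and looks for the double-cleanup signature
seen above: the same teardown function on both the use and the free stack."""
import re
from dataclasses import dataclass

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+)(?: (?P<loc>\S+))?")
SOURCE_RE = re.compile(r"(?P<file>[^:()]+):(?P<line>\d+)")  # "path/png.c:1565:7"; "(bin+0x..)" offsets do not match

@dataclass(frozen=True)
class Frame:
    func: str
    file: str   # source basename, "" when ASan only had a module offset
    line: int   # 0 when unknown

@dataclass
class AsanReport:
    kind: str
    address: str
    op: str
    size: int
    use_stack: list    # innermost frame first, as ASan prints them
    free_stack: list
    alloc_stack: list

def _frame(m):
    src = SOURCE_RE.match(m.group("loc") or "")
    if src:
        return Frame(m.group("func"), src.group("file").rsplit("/", 1)[-1], int(src.group("line")))
    return Frame(m.group("func"), "", 0)

def parse_asan_report(text):
    kind = address = op = None
    size = 0
    stacks = {"use": [], "free": [], "alloc": []}
    current = None
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            kind, address, current = m.group("kind"), m.group("addr"), "use"  # frames after the header are the bad access
        elif m := ACCESS_RE.match(line):
            op, size = m.group("op"), int(m.group("size"))
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif line.startswith("SUMMARY:"):
            current = None
        elif current and (m := FRAME_RE.match(line)):
            stacks[current].append(_frame(m))
    if kind is None or op is None:
        raise ValueError("not an AddressSanitizer access report")
    return AsanReport(kind, address, op, size, stacks["use"], stacks["free"], stacks["alloc"])

def double_cleanup_indicator(report):
    """Walk use and free stacks from the outermost frame inward, skip the callers they share,
    and return the teardown functions still on both sides plus the caller where the paths fork."""
    use = [f for f in reversed(report.use_stack) if f.file]    # frames without source are runtime/libc noise
    free = [f for f in reversed(report.free_stack) if f.file]
    n = 0
    while n < len(use) and n < len(free) and use[n].func == free[n].func:
        n += 1
    shared = sorted({f.func for f in use[n:]} & {f.func for f in free[n:]})
    if n == 0 or not shared:
        return None
    return {"fork": use[n - 1].func, "shared": shared}

# Constructed sample: the report from this issue, trimmed to the frames that matter.
SAMPLE_REPORT = """\
==32000==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a0000042f9 at pc 0x7fd0115ea851 bp 0x7fffa15ca970 sp 0x7fffa15ca968
READ of size 1 at 0x62a0000042f9 thread T0
    #0 0x7fd0115ea850 in MngInfoDiscardObject /home/henices/tests/ImageMagick/coders/png.c:1565:7
    #1 0x7fd0115e8cfa in MngInfoFreeStruct /home/henices/tests/ImageMagick/coders/png.c:1605:5
    #2 0x7fd01158a5e8 in ReadMNGImage /home/henices/tests/ImageMagick/coders/png.c:7702:12
    #3 0x7fd0102b6fea in ReadImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:497:13

freed by thread T0 here:
    #0 0x4cf638 in __interceptor_free.localalias.0 (/usr/local/bin/magick+0x4cf638)
    #1 0x7fd0107d0e15 in RelinquishMagickMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:1043:3
    #2 0x7fd0115e8ef7 in MngInfoFreeStruct /home/henices/tests/ImageMagick/coders/png.c:1610:22
    #3 0x7fd0115bc158 in ReadOneMNGImage /home/henices/tests/ImageMagick/coders/png.c:5613:26
    #4 0x7fd01158a5db in ReadMNGImage /home/henices/tests/ImageMagick/coders/png.c:7701:9
    #5 0x7fd0102b6fea in ReadImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:497:13

previously allocated by thread T0 here:
    #0 0x4cf7f0 in __interceptor_malloc (/usr/local/bin/magick+0x4cf7f0)
    #1 0x7fd0107cd586 in AcquireMagickMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:464:10
    #2 0x7fd01158a3d1 in ReadMNGImage /home/henices/tests/ImageMagick/coders/png.c:7692:24

SUMMARY: AddressSanitizer: heap-use-after-free /home/henices/tests/ImageMagick/coders/png.c:1565:7 in MngInfoDiscardObject
"""

if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    top = r.use_stack[0]
    print(f"{r.kind}: {r.op} of {r.size} byte(s) at {r.address} in {top.func} ({top.file}:{top.line})")
    print("double-cleanup indicator:", double_cleanup_indicator(r))
```

Run on the sample, the indicator reports the fork at ReadMNGImage with MngInfoFreeStruct shared by both paths, which is the first thing to check in a heap-use-after-free triage: whether one cleanup routine ran twice for the same allocation rather than the memory being reused by unrelated code. The "fork" caller is where to look for ownership handling when reading the fix.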

urban-warrior pushed a commit that referenced this issue Dec 26, 2017

Cristy

urban-warrior commented Dec 26, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@henices henices closed this Dec 26, 2017

@dlemstra dlemstra added the bug label Dec 26, 2017

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jan 8, 2018

he
Updated ImageMagick to 7.0.7.21.
2018-01-06  7.0.7-21 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.0-21, GIT revision 22168:a91afc45b:20180106.

2018-01-06  7.0.7-21 Dirk Lemstra <dirk@lem.....org>
  * Fix some enum values in the OpenCL code.

2018-01-06  7.0.7-20 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-20, GIT revision 22161:33a04d3e5:20180105.

2018-01-05  7.0.7-20 Cristy  <quetzlzacatenango@image...>
  * Fixed numerous memory leaks (reference
    https://github.com/ImageMagick/ImageMagick/issues).

2018-01-01  7.0.7-19 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-19, GIT revision 22133:977fe08bf:20180101.

2017-12-29  7.0.7-19 Cristy  <quetzlzacatenango@image...>
  * Check for webpmux library version 0.4.4 (reference
    ImageMagick/ImageMagick#896).

2017-12-26  7.0.7-18 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-18, GIT revision 22096:ad4bdeb40:20171228.

2017-12-28  7.0.7-18 Cristy  <quetzlzacatenango@image...>
  * Fix error reading from pipe under Windows (reference
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=33288).

2017-12-26  7.0.7-17 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-17, GIT revision 22093:9caea323b:20171227.

2017-12-26  7.0.7-17 Cristy  <quetzlzacatenango@image...>
  * Fix heap use after free error (reference
    ImageMagick/ImageMagick#918).

2017-12-24  7.0.7-16 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-16, GIT revision 22038:e55dc7626:20171225.

2017-12-18  7.0.7-16 Cristy  <quetzlzacatenango@image...>
  * Fix error reading multi-layer XCF image file.
  * Fix possible stack overflow in WEBP reader (reference
    ImageMagick/ImageMagick#907)
  * Fixed numerous memory leaks (reference
    https://github.com/ImageMagick/ImageMagick/issues).

2017-12-16  7.0.7-15 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-15, GIT revision 21924:30cb31746:20171216.

2017-12-08  7.0.7-15 Cristy  <quetzlzacatenango@image...>
  * Overall standard deviation is the average of each pixel channel (reference
    https://www.imagemagick.org/discourse-server/viewforum.php?f=3).
  * Update to the latest ImageMagick documentation.

2017-12-05  7.0.7-14 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-14, GIT revision 21855:dc73b2aba:20171205.

2017-11-30  7.0.7-14 Cristy  <quetzlzacatenango@image...>
  * Support Stereo composite operator.
  * Fix build failure with --without-modules (reference
    ImageMagick/ImageMagick#890).

2017-11-30  7.0.7-13 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-13, GIT revision 21823:72cb0fd0c:20171130.

2017-11-30  7.0.7-13 Cristy  <quetzlzacatenango@image...>
  * Fix build failure with libraw 0.14.8 (reference
    ImageMagick/ImageMagick#888).

2017-11-29  7.0.7-12 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-12, GIT revision 21814:5ef2c5a67:20171129.

2017-11-12  7.0.7-12 Cristy  <quetzlzacatenango@image...>
  * The -tint option no longer munges the alpha channel (reference
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=33070).
  * Don't delete in-memory blob when reading an image (reference
    ImageMagick/ImageMagick#886).
  * Support HDRI color profile management.
nohmask commented May 21, 2018

This was assigned CVE-2017-18272.
