
Stack over-read in MagickCore/accelerate.c due to type mismatch #967

Closed
tunz opened this issue Jan 31, 2018 · 2 comments

@tunz commented Jan 31, 2018

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

I found that magick reads a buffer over the buffer size at the following line.

cubicCoefficientsBuffer=CreateOpenCLBuffer(device,CL_MEM_COPY_HOST_PTR |
CL_MEM_READ_ONLY,7*sizeof(*resizeFilterCoefficient),&coefficientBuffer);

The above line reads coefficientBuffer as much as 7*sizeof(*resizeFilterCoefficient), that is 7*8, because resizeFilterCoefficient is declared as a double type; on the other hand, the size of coefficientBuffer is 7*4 because it's a float array.

const double
*resizeFilterCoefficient;
float
coefficientBuffer[7],

I can reproduce this crash only on a 32-bit machine, I'm not sure why. Also, this requires OpenCL support.

Steps to Reproduce

Compile ImageMagick with address sanitizer in 32-bit mode, and use this test.pict to run magick. This crash is triggered when it's zooming, so I added the -resize 200% option.

$ ./build/bin/magick convert test.pict -resize 200% output.png
=================================================================
==38459==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffa58f4c at pc 0x08092d00 bp 0xffa58df8 sp 0xffa589d0
READ of size 56 at 0xffa58f4c thread T0
    #0 0x8092cff in memcpy (/home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/build/bin/magick+0x8092cff)
    #1 0xefa5ad15  (/usr/lib32/libnvidia-opencl.so.1+0xc6d15)
    #2 0xefa5ae36  (/usr/lib32/libnvidia-opencl.so.1+0xc6e36)
    #3 0x81f156c in CreateOpenCLBuffer /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:470:10
    #4 0x8ad64f7 in ComputeResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:4327:27
    #5 0x8ad5d16 in AccelerateResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:4458:17
    #6 0x82efd01 in ResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/resize.c:2920:16
    #7 0x820c761 in RunOpenCLBenchmark /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:1072:18
    #8 0x820c2c4 in RunDeviceBenckmark /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:1109:17
    #9 0x8208b2a in BenchmarkOpenCLDevices /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:1198:7
    #10 0x8200095 in AutoSelectOpenCLDevices /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:996:5
    #11 0x81fa59c in InitializeOpenCL /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:2407:9
    #12 0x8aa6cb1 in getOpenCLEnvironment /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:224:7
    #13 0x8ad5ca6 in AccelerateResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:4454:9
    #14 0x82efd01 in ResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/resize.c:2920:16
    #15 0x9611ff1 in MogrifyImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickWand/mogrify.c:2677:27
    #16 0x971c478 in MogrifyImages /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickWand/mogrify.c:8933:13
    #17 0x9473027 in ConvertImageCommand /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickWand/convert.c:3273:3
    #18 0x95edd7d in MagickCommandGenesis /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickWand/mogrify.c:183:14
    #19 0x81766cd in MagickMain /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/utilities/magick.c:149:10
    #20 0x8175d68 in main /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/utilities/magick.c:180:10
    #21 0xf777c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #22 0x8077a77 in _start (/home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/build/bin/magick+0x8077a77)

Address 0xffa58f4c is located in stack of thread T0 at offset 44 in frame
    #0 0x8ad5ecf in ComputeResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:4266

  This frame has 1 object(s):
    [16, 44) 'coefficientBuffer' (line 4282) <== Memory access at offset 44 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/build/bin/magick+0x8092cff) in memcpy
Shadow bytes around the buggy address:
  0x3ff4b190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff4b1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff4b1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff4b1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff4b1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3ff4b1e0: 00 00 00 00 f1 f1 00 00 00[04]f3 f3 f3 f3 00 00
  0x3ff4b1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff4b200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff4b210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff4b220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff4b230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==38459==ABORTING

System Configuration

  • ImageMagick version: 7.0.7-22 32bit
  • Environment (Operating system, version and so on): Ubuntu 16.04
  • Additional information:

Found by Choongwoo Han and Kyeongseok Yang, Naver Security Team
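Added example, not ImageMagick code and not part of the report above: a small stand-alone C program that reproduces the size arithmetic the issue describes. The reported line sizes the upload by the source element type (`7*sizeof(*resizeFilterCoefficient)`, 56 bytes) while the buffer it hands to the runtime is `float coefficientBuffer[7]` (28 bytes), so the runtime's memcpy reads 28 bytes past the array. `create_host_buffer` is a hypothetical stand-in for `CreateOpenCLBuffer` with `CL_MEM_COPY_HOST_PTR` that copies the requested byte count out of the host pointer, with an added capacity check so the over-read is rejected instead of silently read; `fill_coefficient_buffer` is an assumption about how the double coefficients are narrowed into the float array before upload. The sample coefficients are constructed. Note that `sizeof(double)` and `sizeof(float)` are 8 and 4 on both 32-bit and 64-bit x86, so the 28-byte over-read exists on both; only whether it crashes differs.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COEFFICIENTS 7

/* Hypothetical stand-in for CreateOpenCLBuffer(..., CL_MEM_COPY_HOST_PTR, size, host_ptr).
   A real OpenCL runtime memcpy()s `size` bytes out of host_ptr, which is where the
   sanitizer trace above lands. Here the copy goes into a malloc'd region, and a caller
   that asks for more bytes than the host array holds gets NULL instead of an over-read. */
static void *create_host_buffer(const void *host_ptr, size_t size, size_t host_capacity)
{
  void *dev;

  if (size > host_capacity)
    return NULL;                       /* the 56-vs-28 byte request from the report */
  dev = malloc(size);
  if (dev == NULL)
    return NULL;
  memcpy(dev, host_ptr, size);
  return dev;
}

/* Assumed host-side step: narrow the double filter coefficients into the float
   staging array that is uploaded to the device. */
static void fill_coefficient_buffer(const double *resizeFilterCoefficient,
  float coefficientBuffer[COEFFICIENTS])
{
  size_t i;

  for (i = 0; i < COEFFICIENTS; i++)
    coefficientBuffer[i] = (float) resizeFilterCoefficient[i];
}

/* Byte count the reported line requests: sized by the *source* element type (double). */
size_t buggy_request_bytes(void)
{
  const double *resizeFilterCoefficient = NULL;   /* sizeof does not dereference */

  return COEFFICIENTS*sizeof(*resizeFilterCoefficient);   /* 7*8 = 56 */
}

/* Byte count sized by the array that is actually handed to the runtime. */
size_t fixed_request_bytes(void)
{
  float coefficientBuffer[COEFFICIENTS];

  return sizeof(coefficientBuffer);                        /* 7*4 = 28 */
}

/* Run both variants against a real float[7]. Returns 1 when the buggy request is
   rejected by the capacity check and the correctly sized request succeeds with
   the expected contents, 0 otherwise. */
int demo(void)
{
  /* constructed sample coefficients, not values from any real filter */
  const double coeffs[COEFFICIENTS] = {1.0, 0.5, 0.25, 0.125, 0.0625, 0.03125, 0.015625};
  float coefficientBuffer[COEFFICIENTS];
  void *bad, *good;
  int ok;

  fill_coefficient_buffer(coeffs, coefficientBuffer);
  bad = create_host_buffer(coefficientBuffer, buggy_request_bytes(), sizeof(coefficientBuffer));
  good = create_host_buffer(coefficientBuffer, fixed_request_bytes(), sizeof(coefficientBuffer));
  ok = (bad == NULL) && (good != NULL) && (((float *) good)[6] == 0.015625f);
  free(bad);
  free(good);
  return ok;
}

int main(void)
{
  int ok = demo();

  printf("requested %zu bytes from a %zu-byte float array; mismatch %s\n",
    buggy_request_bytes(), fixed_request_bytes(), ok ? "caught" : "NOT caught");
  return ok ? 0 : 1;
}
```

The general check this illustrates: when a buffer size is passed alongside a pointer to a different array, derive the size from the array being passed (`sizeof(coefficientBuffer)` or `N*sizeof(*coefficientBuffer)`), never from the type of the data it was converted from. Under ASan the original code shows up as a 56-byte READ of a 28-byte stack object, exactly as in the trace above.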

urban-warrior pushed a commit that referenced this issue Feb 11, 2018

Cristy (@urban-warrior), Contributor, commented Feb 11, 2018

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra added a commit that referenced this issue Feb 13, 2018

@dlemstra dlemstra added the bug label Feb 13, 2018

@dlemstra dlemstra closed this Feb 13, 2018

@nohmask commented Feb 15, 2018

This was assigned CVE-2018-6930.
