segmentation fault to al_load_bitmap #1251

Closed
NigelX opened this issue Jun 8, 2021 · 10 comments · Fixed by #1253
Comments

NigelX commented Jun 8, 2021

Hi,
I found an error while learning the example.
System info:
Ubuntu 20.02 LTS
clang 11
commit: 03ab10df438860c7c17cf427e3282027d913d93f

$ ./ex_bitmap crash

crash.zip

gdb info:

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xff82ff82ff82ff82 
RBX: 0x0 
RCX: 0x15d5 
RDX: 0x1 
RSI: 0x7fffffffdc7f --> 0x10ff 
RDI: 0x61de50 --> 0xff82ff82ff82ff82 
RBP: 0x61ddf0 --> 0xff82ff8200000000 
RSP: 0x7fffffffdc70 --> 0x61f8b0 --> 0x0 
RIP: 0x7ffff7e70fda (<al_fgetc+170>:	call   QWORD PTR [rax+0x10])
R8 : 0x7d ('}')
R9 : 0x61ddf0 --> 0xff82ff8200000000 
R10: 0x0 
R11: 0x7ffff766cbe0 --> 0x620270 --> 0x0 
R12: 0x61de50 --> 0xff82ff82ff82ff82 
R13: 0x40a180 --> 0x40a210 --> 0x100000102000100 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7e70fd0 <al_fgetc+160>:	mov    edx,0x1
   0x7ffff7e70fd5 <al_fgetc+165>:	xor    ebx,ebx
   0x7ffff7e70fd7 <al_fgetc+167>:	mov    rax,QWORD PTR [rdi]
=> 0x7ffff7e70fda <al_fgetc+170>:	call   QWORD PTR [rax+0x10]
   0x7ffff7e70fdd <al_fgetc+173>:	add    rax,rbx
   0x7ffff7e70fe0 <al_fgetc+176>:	cmp    rax,0x1
   0x7ffff7e70fe4 <al_fgetc+180>:	movzx  ecx,BYTE PTR [rsp+0xf]
   0x7ffff7e70fe9 <al_fgetc+185>:	mov    eax,0xffffffff
Guessed arguments:
arg[0]: 0x61de50 --> 0xff82ff82ff82ff82 
arg[1]: 0x7fffffffdc7f --> 0x10ff 
arg[2]: 0x1 
arg[3]: 0x15d5 
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdc70 --> 0x61f8b0 --> 0x0 
0008| 0x7fffffffdc78 --> 0xff82000000000002 
0016| 0x7fffffffdc80 --> 0x10 
0024| 0x7fffffffdc88 --> 0x7ffff7fb98e8 (<_al_load_tga_f+3784>:	mov    ebx,eax)
0032| 0x7fffffffdc90 --> 0x7fff00100958 
0040| 0x7fffffffdc98 --> 0x61ddf0 --> 0xff82ff8200000000 
0048| 0x7fffffffdca0 --> 0xf0040a180 
0056| 0x7fffffffdca8 --> 0x10 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7e70fda in al_fread (f=0x61de50, ptr=0x7fffffffdc7f, size=<optimized out>) at /home/hh/Downloads/allegro5/src/file.c:116
116	      return bytes_ungetc + f->vtable->fi_fread(f, cptr, size);
#0  0x00007ffff7e70fda in al_fread (f=0x61de50, ptr=0x7fffffffdc7f, size=<optimized out>) at /home/hh/Downloads/allegro5/src/file.c:116
#1  al_fgetc (f=f@entry=0x61de50) at /home/hh/Downloads/allegro5/src/file.c:229
#2  0x00007ffff7fb98e8 in rle_tga_read16 (b=0x61ddf0, w=<optimized out>, f=<optimized out>) at /home/hh/Downloads/allegro5/addons/image/tga.c:212
#3  _al_load_tga_f (f=f@entry=0x61de50, flags=flags@entry=0x0) at /home/hh/Downloads/allegro5/addons/image/tga.c:467
#4  0x00007ffff7fba51f in _al_load_tga (filename=0x7fffffffe595 "crash", 
    flags=0x0) at /home/hh/Downloads/allegro5/addons/image/tga.c:565
#5  0x00007ffff7e22753 in al_load_bitmap_flags (
    filename=filename@entry=0x7fffffffe595 "crash", flags=0xffffdc7f)
    at /home/hh/Downloads/allegro5/src/bitmap_io.c:207
#6  0x00007ffff7e22622 in al_load_bitmap (
    filename=filename@entry=0x7fffffffe595 "crash")
    at /home/hh/Downloads/allegro5/src/bitmap_io.c:184
#7  0x0000000000403688 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe2d8) at /home/hh/Downloads/allegro5/examples/ex_bitmap.c:77
#8  0x00007ffff74a80b3 in __libc_start_main (main=0x4035a0 <main>, argc=0x2, argv=0x7fffffffe2d8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:308
#9  0x00000000004032fe in _start ()
pedro-w (Contributor) commented Jun 8, 2021

What is that file crash? Is it supposed to be an image, or is it just random data? (Are you expecting Allegro to be able to open it?)

NigelX (Author) commented Jun 8, 2021

Refer to CVSS3.0 Denial of Service

pedro-w (Contributor) commented Jun 8, 2021

Still, it is useful to include "Expected behavior" in the bug report.

AFAICS the file crash is a (corrupt) TGA file, hence we should be looking at the tga loader.

Ran this with -fsanitize=address, looks interesting:

=================================================================
==24770==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000176a0 at pc 0x7ffff71cbf9f bp 0x7fffffffd820 sp 0x7fffffffd818
WRITE of size 2 at 0x6030000176a0 thread T0
    #0 0x7ffff71cbf9e in raw_tga_read16 /home/peter/Projects/allegro5/addons/image/tga.c:197
    #1 0x7ffff71cc088 in rle_tga_read16 /home/peter/Projects/allegro5/addons/image/tga.c:225
    #2 0x7ffff71cd846 in _al_load_tga_f /home/peter/Projects/allegro5/addons/image/tga.c:467
    #3 0x7ffff71ce4fd in _al_load_tga /home/peter/Projects/allegro5/addons/image/tga.c:565
    #4 0x7ffff6e181b7 in al_load_bitmap_flags /home/peter/Projects/allegro5/src/bitmap_io.c:207
    #5 0x7ffff6e180bb in al_load_bitmap /home/peter/Projects/allegro5/src/bitmap_io.c:184
    #6 0x555555556850 in main /home/peter/Projects/allegro5/examples/ex_bitmap.c:76
    #7 0x7ffff581009a in __libc_start_main ../csu/libc-start.c:308
    #8 0x5555555562e9 in _start (/home/peter/Projects/allegro5/build/examples/ex_bitmap+0x22e9)

0x6030000176a0 is located 0 bytes to the right of 32-byte region [0x603000017680,0x6030000176a0)
allocated by thread T0 here:
    #0 0x7ffff72d1330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7ffff6e7eaf3 in al_malloc_with_context /home/peter/Projects/allegro5/src/memory.c:44
    #2 0x7ffff71ccb9a in _al_load_tga_f /home/peter/Projects/allegro5/addons/image/tga.c:377
    #3 0x7ffff71ce4fd in _al_load_tga /home/peter/Projects/allegro5/addons/image/tga.c:565
    #4 0x7ffff6e181b7 in al_load_bitmap_flags /home/peter/Projects/allegro5/src/bitmap_io.c:207
    #5 0x7ffff6e180bb in al_load_bitmap /home/peter/Projects/allegro5/src/bitmap_io.c:184
    #6 0x555555556850 in main /home/peter/Projects/allegro5/examples/ex_bitmap.c:76
    #7 0x7ffff581009a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/peter/Projects/allegro5/addons/image/tga.c:197 in raw_tga_read16
Shadow bytes around the buggy address:
  0x0c067fffae80: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c067fffae90: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fffaea0: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffaeb0: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
  0x0c067fffaec0: fd fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
=>0x0c067fffaed0: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24770==ABORTING
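
The ASan report above is a 2-byte WRITE landing exactly at the end of a 32-byte heap region, reached from the RLE path of the 16-bit TGA reader. The example below is an added illustration of that bug class, written for this page; it is not Allegro's tga.c and the function names, buffer sizes and packet streams are all constructed here. It uses the TGA RLE packet layout (a header byte whose high bit selects a run-length packet or a raw packet, with count = (header & 0x7f) + 1) and shows a decoder that trusts the packet count beside one that rejects any packet that would run past the row or past the end of the input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative decoder for one row of 16-bit TGA pixels (constructed for
 * this page, not Allegro's code). TGA RLE packets: header byte, high bit
 * set = run-length packet (one 2-byte pixel repeated count times), clear =
 * raw packet (count literal 2-byte pixels); count = (header & 0x7f) + 1. */

/* Unchecked variant: the packet count is trusted, so a count larger than
 * the pixels remaining in the row keeps writing past the end of dst.
 * Returns the number of source bytes consumed. */
size_t rle16_decode_unchecked(const uint8_t *src, size_t srclen,
                              uint16_t *dst, size_t w)
{
    size_t si = 0, di = 0;
    while (di < w && si < srclen) {
        uint8_t hdr = src[si++];
        size_t count = (size_t)(hdr & 0x7f) + 1;
        if (hdr & 0x80) {
            if (si + 2 > srclen) break;
            uint16_t px = (uint16_t)(src[si] | (src[si + 1] << 8));
            si += 2;
            for (size_t k = 0; k < count; k++)   /* no check against w - di */
                dst[di++] = px;
        } else {
            for (size_t k = 0; k < count && si + 2 <= srclen; k++) {
                dst[di++] = (uint16_t)(src[si] | (src[si + 1] << 8));
                si += 2;
            }
        }
    }
    return si;
}

/* Checked variant: reject any packet whose count exceeds the pixels left
 * in the row, or whose payload is not fully present in src. Returns 0 on
 * success and -1 on malformed input; a caller treats -1 as "unloadable"
 * and frees the bitmap rather than using a partially written row. */
int rle16_decode_checked(const uint8_t *src, size_t srclen,
                         uint16_t *dst, size_t w)
{
    size_t si = 0, di = 0;
    while (di < w) {
        if (si >= srclen) return -1;                 /* truncated stream */
        uint8_t hdr = src[si++];
        size_t count = (size_t)(hdr & 0x7f) + 1;
        if (count > w - di) return -1;               /* would overflow row */
        if (hdr & 0x80) {
            if (srclen - si < 2) return -1;
            uint16_t px = (uint16_t)(src[si] | (src[si + 1] << 8));
            si += 2;
            for (size_t k = 0; k < count; k++) dst[di++] = px;
        } else {
            if (srclen - si < count * 2) return -1;
            for (size_t k = 0; k < count; k++) {
                dst[di++] = (uint16_t)(src[si] | (src[si + 1] << 8));
                si += 2;
            }
        }
    }
    return 0;
}

/* Constructed packet streams (not the crash file from this issue). */
/* Well-formed, width 4: run of 3 x 0x1234, then one raw pixel 0xabcd. */
static const uint8_t GOOD_ROW[] = { 0x82, 0x34, 0x12, 0x00, 0xcd, 0xab };
/* Malformed, width 4: a run of 6 pixels, i.e. 2 pixels past the row end. */
static const uint8_t BAD_ROW[]  = { 0x85, 0x34, 0x12 };

#define CANARY 0xDEADu
#define SLACK  16

/* Decode with the unchecked decoder into a row followed by canary pixels
 * and report how many canaries were clobbered (0 means no overflow). */
size_t overflow_pixels_unchecked(const uint8_t *src, size_t srclen, size_t w)
{
    uint16_t buf[SLACK];
    if (w > SLACK) return 0;
    for (size_t i = 0; i < SLACK; i++) buf[i] = CANARY;
    rle16_decode_unchecked(src, srclen, buf, w);
    size_t clobbered = 0;
    for (size_t i = w; i < SLACK; i++) if (buf[i] != CANARY) clobbered++;
    return clobbered;
}

/* Decode with the checked decoder and return pixel i of the row, or -1 if
 * the stream is malformed or i is out of range. */
int checked_pixel(const uint8_t *src, size_t srclen, size_t w, size_t i)
{
    uint16_t buf[SLACK];
    if (w > SLACK || i >= w) return -1;
    if (rle16_decode_checked(src, srclen, buf, w) != 0) return -1;
    return buf[i];
}

int main(void)
{
    printf("unchecked, good row: %zu pixels overflowed\n",
           overflow_pixels_unchecked(GOOD_ROW, sizeof GOOD_ROW, 4));
    printf("unchecked, bad row:  %zu pixels overflowed\n",
           overflow_pixels_unchecked(BAD_ROW, sizeof BAD_ROW, 4));
    printf("checked, good row:   pixel0=0x%04x pixel3=0x%04x\n",
           checked_pixel(GOOD_ROW, sizeof GOOD_ROW, 4, 0),
           checked_pixel(GOOD_ROW, sizeof GOOD_ROW, 4, 3));
    printf("checked, bad row:    %d (rejected)\n",
           checked_pixel(BAD_ROW, sizeof BAD_ROW, 4, 0));
    return 0;
}
```

The canary buffer is only there so the unchecked decoder's overrun can be observed without undefined behaviour; if you instead malloc exactly w pixels for the row and build with -fsanitize=address, as in the report above, ASan flags the same 2-byte WRITE just past the allocation. The check that matters is `count > w - di`, evaluated before any pixel is written; clamping the count instead of rejecting the packet would silently accept a corrupt file.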

pedro-w (Contributor) commented Jun 9, 2021

Just to be clear: the PR above will make al_load_bitmap return NULL, as it would for any un-loadable bitmap. I assume, unless @NigelX tells me otherwise, that the provided file crash is not a valid bitmap.

NigelX (Author) commented Jun 11, 2021

Hi, @pedro-w
I sent other samples via email to allegro-security@lists.liballeg.org, but no response was received.

pedro-w (Contributor) commented Jun 11, 2021

Alright. I don't have access to that list, so I can't comment. Maybe @allefant does have access?

SiegeLord (Member) commented

@pedro-w If you send me your email (e.g. by sending it to that list), I can add you to the list. Sadly, it doesn't appear to have archives, but we can arrange for something here.

pedro-w (Contributor) commented Jun 11, 2021

On the case.

pedro-w (Contributor) commented Jun 15, 2021

Current status: fixes applied, but automated tests are now failing and I need to understand why.

pedro-w (Contributor) commented Jun 15, 2021

> automated tests are now failing and I need to understand why.

Oops, my fault. Tests now passing.
