10 bugs found by AFLSmart (heap buffer overflows, Null pointer dereference and assertion failures) #182

Open
thuanpv opened this Issue Jul 13, 2018 · 2 comments


thuanpv commented Jul 13, 2018

Hi all,

These bugs were found with AFLSmart, an input-structure aware extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.

These bugs were found on Ubuntu 16.04 64-bit -- Jasper revision 573a6e4 (HEAD)

To reproduce:

jasper --input <bug_triggering_file>.jp2 --input-format jp2 --output /dev/null --output-format bmp

Bug triggering files are attached.

Bug-1: Heap Buffer Overflow - Read of size 8 (jasper_bug_1.jp2)

ASAN says:

==58581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e9c8 at pc 0x7f888adebb63 bp 0x7ffefa1c9e70 sp 0x7ffefa1c9e60
READ of size 8 at 0x60200000e9c8 thread T0
#0 0x7f888adebb62 in jas_image_depalettize /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994
#1 0x7f888ae0e0ee in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:375
#2 0x7f888ade799c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#3 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#4 0x7f888aa0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

0x60200000e9c8 is located 8 bytes to the left of 1-byte region [0x60200000e9d0,0x60200000e9d1)
allocated by thread T0 here:
#0 0x7f888b1adec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f888adf17d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7f888adf19df in jas_alloc2 /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:274
#3 0x7f888ae0dd61 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:370
#4 0x7f888ade799c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#5 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#6 0x7f888aa0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994 in jas_image_depalettize

Bug-2: Access Violation (jasper_bug_2.jp2)

ASAN says:

ASAN:DEADLYSIGNAL

==183299==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f2b29efed79 bp 0x7ffd5330cb50 sp 0x7ffd5330cac0 T0)
#0 0x7f2b29efed78 in jas_image_readcmpt /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505
#1 0x7f2b29f1b21e in bmp_putdata /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/bmp/bmp_enc.c:324
#2 0x7f2b29f19f71 in bmp_encode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/bmp/bmp_enc.c:217
#3 0x7f2b29efeb5c in jas_image_encode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:469
#4 0x4024b4 in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:277
#5 0x7f2b29b1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505 in jas_image_readcmpt

Bug-3: Heap Buffer Overflow - Write of size 1 (jasper_bug_3.jp2)

ASAN says:

=================================================================
==58646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000decf at pc 0x7f1939ddb26b bp 0x7ffe58ab9ee0 sp 0x7ffe58ab9ed0
WRITE of size 1 at 0x60200000decf thread T0
#0 0x7f1939ddb26a in jas_icctxtdesc_input /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1107
#1 0x7f1939dd6523 in jas_iccprof_load /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:340
#2 0x7f1939de21f3 in jas_iccprof_createfrombuf /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1727
#3 0x7f1939e0a213 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:298
#4 0x7f1939de499c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#5 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#6 0x7f1939a0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

0x60200000decf is located 1 bytes to the left of 1-byte region [0x60200000ded0,0x60200000ded1)
allocated by thread T0 here:
#0 0x7f193a1aaec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f1939dee7d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7f1939ddb0ff in jas_icctxtdesc_input /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1102
#3 0x7f1939dd6523 in jas_iccprof_load /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:340
#4 0x7f1939de21f3 in jas_iccprof_createfrombuf /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1727
#5 0x7f1939e0a213 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:298
#6 0x7f1939de499c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#7 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#8 0x7f1939a0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1107 in jas_icctxtdesc_input

Bug-4: Null pointer dereference (jasper_bug_4.jp2)

ASAN says:

warning: trailing garbage in marker segment (3 bytes)
warning: trailing garbage in marker segment (32 bytes)
warning: not enough tile data (109 bytes)
warning: number of components mismatch
warning: component data type mismatch

ASAN:DEADLYSIGNAL

==13140==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb64d6cc802 bp 0x7ffce5a16ee0 sp 0x7ffce5a16d40 T0)
#0 0x7fb64d6cc801 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:417
#1 0x7fb64d6a599c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#2 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#3 0x7fb64d2c382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:417 in jp2_decode

Bug-5: Heap Buffer Overflow -- Read of size 8 (jasper_bug_5.jp2)

ASAN says:

warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: component data type mismatch

==152291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed70 at pc 0x7fc92f7873c3 bp 0x7ffe0ef9d3c0 sp 0x7ffe0ef9d3b0
READ of size 8 at 0x60200000ed70 thread T0
#0 0x7fc92f7873c2 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:405
#1 0x7fc92f76099c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#2 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#3 0x7fc92f37e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

0x60200000ed71 is located 0 bytes to the right of 1-byte region [0x60200000ed70,0x60200000ed71)
allocated by thread T0 here:
#0 0x7fc92fb26ec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7fc92f76a7d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7fc92f76a9df in jas_alloc2 /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:274
#3 0x7fc92f78090d in jp2_cdef_getdata /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_cod.c:479
#4 0x7fc92f77f93c in jp2_box_get /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_cod.c:312
#5 0x7fc92f785495 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:159
#6 0x7fc92f76099c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#7 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#8 0x7fc92f37e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:405 in jp2_decode

Bug-6: Assertion Failure (japer_bug_6.jp2)

jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
==16546==
==16546== Process terminating with default action of signal 6 (SIGABRT)
==16546== at 0x523D428: raise (raise.c:54)
==16546== by 0x523F029: abort (abort.c:89)
==16546== by 0x5235BD6: __assert_fail_base (assert.c:92)
==16546== by 0x5235C81: __assert_fail (assert.c:101)
==16546== by 0x4F441EE: jpc_floorlog2 (jpc_math.c:94)
==16546== by 0x4FADB17: jpc_dec_decodepkt (jpc_t2dec.c:314)
==16546== by 0x4FADB17: jpc_dec_decodepkts (jpc_t2dec.c:454)
==16546== by 0x4F21745: jpc_dec_process_sod (jpc_dec.c:627)
==16546== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==16546== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==16546== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==16546== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==16546== by 0x401C34: main (jasper.c:236)

Bug-7: SIGABRT - Aborted (jasper_bug_7.jp2)

==28280== Process terminating with default action of signal 6 (SIGABRT)
==28280== at 0x523D428: raise (raise.c:54)
==28280== by 0x523F029: abort (abort.c:89)
==28280== by 0x4F262E8: jpc_dec_process_sot (jpc_dec.c:488)
==28280== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==28280== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==28280== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==28280== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==28280== by 0x401C34: main (jasper.c:236)

Bug-8: Assertion failure (jasper_bug_8.jp2)

Error message:

warning: not enough tile data (394 bytes)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
ICC Profile CS 47524159
jasper: /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:308: jp2_decode: Assertion `dec->image->cmprof_' failed.
Aborted

Stack trace:
==33135== Process terminating with default action of signal 6 (SIGABRT)
==33135== at 0x523D428: raise (raise.c:54)
==33135== by 0x523F029: abort (abort.c:89)
==33135== by 0x5235BD6: __assert_fail_base (assert.c:92)
==33135== by 0x5235C81: __assert_fail (assert.c:101)
==33135== by 0x4EFC8E6: jp2_decode (jp2_dec.c:308)
==33135== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==33135== by 0x401C34: main (jasper.c:236)

Bug-9: Assertion failure (japser_bug_9.jp2)

Valgrind says:

warning: trailing garbage in marker segment (30 bytes)
warning: ignoring unknown marker segment (0xff68)
type = 0xff68 (UNKNOWN); len = 37;00 01 43 ff 5f 61 74 80 00 00 00 79 28 00 10 65 88 4a 50 45 47 20 5e 65 72 73 51 6f 6e 20 32 2e 33 2e 30
jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_dec.c:1703: calcstepsizes: Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' failed.
==109382==
==109382== Process terminating with default action of signal 6 (SIGABRT)
==109382== at 0x523D428: raise (raise.c:54)
==109382== by 0x523F029: abort (abort.c:89)
==109382== by 0x5235BD6: __assert_fail_base (assert.c:92)
==109382== by 0x5235C81: __assert_fail (assert.c:101)
==109382== by 0x4F24B2A: calcstepsizes (jpc_dec.c:1702)
==109382== by 0x4F24B2A: jpc_dec_cp_prepare (jpc_dec.c:1721)
==109382== by 0x4F24B2A: jpc_dec_process_sod (jpc_dec.c:592)
==109382== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==109382== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==109382== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==109382== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==109382== by 0x401C34: main (jasper.c:236)

Bug-10: Assertion Failure (jasper_bug_10.jp2)

warning: ignoring unknown marker segment (0xff68)
type = 0xff68 (UNKNOWN); len = 37;00 01 43 72 65 61 74 10 64 20 62 79 20 00 10 65 6e 4a 50 45 47 20 5e 65 72 73 69 6f 6e 20 32 2e 33 2e 30
warning: not enough tile data (5 bytes)

warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)

jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_dec.c:1883: jpc_dequantize: Assertion `absstepsize >= 0' failed.
==135670==
==135670== Process terminating with default action of signal 6 (SIGABRT)
==135670== at 0x523D428: raise (raise.c:54)
==135670== by 0x523F029: abort (abort.c:89)
==135670== by 0x5235BD6: __assert_fail_base (assert.c:92)
==135670== by 0x5235C81: __assert_fail (assert.c:101)
==135670== by 0x4F12FBE: jpc_dequantize (jpc_dec.c:1883)
==135670== by 0x4F12FBE: jpc_dec_tiledecode (jpc_dec.c:1107)
==135670== by 0x4F22B34: jpc_dec_process_sod (jpc_dec.c:657)
==135670== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==135670== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==135670== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==135670== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==135670== by 0x401C34: main (jasper.c:236)

Regards,

Thuan

jasper_bugs.zip
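A triage helper for crash reports of the kind quoted above, added here as an example (it is not part of the issue, of JasPer or of AFLSmart): it reduces each ASAN, glibc-assertion or Valgrind report to a (kind, detail, function, file:line) key so that the crashes from a fuzzing campaign can be bucketed and duplicates spotted before filing. The sample excerpts are constructed by shortening the reports in this issue, with the /home/ubuntu/... paths abbreviated to /src/....

```python
import re
from dataclasses import dataclass
# Report shapes seen in this issue: ASAN headers/frames, glibc assertions, Valgrind frames.
ASAN_ERR = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+)")
ASAN_ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
ASAN_FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<func>\w+) (?P<file>\S+):(?P<line>\d+)")
ASSERT = re.compile(r": (?P<func>\w+): Assertion `(?P<expr>[^']*)' failed")
VG_FRAME = re.compile(r"(?:at|by) 0x[0-9A-F]+: (?P<func>\w+) \((?P<file>[^:)]+):(?P<line>\d+)\)")
SIGNAL = re.compile(r"default action of signal \d+ \((?P<sig>\w+)\)")
RUNTIME = {"raise", "abort", "__assert_fail_base", "__assert_fail", "__interceptor_malloc"}  # never the crash site

@dataclass(frozen=True)
class Crash:
    kind: str      # "heap-buffer-overflow", "SEGV", "assertion", "SIGABRT", ...
    detail: str    # "READ 8", "WRITE 1", the assertion expression, or ""
    func: str      # innermost frame that is not libc / sanitizer runtime
    location: str  # file:line of that frame (basename only, so build paths do not matter)

def triage(report: str) -> Crash:
    # Reduce one raw report to a stable dedup key: what failed, and where.
    kind, detail = "unknown", ""
    if (m := ASSERT.search(report)):
        kind, detail = "assertion", m.group("expr")
    elif (m := ASAN_ERR.search(report)):
        a = ASAN_ACCESS.search(report)
        kind, detail = m.group("kind"), (f"{a.group('op')} {a.group('size')}" if a else "")
    elif (m := SIGNAL.search(report)):
        kind = m.group("sig")
    for line in report.splitlines():
        f = ASAN_FRAME.search(line) or VG_FRAME.search(line)
        if f and f.group("func") not in RUNTIME:
            return Crash(kind, detail, f.group("func"), f"{f.group('file').rsplit('/', 1)[-1]}:{f.group('line')}")
    return Crash(kind, detail, "?", "?")

def dedup(reports: dict) -> dict:
    # Map each crash key to the input files that produced it.
    groups: dict = {}
    for name, text in reports.items():
        groups.setdefault(triage(text), []).append(name)
    return groups

# Constructed excerpts, shortened from the reports quoted in this issue.
SAMPLES = {
    "bug_1": "==58581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e9c8\nREAD of size 8 at 0x60200000e9c8 thread T0\n"
             "    #0 0x7f888adebb62 in jas_image_depalettize /src/libjasper/base/jas_image.c:994\n",
    "bug_6": "jasper: /src/libjasper/jpc/jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.\n==16546== Process terminating with default action of signal 6 (SIGABRT)\n"
             "==16546==    at 0x523D428: raise (raise.c:54)\n==16546==    by 0x4F441EE: jpc_floorlog2 (jpc_math.c:94)\n",
    "bug_7": "==28280== Process terminating with default action of signal 6 (SIGABRT)\n==28280==    at 0x523D428: raise (raise.c:54)\n"
             "==28280==    by 0x523F029: abort (abort.c:89)\n==28280==    by 0x4F262E8: jpc_dec_process_sot (jpc_dec.c:488)\n",
}
```

Running `dedup(SAMPLES)` yields three distinct buckets; an assertion that also aborts (Bug-6) is keyed on the assertion, not on the SIGABRT that follows it.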


asarubbo commented Nov 8, 2018

@thuanpv is AFLSmart publicly available?


thuanpv commented Nov 10, 2018

Thanks @asarubbo for your interest in AFLSmart. It is not publicly available yet. We will make it open source soon and I will keep you posted.
