invalid free in ReadImage (in input-bmp.ci:469) #29

Closed
fantasy7082 opened this issue Feb 23, 2018 · 2 comments
Comments

@fantasy7082

There is an invalid free in ReadImage that leads to a segmentation fault in sam2p 0.49.4. A crafted input will lead to a denial of service attack.
Steps to Reproduce:

./sam2p 013-freenomalloc-readimage EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
=================================================================
==20953==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x6020000082d0 in thread T0
    #0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x425f03 in ReadImage /root/sam2p_ASAN2/sam2p/input-bmp.ci:469
    #2 0x425f03 in bmp_load_image(_IO_FILE*) /root/sam2p_ASAN2/sam2p/input-bmp.ci:215
    #3 0x426859 in in_bmp_reader /root/sam2p_ASAN2/sam2p/in_bmp.cpp:23
    #4 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
    #5 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
    #6 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
    #7 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)

0x6020000082d0 is located 0 bytes inside of 808597299-byte region [0x6020000082d0,0x60203032ba03)
==20953==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:186 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x7ffff6f0a631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7ffff6f0f5e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7ffff6e8776c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d76c)
    #3 0x7ffff6e8861e  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1e61e)
    #4 0x7ffff6f07380  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9d380)
    #5 0x7ffff6f08727  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9e727)
    #6 0x7ffff6e8b617  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x21617)
    #7 0x7ffff6f0229d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
    #8 0x425f03 in ReadImage /root/sam2p_ASAN2/sam2p/input-bmp.ci:469
    #9 0x425f03 in bmp_load_image(_IO_FILE*) /root/sam2p_ASAN2/sam2p/input-bmp.ci:215
    #10 0x426859 in in_bmp_reader /root/sam2p_ASAN2/sam2p/in_bmp.cpp:23
    #11 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
    #12 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
    #13 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
    #14 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)

POC FILE:https://github.com/fantasy7082/image_test/blob/master/013-freenomalloc-readimage

@pts
Owner

pts commented Feb 27, 2018

Thank you for reporting this! I'm not able to reproduce this bug as of a6621e9. Valgrind doesn't print any errors:

==6210== 
==6210== HEAP SUMMARY:
==6210==     in use at exit: 0 bytes in 0 blocks
==6210==   total heap usage: 2,967 allocs, 2,967 frees, 218,171 bytes allocated
==6210== 
==6210== All heap blocks were freed -- no leaks are possible
==6210== 
==6210== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)
--6210-- 
--6210-- used_suppression:      2 glibc-2.5.x-on-SUSE-10.2-(PPC)-2a
==6210== 
==6210== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)

If you can reproduce this bug with the latest sam2p commit and Valgrind, please reopen this issue.

@pts pts closed this as completed Feb 27, 2018
@fantasy7082
Author

fantasy7082 commented Feb 28, 2018

@pts
Well, I also found the problem later: you should disable ASAN when you compile with gcc 7.x (there is no problem in gcc 5.x). That means you can't compile the project with the flags "-ggdb -fsanitize=address":

cat /etc/issue
Ubuntu 17.10 \n \l

root@ubuntu:~/sam2p-asan2/sam2p-test/sam2p# gcc --version
gcc (Ubuntu 7.2.0-8ubuntu3.2) 7.2.0
Copyright (C) 2017 Free Software Foundation, Inc.
./configure --enable-gif --enable-lzw --prefix=/usr/local/sam2p-test/
....
make
....

./sam2p 013-freenomalloc-readimage EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 013-freenomalloc-readimage
sam2p: Notice: writeTTT: using template: l1op
sam2p: Notice: applyProfile: applied OutputRule #0 using applier P-TrOpBb
*** Error in `./sam2p': free(): invalid next size (normal): 0x000055b792a2f540 ***
Aborted (core dumped)
gdb -q ./sam2p
Reading symbols from ./sam2p...done.
(gdb) r 013-freenomalloc-readimage EPS: /dev/null
Starting program: /root/sam2p-asan2/sam2p-test/sam2p/sam2p 013-freenomalloc-readimage EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 013-freenomalloc-readimage
sam2p: Notice: writeTTT: using template: l1op
sam2p: Notice: applyProfile: applied OutputRule #0 using applier P-TrOpBb
*** Error in `/root/sam2p-asan2/sam2p-test/sam2p/sam2p': free(): invalid next size (normal): 0x0000555555805540 ***

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff76a7f5d in __GI_abort () at abort.c:90
#2  0x00007ffff76f028d in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff7817528 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff76f764a in malloc_printerr (action=<optimized out>, str=0x7ffff7817888 "free(): invalid next size (normal)", 
    ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5426
#4  0x00007ffff76f973e in _int_free (av=0x7ffff7a49c20 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4175
#5  0x00007ffff76fe44e in __GI___libc_free (mem=<optimized out>) at malloc.c:3145
#6  0x00007ffff76f4b6b in __GI__IO_setb (f=f@entry=0x5555557d4ee0, b=b@entry=0x0, eb=eb@entry=0x0, a=a@entry=0) at genops.c:382
#7  0x00007ffff76f2bce in _IO_new_file_close_it (fp=fp@entry=0x5555557d4ee0) at fileops.c:193
#8  0x00007ffff76e508f in _IO_new_fclose (fp=0x5555557d4ee0) at iofclose.c:58
#9  0x000055555555bd41 in run_sam2p_engine (sout=..., serr=..., argv1=<optimized out>, helpp=<optimized out>)
    at sam2p_main.cpp:1089
#10 0x000055555555b029 in main (argv=0x7fffffffe478) at sam2p_main.cpp:1148
(gdb)
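The two crash outputs in this thread (the ASan report in the original post and the glibc "free(): invalid next size" abort from the non-ASan build) describe the same bug in two different formats. The helper below, added here as an example and not part of sam2p or of this thread, extracts the error kind and the first stack frame inside the project tree from either format so that crashes from different builds can be bucketed together; the source-tree prefix is taken from the reporter's ASan log and the sample texts are short constructed excerpts of the logs above.

```python
import re
from typing import Optional, Dict

# Constructed excerpt of the ASan report quoted in the issue above.
ASAN_SAMPLE = """\
==20953==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x6020000082d0 in thread T0
    #0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x425f03 in ReadImage /root/sam2p_ASAN2/sam2p/input-bmp.ci:469
    #2 0x425f03 in bmp_load_image(_IO_FILE*) /root/sam2p_ASAN2/sam2p/input-bmp.ci:215
    #4 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
"""

# Constructed excerpt of the glibc abort from the non-ASan (gcc 7) build in the issue.
GLIBC_SAMPLE = """\
sam2p: Notice: applyProfile: applied OutputRule #0 using applier P-TrOpBb
*** Error in `./sam2p': free(): invalid next size (normal): 0x000055b792a2f540 ***
Aborted (core dumped)
"""

ASAN_ERROR = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[^:]+):")
# Function names may contain spaces (C++ signatures), so the location is the last token on the line.
ASAN_FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$", re.MULTILINE)
GLIBC_ERROR = re.compile(r"\*\*\* Error in `[^']+': (?P<kind>.+?): 0x[0-9a-f]+ \*\*\*")


def triage(output: str, source_root: str) -> Optional[Dict[str, str]]:
    """Classify a crash log; returns tool, error kind and the first in-tree frame, or None."""
    m = ASAN_ERROR.search(output)
    if m:
        frame = "<no frame in source tree>"
        for fm in ASAN_FRAME.finditer(output):
            loc = fm.group("loc")
            if loc.startswith(source_root):  # skip libasan/libc frames
                frame = f"{fm.group('func')} at {loc[len(source_root):].lstrip('/')}"
                break
        return {"tool": "asan", "kind": m.group("kind").strip(), "frame": frame}
    m = GLIBC_ERROR.search(output)
    if m:
        # glibc's heap checker prints no backtrace; the frame must come from gdb, as in the thread.
        return {"tool": "glibc", "kind": m.group("kind"), "frame": "<unknown: run under gdb>"}
    return None


if __name__ == "__main__":
    for sample in (ASAN_SAMPLE, GLIBC_SAMPLE):
        print(triage(sample, "/root/sam2p_ASAN2/sam2p"))
```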
