Critical memory corruption vulnerability found in graphite2::Segment::~Segment()

[gsharpsh00ter]

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a critical memory corruption vulnerability was found in graphite2::Segment::~Segment(), which may allow attackers to cause a denial of service or possibly execute arbitrary code via a crafted font type file.

0x02 How to reproduce

This issue can be reproduced by the following command:
gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003

0x03 Debugging Information

gzq@ubuntu:~/tmp/graphite/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...done.
(gdb) r libgraphite2-corrupted-size-or-prev_size-0x0x3bded-2.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest libgraphite2-corrupted-size-or-prev_size-0x0x3bded-2.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	
*** Error in `/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest': corrupted size vs. prev_size: 0x00005555557d0d30 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7ffff74cf0cb]
/lib/x86_64-linux-gnu/libc.so.6(+0x83752)[0x7ffff74d9752]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff74dcd8c]
/home/gzq/tmp/graphite/build/src/libgraphite2.so.3(+0x2046d)[0x7ffff7bc546d]
/home/gzq/tmp/graphite/build/src/libgraphite2.so.3(gr_seg_destroy+0xe)[0x7ffff7bab35e]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(_ZNK10Parameters12testFileFontEv+0x194)[0x555555556a64]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(main+0x268)[0x555555555f98]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff74763f1]
/home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest(_start+0x2a)[0x555555555fea]
======= Memory map: ========
555555554000-555555559000 r-xp 00000000 08:01 1049652                    /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest
555555758000-555555759000 r--p 00004000 08:01 1049652                    /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest
555555759000-55555575a000 rw-p 00005000 08:01 1049652                    /home/gzq/tmp/graphite/build/gr2fonttest/gr2fonttest
55555575a000-5555557f3000 rw-p 00000000 00:00 0                          [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff6f36000-7ffff703e000 r-xp 00000000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff703e000-7ffff723d000 ---p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723d000-7ffff723e000 r--p 00107000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723e000-7ffff723f000 rw-p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723f000-7ffff7255000 r-xp 00000000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7255000-7ffff7454000 ---p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7454000-7ffff7455000 r--p 00015000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7455000-7ffff7456000 rw-p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7456000-7ffff7614000 r-xp 00000000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7614000-7ffff7813000 ---p 001be000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7813000-7ffff7817000 r--p 001bd000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7817000-7ffff7819000 rw-p 001c1000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7819000-7ffff781d000 rw-p 00000000 00:00 0 
7ffff781d000-7ffff7995000 r-xp 00000000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7995000-7ffff7b95000 ---p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b95000-7ffff7b9f000 r--p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b9f000-7ffff7ba1000 rw-p 00182000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7ba1000-7ffff7ba5000 rw-p 00000000 00:00 0 
7ffff7ba5000-7ffff7bd5000 r-xp 00000000 08:01 1049485                    /home/gzq/tmp/graphite/build/src/libgraphite2.so.3.0.1
7ffff7bd5000-7ffff7dd4000 ---p 00030000 08:01 1049485                    /home/gzq/tmp/graphite/build/src/libgraphite2.so.3.0.1
7ffff7dd4000-7ffff7dd6000 r--p 0002f000 08:01 1049485                    /home/gzq/tmp/graphite/build/src/libgraphite2.so.3.0.1
7ffff7dd6000-7ffff7dd7000 rw-p 00031000 08:01 1049485                    /home/gzq/tmp/graphite/build/src/libgraphite2.so.3.0.1
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7fd2000-7ffff7fd7000 rw-p 00000000 00:00 0 
7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff748d3ea in __GI_abort () at abort.c:89
#2  0x00007ffff74cf0d0 in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff75e4f80 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff74d9752 in malloc_printerr (ar_ptr=0x7ffff7817b00 <main_arena>, ptr=0x5555557d0d30, str=0x7ffff75e1ade "corrupted size vs. prev_size", action=<optimized out>) at malloc.c:5048
#4  _int_free (av=0x7ffff7817b00 <main_arena>, p=0x5555557d0a80, have_lock=0) at malloc.c:4051
#5  0x00007ffff74dcd8c in __GI___libc_free (mem=<optimized out>) at malloc.c:2984
#6  0x00007ffff7bc546d in graphite2::Segment::~Segment (this=0x555555780770, __in_chrg=<optimized out>) at /home/gzq/tmp/graphite/src/Segment.cpp:71
#7  0x00007ffff7bab35e in gr_seg_destroy (p=0x555555780770) at /home/gzq/tmp/graphite/src/gr_segment.cpp:114
#8  0x0000555555556a64 in Parameters::testFileFont (this=0x7fffffffe210) at /home/gzq/tmp/graphite/gr2fonttest/gr2FontTest.cpp:763
#9  0x0000555555555f98 in main (argc=29, argv=0x7fffffffe388) at /home/gzq/tmp/graphite/gr2fonttest/gr2FontTest.cpp:810

For security consideration, the poc file attached is encrypted with a password which I have sent to you.

0x04 Author

This issue is reported by Ziqiang Gu from WeiRan Labs.

0x05 POC

libgraphite2-corrupted-size-or-prev_size-0x0x3bded-2.zip

[mhosken]

The segcache has been removed, thus -cache is no longer valid. Please retest without -cache and reopen this bug if there is still a problem.