On GraphicsMagick 1.3.26 2017-07-04 Q8
An allocation failure vulnerability was found in function ReadWMFImage, which allows attackers to cause a denial of service via a crafted file.
==26240==ERROR: AddressSanitizer failed to allocate 0xfe609000 (4267741184) bytes of LargeMmapAllocator (error code: 12)
==26240==Process memory map follows:
0x000000400000-0x0000012e3000 /home/test/Downloads/GM-afl-build/bin/gm
0x0000014e2000-0x0000014e5000 /home/test/Downloads/GM-afl-build/bin/gm
0x0000014e5000-0x000001608000 /home/test/Downloads/GM-afl-build/bin/gm
0x000001608000-0x00000228f000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x602000000000
0x602000000000-0x602000010000
0x602000010000-0x602e00000000
0x602e00000000-0x602e00010000
0x602e00010000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x603e00000000
0x603e00000000-0x603e00010000
0x603e00010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x604e00000000
0x604e00000000-0x604e00010000
0x604e00010000-0x606000000000
0x606000000000-0x606000010000
0x606000010000-0x606e00000000
0x606e00000000-0x606e00010000
0x606e00010000-0x607000000000
0x607000000000-0x607000010000
0x607000010000-0x607e00000000
0x607e00000000-0x607e00010000
0x607e00010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x608e00000000
0x608e00000000-0x608e00010000
0x608e00010000-0x60a000000000
0x60a000000000-0x60a000010000
0x60a000010000-0x60ae00000000
0x60ae00000000-0x60ae00010000
0x60ae00010000-0x60b000000000
0x60b000000000-0x60b000010000
0x60b000010000-0x60be00000000
0x60be00000000-0x60be00010000
0x60be00010000-0x60c000000000
0x60c000000000-0x60c000010000
0x60c000010000-0x60ce00000000
0x60ce00000000-0x60ce00010000
0x60ce00010000-0x60f000000000
0x60f000000000-0x60f000010000
0x60f000010000-0x60fe00000000
0x60fe00000000-0x60fe00010000
0x60fe00010000-0x610000000000
0x610000000000-0x610000010000
0x610000010000-0x610e00000000
0x610e00000000-0x610e00010000
0x610e00010000-0x611000000000
0x611000000000-0x611000010000
0x611000010000-0x611e00000000
0x611e00000000-0x611e00010000
0x611e00010000-0x612000000000
0x612000000000-0x612000010000
0x612000010000-0x612e00000000
0x612e00000000-0x612e00010000
0x612e00010000-0x614000000000
0x614000000000-0x614000010000
0x614000010000-0x614e00000000
0x614e00000000-0x614e00010000
0x614e00010000-0x616000000000
0x616000000000-0x616000010000
0x616000010000-0x616e00000000
0x616e00000000-0x616e00010000
0x616e00010000-0x618000000000
0x618000000000-0x618000010000
0x618000010000-0x618e00000000
0x618e00000000-0x618e00010000
0x618e00010000-0x619000000000
0x619000000000-0x619000010000
0x619000010000-0x619e00000000
0x619e00000000-0x619e00010000
0x619e00010000-0x61e000000000
0x61e000000000-0x61e000010000
0x61e000010000-0x61ee00000000
0x61ee00000000-0x61ee00010000
0x61ee00010000-0x621000000000
0x621000000000-0x621000010000
0x621000010000-0x621e00000000
0x621e00000000-0x621e00010000
0x621e00010000-0x623000000000
0x623000000000-0x623000010000
0x623000010000-0x623e00000000
0x623e00000000-0x623e00010000
0x623e00010000-0x624000000000
0x624000000000-0x624000010000
0x624000010000-0x624e00000000
0x624e00000000-0x624e00010000
0x624e00010000-0x625000000000
0x625000000000-0x625000010000
0x625000010000-0x625e00000000
0x625e00000000-0x625e00010000
0x625e00010000-0x640000000000
0x640000000000-0x640000003000
0x7fb9759d7000-0x7fb97bf00000 /usr/lib/locale/locale-archive
0x7fb97bf00000-0x7fb97c000000
0x7fb97c100000-0x7fb97c200000
0x7fb97c300000-0x7fb97c400000
0x7fb97c46d000-0x7fb97c600000
0x7fb97c61a000-0x7fb97e96c000
0x7fb97e96c000-0x7fb97e96e000 /usr/lib64/libXau.so.6.0.0
0x7fb97e96e000-0x7fb97eb6e000 /usr/lib64/libXau.so.6.0.0
0x7fb97eb6e000-0x7fb97eb6f000 /usr/lib64/libXau.so.6.0.0
0x7fb97eb6f000-0x7fb97eb70000 /usr/lib64/libXau.so.6.0.0
0x7fb97eb70000-0x7fb97eb91000 /usr/lib64/libxcb.so.1.1.0
0x7fb97eb91000-0x7fb97ed90000 /usr/lib64/libxcb.so.1.1.0
0x7fb97ed90000-0x7fb97ed91000 /usr/lib64/libxcb.so.1.1.0
0x7fb97ed91000-0x7fb97ed92000 /usr/lib64/libxcb.so.1.1.0
0x7fb97ed92000-0x7fb97ed96000 /usr/lib64/libuuid.so.1.3.0
0x7fb97ed96000-0x7fb97ef95000 /usr/lib64/libuuid.so.1.3.0
0x7fb97ef95000-0x7fb97ef96000 /usr/lib64/libuuid.so.1.3.0
0x7fb97ef96000-0x7fb97ef97000 /usr/lib64/libuuid.so.1.3.0
0x7fb97ef97000-0x7fb97efda000 /usr/lib64/libjpeg.so.62.1.0
0x7fb97efda000-0x7fb97f1da000 /usr/lib64/libjpeg.so.62.1.0
0x7fb97f1da000-0x7fb97f1db000 /usr/lib64/libjpeg.so.62.1.0
0x7fb97f1db000-0x7fb97f1dc000 /usr/lib64/libjpeg.so.62.1.0
0x7fb97f1dc000-0x7fb97f1ec000
0x7fb97f1ec000-0x7fb97f3a2000 /usr/lib64/libc-2.17.so
0x7fb97f3a2000-0x7fb97f5a2000 /usr/lib64/libc-2.17.so
0x7fb97f5a2000-0x7fb97f5a6000 /usr/lib64/libc-2.17.so
0x7fb97f5a6000-0x7fb97f5a8000 /usr/lib64/libc-2.17.so
0x7fb97f5a8000-0x7fb97f5ad000
0x7fb97f5ad000-0x7fb97f5c2000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7fb97f5c2000-0x7fb97f7c1000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7fb97f7c1000-0x7fb97f7c2000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7fb97f7c2000-0x7fb97f7c3000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7fb97f7c3000-0x7fb97f7c5000 /usr/lib64/libdl-2.17.so
0x7fb97f7c5000-0x7fb97f9c5000 /usr/lib64/libdl-2.17.so
0x7fb97f9c5000-0x7fb97f9c6000 /usr/lib64/libdl-2.17.so
0x7fb97f9c6000-0x7fb97f9c7000 /usr/lib64/libdl-2.17.so
0x7fb97f9c7000-0x7fb97f9ce000 /usr/lib64/librt-2.17.so
0x7fb97f9ce000-0x7fb97fbcd000 /usr/lib64/librt-2.17.so
0x7fb97fbcd000-0x7fb97fbce000 /usr/lib64/librt-2.17.so
0x7fb97fbce000-0x7fb97fbcf000 /usr/lib64/librt-2.17.so
0x7fb97fbcf000-0x7fb97fbe6000 /usr/lib64/libpthread-2.17.so
0x7fb97fbe6000-0x7fb97fde5000 /usr/lib64/libpthread-2.17.so
0x7fb97fde5000-0x7fb97fde6000 /usr/lib64/libpthread-2.17.so
0x7fb97fde6000-0x7fb97fde7000 /usr/lib64/libpthread-2.17.so
0x7fb97fde7000-0x7fb97fdeb000
0x7fb97fdeb000-0x7fb97feeb000 /usr/lib64/libm-2.17.so
0x7fb97feeb000-0x7fb9800eb000 /usr/lib64/libm-2.17.so
0x7fb9800eb000-0x7fb9800ec000 /usr/lib64/libm-2.17.so
0x7fb9800ec000-0x7fb9800ed000 /usr/lib64/libm-2.17.so
0x7fb9800ed000-0x7fb980102000 /usr/lib64/libz.so.1.2.7
0x7fb980102000-0x7fb980301000 /usr/lib64/libz.so.1.2.7
0x7fb980301000-0x7fb980302000 /usr/lib64/libz.so.1.2.7
0x7fb980302000-0x7fb980303000 /usr/lib64/libz.so.1.2.7
0x7fb980303000-0x7fb980462000 /usr/lib64/libxml2.so.2.9.1
0x7fb980462000-0x7fb980661000 /usr/lib64/libxml2.so.2.9.1
0x7fb980661000-0x7fb980669000 /usr/lib64/libxml2.so.2.9.1
0x7fb980669000-0x7fb98066b000 /usr/lib64/libxml2.so.2.9.1
0x7fb98066b000-0x7fb98066d000
0x7fb98066d000-0x7fb98067c000 /usr/lib64/libbz2.so.1.0.6
0x7fb98067c000-0x7fb98087b000 /usr/lib64/libbz2.so.1.0.6
0x7fb98087b000-0x7fb98087c000 /usr/lib64/libbz2.so.1.0.6
0x7fb98087c000-0x7fb98087d000 /usr/lib64/libbz2.so.1.0.6
0x7fb98087d000-0x7fb9808a2000 /usr/lib64/liblzma.so.5.2.2
0x7fb9808a2000-0x7fb980aa1000 /usr/lib64/liblzma.so.5.2.2
0x7fb980aa1000-0x7fb980aa2000 /usr/lib64/liblzma.so.5.2.2
0x7fb980aa2000-0x7fb980aa3000 /usr/lib64/liblzma.so.5.2.2
0x7fb980aa3000-0x7fb980bdb000 /usr/lib64/libX11.so.6.3.0
0x7fb980bdb000-0x7fb980ddb000 /usr/lib64/libX11.so.6.3.0
0x7fb980ddb000-0x7fb980ddc000 /usr/lib64/libX11.so.6.3.0
0x7fb980ddc000-0x7fb980de1000 /usr/lib64/libX11.so.6.3.0
0x7fb980de1000-0x7fb980df8000 /usr/lib64/libICE.so.6.3.0
0x7fb980df8000-0x7fb980ff7000 /usr/lib64/libICE.so.6.3.0
0x7fb980ff7000-0x7fb980ff8000 /usr/lib64/libICE.so.6.3.0
0x7fb980ff8000-0x7fb980ff9000 /usr/lib64/libICE.so.6.3.0
0x7fb980ff9000-0x7fb980ffd000
0x7fb980ffd000-0x7fb981004000 /usr/lib64/libSM.so.6.0.1
0x7fb981004000-0x7fb981203000 /usr/lib64/libSM.so.6.0.1
0x7fb981203000-0x7fb981204000 /usr/lib64/libSM.so.6.0.1
0x7fb981204000-0x7fb981205000 /usr/lib64/libSM.so.6.0.1
0x7fb981205000-0x7fb981216000 /usr/lib64/libXext.so.6.4.0
0x7fb981216000-0x7fb981415000 /usr/lib64/libXext.so.6.4.0
0x7fb981415000-0x7fb981416000 /usr/lib64/libXext.so.6.4.0
0x7fb981416000-0x7fb981417000 /usr/lib64/libXext.so.6.4.0
0x7fb981417000-0x7fb981433000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7fb981433000-0x7fb981632000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7fb981632000-0x7fb981633000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7fb981633000-0x7fb981634000 /usr/lib64/libwmflite-0.2.so.7.0.1
0x7fb981634000-0x7fb98165d000 /usr/lib64/libpng15.so.15.13.0
0x7fb98165d000-0x7fb98185d000 /usr/lib64/libpng15.so.15.13.0
0x7fb98185d000-0x7fb98185e000 /usr/lib64/libpng15.so.15.13.0
0x7fb98185e000-0x7fb98185f000 /usr/lib64/libpng15.so.15.13.0
0x7fb98185f000-0x7fb981898000 /usr/lib64/libjpeg.so.9.2.0
0x7fb981898000-0x7fb981a98000 /usr/lib64/libjpeg.so.9.2.0
0x7fb981a98000-0x7fb981a99000 /usr/lib64/libjpeg.so.9.2.0
0x7fb981a99000-0x7fb981a9a000 /usr/lib64/libjpeg.so.9.2.0
0x7fb981a9a000-0x7fb981ae9000 /usr/lib64/libjasper.so.1.0.0
0x7fb981ae9000-0x7fb981ce8000 /usr/lib64/libjasper.so.1.0.0
0x7fb981ce8000-0x7fb981ce9000 /usr/lib64/libjasper.so.1.0.0
0x7fb981ce9000-0x7fb981ced000 /usr/lib64/libjasper.so.1.0.0
0x7fb981ced000-0x7fb981cf4000
0x7fb981cf4000-0x7fb981d94000 /usr/lib64/libfreetype.so.6.10.0
0x7fb981d94000-0x7fb981f93000 /usr/lib64/libfreetype.so.6.10.0
0x7fb981f93000-0x7fb981f99000 /usr/lib64/libfreetype.so.6.10.0
0x7fb981f99000-0x7fb981f9a000 /usr/lib64/libfreetype.so.6.10.0
0x7fb981f9a000-0x7fb982009000 /usr/lib64/libtiff.so.5.2.0
0x7fb982009000-0x7fb982209000 /usr/lib64/libtiff.so.5.2.0
0x7fb982209000-0x7fb98220a000 /usr/lib64/libtiff.so.5.2.0
0x7fb98220a000-0x7fb98220d000 /usr/lib64/libtiff.so.5.2.0
0x7fb98220d000-0x7fb98220e000
0x7fb98220e000-0x7fb982263000 /usr/lib64/liblcms2.so.2.0.6
0x7fb982263000-0x7fb982462000 /usr/lib64/liblcms2.so.2.0.6
0x7fb982462000-0x7fb982463000 /usr/lib64/liblcms2.so.2.0.6
0x7fb982463000-0x7fb982468000 /usr/lib64/liblcms2.so.2.0.6
0x7fb982468000-0x7fb9824b4000 /usr/lib64/libwebp.so.4.0.2
0x7fb9824b4000-0x7fb9826b3000 /usr/lib64/libwebp.so.4.0.2
0x7fb9826b3000-0x7fb9826b4000 /usr/lib64/libwebp.so.4.0.2
0x7fb9826b4000-0x7fb9826b5000 /usr/lib64/libwebp.so.4.0.2
0x7fb9826b5000-0x7fb9826b8000
0x7fb9826b8000-0x7fb9826c1000 /usr/lib64/libjbig.so.2.0
0x7fb9826c1000-0x7fb9828c0000 /usr/lib64/libjbig.so.2.0
0x7fb9828c0000-0x7fb9828c1000 /usr/lib64/libjbig.so.2.0
0x7fb9828c1000-0x7fb9828c4000 /usr/lib64/libjbig.so.2.0
0x7fb9828c4000-0x7fb9828e4000 /usr/lib64/ld-2.17.so
0x7fb98290e000-0x7fb982ae3000
0x7fb982ae3000-0x7fb982ae4000 /usr/lib64/ld-2.17.so
0x7fb982ae4000-0x7fb982ae5000 /usr/lib64/ld-2.17.so
0x7fb982ae5000-0x7fb982ae6000
0x7ffe5f54f000-0x7ffe5f570000 [stack]
0x7ffe5f5d8000-0x7ffe5f5da000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==26240==End of process memory map.
==26240==AddressSanitizer CHECK failed: /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
#0 0x4f3dbf in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:69
#1 0x50b6e5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
#2 0x4fc380 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
#3 0x504b5e in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132
#4 0x42fe0f in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41
#5 0x42fe0f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70
#6 0x42fe0f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:407
#7 0x4e9789 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
#8 0x7fb98141b077 in wmf_malloc api.c:482
#9 0x7fb98142b5dd in wmf_scan player.c:143
#10 0xde5766 in ReadWMFImage /home/test/Downloads/GraphicsMagick-1.3.26/coders/wmf.c:2473:20
#11 0x640fbd in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
#12 0x6404f0 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
#13 0x5aa668 in IdentifyImageCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8379:17
#14 0x5af409 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
#15 0x5f6472 in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
#16 0x5f4daa in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
#17 0x7fb97f20db34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
#18 0x4247fb in _start (/home/test/Downloads/GM-afl-build/bin/gm+0x4247fb)
The poc file is in the attachment.
Credit: ADLab of Venustech
This problem is in libwmf itself and not within GraphicsMagick code. In the libwmf I am using, the problematic allocation occurs at line 136 of src/player.c:
P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
It is obvious that several parsed values have huge sizes:
(gdb) p *API
$2 = {err = wmf_E_None, Head = {FileType = 1, HeaderSize = 9, Version = 12336, FileSize = 808464432, NumOfObjects = 12336, MaxRecordSize = 2133864496, NumOfParams = 12336},
PlaceableMetaHeader = {Key = 0, Handle = 0, Left = 0, Top = 0, Right = 0, Bottom = 0, Inch = 0, Reserved = 0, Checksum = 0}, MetaHeader = {wmfheader = 0x22bcc44,
pmh = 0x22bcc5c, filein = 0x0, pos = 18, placeable = 0}, File = 0x22bcc78, debug_out = 0x7fc15ed23620 <_IO_2_1_stdout_>, error_out = 0x7fc15ed23540 <_IO_2_1_stderr_>,
store = {attrlist = 0x0, count = 0, max = 0}, write_data = 0x0, user_data = 0x0, device_data = 0x22bcd70, player_data = 0x22bcdf0, buffer_data = 0x21ba800,
memory_data = 0x21bc7f0, function_reference = 0x21b9e10, font_data = 0x21b2890, fonts = 0x0, color_data = 0x21bc2e0, bbuf = {read = 0x5336bc <ipa_blob_read>,
seek = 0x5336b2 <ipa_blob_seek>, tell = 0x5336ad <ipa_blob_tell>}, status = {context = 0x623314, function = 0x5336c1 <magick_progress_callback>}, string_buffer = {
length = 64, buffer = 0x21bc730 "\270+\322^\301\177"}, flags = 17408}
Closed due to the problem being in libwmf's WMF validation (under 'wmf_scan()' function call) and not in GraphicsMagick.
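A defender-side check for the header field that drives this allocation, added here as an example and not code from libwmf or GraphicsMagick: it parses the 18-byte WMF header (the same fields shown in the gdb dump above) and refuses to size a record buffer from MaxRecordSize when the implied byte count is larger than the file that carries it or than a policy cap. The field layout follows the standard WMF META_HEADER; the 64 MiB cap, the function names and the two sample headers are constructed for this example, the second one carrying the values from the dump (Version 12336, FileSize 808464432, MaxRecordSize 2133864496).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard 18-byte WMF header (META_HEADER). All sizes are in 16-bit words. */
struct wmf_header {
    uint16_t file_type;       /* 1 = memory metafile, 2 = disk metafile */
    uint16_t header_size;     /* header length in words, always 9 */
    uint16_t version;         /* 0x0100 or 0x0300 */
    uint32_t file_size;       /* whole file length in words */
    uint16_t num_of_objects;
    uint32_t max_record_size; /* largest record in words: this sizes the buffer */
    uint16_t num_of_params;   /* reserved, must be 0 */
};

#define WMF_HEADER_BYTES 18
/* Assumed policy cap for one record buffer (64 MiB); not a libwmf constant. */
#define WMF_MAX_RECORD_BYTES (64u * 1024u * 1024u)

enum wmf_status {
    WMF_OK = 0,
    WMF_ERR_TRUNCATED = -1,
    WMF_ERR_RECORD_EXCEEDS_FILE = -2,
    WMF_ERR_RECORD_TOO_LARGE = -3,
    WMF_ERR_BAD_FIELD = -4
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int wmf_header_parse(const uint8_t *buf, size_t len, struct wmf_header *h) {
    if (len < WMF_HEADER_BYTES) return WMF_ERR_TRUNCATED;
    h->file_type       = rd16(buf + 0);
    h->header_size     = rd16(buf + 2);
    h->version         = rd16(buf + 4);
    h->file_size       = rd32(buf + 6);
    h->num_of_objects  = rd16(buf + 10);
    h->max_record_size = rd32(buf + 12);
    h->num_of_params   = rd16(buf + 16);
    return WMF_OK;
}

/* Byte count a record buffer sized from the header would need (words * 2),
 * computed in 64 bits so a 32-bit word count cannot wrap. */
uint64_t wmf_record_bytes(const struct wmf_header *h) {
    return (uint64_t)h->max_record_size * 2u;
}

/* Decide whether max_record_size may be used to size an allocation.
 * stream_len is the number of bytes actually available in the input. */
int wmf_header_validate(const struct wmf_header *h, size_t stream_len, size_t *alloc_bytes) {
    uint64_t rec = wmf_record_bytes(h);
    /* A record cannot be larger than the file that contains it, neither by the
       declared word count nor by the bytes actually present. */
    if (rec > (uint64_t)h->file_size * 2u) return WMF_ERR_RECORD_EXCEEDS_FILE;
    if (rec > stream_len) return WMF_ERR_RECORD_EXCEEDS_FILE;
    if (rec > WMF_MAX_RECORD_BYTES) return WMF_ERR_RECORD_TOO_LARGE;
    if (h->file_type != 1 && h->file_type != 2) return WMF_ERR_BAD_FIELD;
    if (h->header_size != 9) return WMF_ERR_BAD_FIELD;
    if (h->version != 0x0100 && h->version != 0x0300) return WMF_ERR_BAD_FIELD;
    *alloc_bytes = (size_t)rec;
    return WMF_OK;
}

/* Parse and validate in one step; on success *alloc_bytes is safe to pass to malloc. */
int wmf_check_stream(const uint8_t *buf, size_t len, size_t *alloc_bytes) {
    struct wmf_header h;
    int rc = wmf_header_parse(buf, len, &h);
    if (rc != WMF_OK) return rc;
    return wmf_header_validate(&h, len, alloc_bytes);
}

/* Constructed sample: a sane header (FileSize 52 words, MaxRecordSize 20 words);
   the trailing zero bytes stand in for the 86 bytes of records. */
const uint8_t benign_wmf[104] = {
    0x01, 0x00,  0x09, 0x00,  0x00, 0x03,  0x34, 0x00, 0x00, 0x00,
    0x00, 0x00,  0x14, 0x00, 0x00, 0x00,  0x00, 0x00
};

/* Constructed sample with the field values from the gdb dump: the ASCII "0"
   fill (0x30) yields Version 12336, FileSize 808464432, MaxRecordSize 2133864496. */
const uint8_t crafted_wmf[18] = {
    0x01, 0x00,  0x09, 0x00,  0x30, 0x30,  0x30, 0x30, 0x30, 0x30,
    0x30, 0x30,  0x30, 0x30, 0x30, 0x7F,  0x30, 0x30
};

int main(void) {
    size_t n = 0;
    int rc = wmf_check_stream(benign_wmf, sizeof benign_wmf, &n);
    printf("benign:  rc=%d alloc=%llu bytes\n", rc, (unsigned long long)n);
    struct wmf_header h;
    wmf_header_parse(crafted_wmf, sizeof crafted_wmf, &h);
    rc = wmf_check_stream(crafted_wmf, sizeof crafted_wmf, &n);
    printf("crafted: rc=%d implied=%llu bytes (refused)\n", rc,
           (unsigned long long)wmf_record_bytes(&h));
    return 0;
}
```

With the dump's values the implied buffer is 2133864496 * 2 = 4267728992 bytes, consistent with the 0xfe609000-byte mapping ASan refused above once allocator overhead is added. Checking the field against the file length before the buffer is sized turns the abort into an ordinary parse error.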