
#446 allocation failure in ReadMNGImage

Milestone: v1.0_(example)
Status: closed-fixed
Labels: None
Priority: 5
Updated: 2017-08-22
Created: 2017-08-21
Creator: bestshow
Private: No

On GraphicsMagick 1.3.26 2017-07-04 Q8.

An allocation failure vulnerability was found in function ReadMNGImage.

==124737==ERROR: AddressSanitizer failed to allocate 0xff002000 (4278198272) bytes of LargeMmapAllocator (error code: 12)
==124737==Process memory map follows:
    0x000000400000-0x0000012e3000    /home/test/Downloads/GM-afl-build/bin/gm
    0x0000014e2000-0x0000014e5000    /home/test/Downloads/GM-afl-build/bin/gm
    0x0000014e5000-0x000001608000    /home/test/Downloads/GM-afl-build/bin/gm
    0x000001608000-0x00000228f000   
    0x00007fff7000-0x00008fff7000   
    0x00008fff7000-0x02008fff7000   
    0x02008fff7000-0x10007fff8000   
    0x600000000000-0x602000000000   
    0x602000000000-0x602000010000   
    0x602000010000-0x602e00000000   
    0x602e00000000-0x602e00010000   
    0x602e00010000-0x603000000000   
    0x603000000000-0x603000010000   
    0x603000010000-0x603e00000000   
    0x603e00000000-0x603e00010000   
    0x603e00010000-0x604000000000   
    0x604000000000-0x604000010000   
    0x604000010000-0x604e00000000   
    0x604e00000000-0x604e00010000   
    0x604e00010000-0x606000000000   
    0x606000000000-0x606000010000   
    0x606000010000-0x606e00000000   
    0x606e00000000-0x606e00010000   
    0x606e00010000-0x607000000000   
    0x607000000000-0x607000010000   
    0x607000010000-0x607e00000000   
    0x607e00000000-0x607e00010000   
    0x607e00010000-0x608000000000   
    0x608000000000-0x608000010000   
    0x608000010000-0x608e00000000   
    0x608e00000000-0x608e00010000   
    0x608e00010000-0x60a000000000   
    0x60a000000000-0x60a000010000   
    0x60a000010000-0x60ae00000000   
    0x60ae00000000-0x60ae00010000   
    0x60ae00010000-0x60b000000000   
    0x60b000000000-0x60b000010000   
    0x60b000010000-0x60be00000000   
    0x60be00000000-0x60be00010000   
    0x60be00010000-0x60c000000000   
    0x60c000000000-0x60c000010000   
    0x60c000010000-0x60ce00000000   
    0x60ce00000000-0x60ce00010000   
    0x60ce00010000-0x60f000000000   
    0x60f000000000-0x60f000010000   
    0x60f000010000-0x60fe00000000   
    0x60fe00000000-0x60fe00010000   
    0x60fe00010000-0x610000000000   
    0x610000000000-0x610000010000   
    0x610000010000-0x610e00000000   
    0x610e00000000-0x610e00010000   
    0x610e00010000-0x611000000000   
    0x611000000000-0x611000010000   
    0x611000010000-0x611e00000000   
    0x611e00000000-0x611e00010000   
    0x611e00010000-0x612000000000   
    0x612000000000-0x612000010000   
    0x612000010000-0x612e00000000   
    0x612e00000000-0x612e00010000   
    0x612e00010000-0x614000000000   
    0x614000000000-0x614000010000   
    0x614000010000-0x614e00000000   
    0x614e00000000-0x614e00010000   
    0x614e00010000-0x616000000000   
    0x616000000000-0x616000010000   
    0x616000010000-0x616e00000000   
    0x616e00000000-0x616e00010000   
    0x616e00010000-0x618000000000   
    0x618000000000-0x618000010000   
    0x618000010000-0x618e00000000   
    0x618e00000000-0x618e00010000   
    0x618e00010000-0x619000000000   
    0x619000000000-0x619000010000   
    0x619000010000-0x619e00000000   
    0x619e00000000-0x619e00010000   
    0x619e00010000-0x61a000000000   
    0x61a000000000-0x61a000010000   
    0x61a000010000-0x61ae00000000   
    0x61ae00000000-0x61ae00010000   
    0x61ae00010000-0x61e000000000   
    0x61e000000000-0x61e000010000   
    0x61e000010000-0x61ee00000000   
    0x61ee00000000-0x61ee00010000   
    0x61ee00010000-0x621000000000   
    0x621000000000-0x621000010000   
    0x621000010000-0x621e00000000   
    0x621e00000000-0x621e00010000   
    0x621e00010000-0x623000000000   
    0x623000000000-0x623000010000   
    0x623000010000-0x623e00000000   
    0x623e00000000-0x623e00010000   
    0x623e00010000-0x624000000000   
    0x624000000000-0x624000010000   
    0x624000010000-0x624e00000000   
    0x624e00000000-0x624e00010000   
    0x624e00010000-0x625000000000   
    0x625000000000-0x625000010000   
    0x625000010000-0x625e00000000   
    0x625e00000000-0x625e00010000   
    0x625e00010000-0x62a000000000   
    0x62a000000000-0x62a000010000   
    0x62a000010000-0x62ae00000000   
    0x62ae00000000-0x62ae00010000   
    0x62ae00010000-0x640000000000   
    0x640000000000-0x640000003000   
    0x7f2a5cdd7000-0x7f2a63300000    /usr/lib/locale/locale-archive
    0x7f2a63300000-0x7f2a63400000   
    0x7f2a63500000-0x7f2a63600000   
    0x7f2a63700000-0x7f2a63800000   
    0x7f2a63900000-0x7f2a63a00000   
    0x7f2a63a9f000-0x7f2a65df1000   
    0x7f2a65df1000-0x7f2a65df3000    /usr/lib64/libXau.so.6.0.0
    0x7f2a65df3000-0x7f2a65ff3000    /usr/lib64/libXau.so.6.0.0
    0x7f2a65ff3000-0x7f2a65ff4000    /usr/lib64/libXau.so.6.0.0
    0x7f2a65ff4000-0x7f2a65ff5000    /usr/lib64/libXau.so.6.0.0
    0x7f2a65ff5000-0x7f2a66016000    /usr/lib64/libxcb.so.1.1.0
    0x7f2a66016000-0x7f2a66215000    /usr/lib64/libxcb.so.1.1.0
    0x7f2a66215000-0x7f2a66216000    /usr/lib64/libxcb.so.1.1.0
    0x7f2a66216000-0x7f2a66217000    /usr/lib64/libxcb.so.1.1.0
    0x7f2a66217000-0x7f2a6621b000    /usr/lib64/libuuid.so.1.3.0
    0x7f2a6621b000-0x7f2a6641a000    /usr/lib64/libuuid.so.1.3.0
    0x7f2a6641a000-0x7f2a6641b000    /usr/lib64/libuuid.so.1.3.0
    0x7f2a6641b000-0x7f2a6641c000    /usr/lib64/libuuid.so.1.3.0
    0x7f2a6641c000-0x7f2a6645f000    /usr/lib64/libjpeg.so.62.1.0
    0x7f2a6645f000-0x7f2a6665f000    /usr/lib64/libjpeg.so.62.1.0
    0x7f2a6665f000-0x7f2a66660000    /usr/lib64/libjpeg.so.62.1.0
    0x7f2a66660000-0x7f2a66661000    /usr/lib64/libjpeg.so.62.1.0
    0x7f2a66661000-0x7f2a66671000   
    0x7f2a66671000-0x7f2a66827000    /usr/lib64/libc-2.17.so
    0x7f2a66827000-0x7f2a66a27000    /usr/lib64/libc-2.17.so
    0x7f2a66a27000-0x7f2a66a2b000    /usr/lib64/libc-2.17.so
    0x7f2a66a2b000-0x7f2a66a2d000    /usr/lib64/libc-2.17.so
    0x7f2a66a2d000-0x7f2a66a32000   
    0x7f2a66a32000-0x7f2a66a47000    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    0x7f2a66a47000-0x7f2a66c46000    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    0x7f2a66c46000-0x7f2a66c47000    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    0x7f2a66c47000-0x7f2a66c48000    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    0x7f2a66c48000-0x7f2a66c4a000    /usr/lib64/libdl-2.17.so
    0x7f2a66c4a000-0x7f2a66e4a000    /usr/lib64/libdl-2.17.so
    0x7f2a66e4a000-0x7f2a66e4b000    /usr/lib64/libdl-2.17.so
    0x7f2a66e4b000-0x7f2a66e4c000    /usr/lib64/libdl-2.17.so
    0x7f2a66e4c000-0x7f2a66e53000    /usr/lib64/librt-2.17.so
    0x7f2a66e53000-0x7f2a67052000    /usr/lib64/librt-2.17.so
    0x7f2a67052000-0x7f2a67053000    /usr/lib64/librt-2.17.so
    0x7f2a67053000-0x7f2a67054000    /usr/lib64/librt-2.17.so
    0x7f2a67054000-0x7f2a6706b000    /usr/lib64/libpthread-2.17.so
    0x7f2a6706b000-0x7f2a6726a000    /usr/lib64/libpthread-2.17.so
    0x7f2a6726a000-0x7f2a6726b000    /usr/lib64/libpthread-2.17.so
    0x7f2a6726b000-0x7f2a6726c000    /usr/lib64/libpthread-2.17.so
    0x7f2a6726c000-0x7f2a67270000   
    0x7f2a67270000-0x7f2a67370000    /usr/lib64/libm-2.17.so
    0x7f2a67370000-0x7f2a67570000    /usr/lib64/libm-2.17.so
    0x7f2a67570000-0x7f2a67571000    /usr/lib64/libm-2.17.so
    0x7f2a67571000-0x7f2a67572000    /usr/lib64/libm-2.17.so
    0x7f2a67572000-0x7f2a67587000    /usr/lib64/libz.so.1.2.7
    0x7f2a67587000-0x7f2a67786000    /usr/lib64/libz.so.1.2.7
    0x7f2a67786000-0x7f2a67787000    /usr/lib64/libz.so.1.2.7
    0x7f2a67787000-0x7f2a67788000    /usr/lib64/libz.so.1.2.7
    0x7f2a67788000-0x7f2a678e7000    /usr/lib64/libxml2.so.2.9.1
    0x7f2a678e7000-0x7f2a67ae6000    /usr/lib64/libxml2.so.2.9.1
    0x7f2a67ae6000-0x7f2a67aee000    /usr/lib64/libxml2.so.2.9.1
    0x7f2a67aee000-0x7f2a67af0000    /usr/lib64/libxml2.so.2.9.1
    0x7f2a67af0000-0x7f2a67af2000   
    0x7f2a67af2000-0x7f2a67b01000    /usr/lib64/libbz2.so.1.0.6
    0x7f2a67b01000-0x7f2a67d00000    /usr/lib64/libbz2.so.1.0.6
    0x7f2a67d00000-0x7f2a67d01000    /usr/lib64/libbz2.so.1.0.6
    0x7f2a67d01000-0x7f2a67d02000    /usr/lib64/libbz2.so.1.0.6
    0x7f2a67d02000-0x7f2a67d27000    /usr/lib64/liblzma.so.5.2.2
    0x7f2a67d27000-0x7f2a67f26000    /usr/lib64/liblzma.so.5.2.2
    0x7f2a67f26000-0x7f2a67f27000    /usr/lib64/liblzma.so.5.2.2
    0x7f2a67f27000-0x7f2a67f28000    /usr/lib64/liblzma.so.5.2.2
    0x7f2a67f28000-0x7f2a68060000    /usr/lib64/libX11.so.6.3.0
    0x7f2a68060000-0x7f2a68260000    /usr/lib64/libX11.so.6.3.0
    0x7f2a68260000-0x7f2a68261000    /usr/lib64/libX11.so.6.3.0
    0x7f2a68261000-0x7f2a68266000    /usr/lib64/libX11.so.6.3.0
    0x7f2a68266000-0x7f2a6827d000    /usr/lib64/libICE.so.6.3.0
    0x7f2a6827d000-0x7f2a6847c000    /usr/lib64/libICE.so.6.3.0
    0x7f2a6847c000-0x7f2a6847d000    /usr/lib64/libICE.so.6.3.0
    0x7f2a6847d000-0x7f2a6847e000    /usr/lib64/libICE.so.6.3.0
    0x7f2a6847e000-0x7f2a68482000   
    0x7f2a68482000-0x7f2a68489000    /usr/lib64/libSM.so.6.0.1
    0x7f2a68489000-0x7f2a68688000    /usr/lib64/libSM.so.6.0.1
    0x7f2a68688000-0x7f2a68689000    /usr/lib64/libSM.so.6.0.1
    0x7f2a68689000-0x7f2a6868a000    /usr/lib64/libSM.so.6.0.1
    0x7f2a6868a000-0x7f2a6869b000    /usr/lib64/libXext.so.6.4.0
    0x7f2a6869b000-0x7f2a6889a000    /usr/lib64/libXext.so.6.4.0
    0x7f2a6889a000-0x7f2a6889b000    /usr/lib64/libXext.so.6.4.0
    0x7f2a6889b000-0x7f2a6889c000    /usr/lib64/libXext.so.6.4.0
    0x7f2a6889c000-0x7f2a688b8000    /usr/lib64/libwmflite-0.2.so.7.0.1
    0x7f2a688b8000-0x7f2a68ab7000    /usr/lib64/libwmflite-0.2.so.7.0.1
    0x7f2a68ab7000-0x7f2a68ab8000    /usr/lib64/libwmflite-0.2.so.7.0.1
    0x7f2a68ab8000-0x7f2a68ab9000    /usr/lib64/libwmflite-0.2.so.7.0.1
    0x7f2a68ab9000-0x7f2a68ae2000    /usr/lib64/libpng15.so.15.13.0
    0x7f2a68ae2000-0x7f2a68ce2000    /usr/lib64/libpng15.so.15.13.0
    0x7f2a68ce2000-0x7f2a68ce3000    /usr/lib64/libpng15.so.15.13.0
    0x7f2a68ce3000-0x7f2a68ce4000    /usr/lib64/libpng15.so.15.13.0
    0x7f2a68ce4000-0x7f2a68d1d000    /usr/lib64/libjpeg.so.9.2.0
    0x7f2a68d1d000-0x7f2a68f1d000    /usr/lib64/libjpeg.so.9.2.0
    0x7f2a68f1d000-0x7f2a68f1e000    /usr/lib64/libjpeg.so.9.2.0
    0x7f2a68f1e000-0x7f2a68f1f000    /usr/lib64/libjpeg.so.9.2.0
    0x7f2a68f1f000-0x7f2a68f6e000    /usr/lib64/libjasper.so.1.0.0
    0x7f2a68f6e000-0x7f2a6916d000    /usr/lib64/libjasper.so.1.0.0
    0x7f2a6916d000-0x7f2a6916e000    /usr/lib64/libjasper.so.1.0.0
    0x7f2a6916e000-0x7f2a69172000    /usr/lib64/libjasper.so.1.0.0
    0x7f2a69172000-0x7f2a69179000   
    0x7f2a69179000-0x7f2a69219000    /usr/lib64/libfreetype.so.6.10.0
    0x7f2a69219000-0x7f2a69418000    /usr/lib64/libfreetype.so.6.10.0
    0x7f2a69418000-0x7f2a6941e000    /usr/lib64/libfreetype.so.6.10.0
    0x7f2a6941e000-0x7f2a6941f000    /usr/lib64/libfreetype.so.6.10.0
    0x7f2a6941f000-0x7f2a6948e000    /usr/lib64/libtiff.so.5.2.0
    0x7f2a6948e000-0x7f2a6968e000    /usr/lib64/libtiff.so.5.2.0
    0x7f2a6968e000-0x7f2a6968f000    /usr/lib64/libtiff.so.5.2.0
    0x7f2a6968f000-0x7f2a69692000    /usr/lib64/libtiff.so.5.2.0
    0x7f2a69692000-0x7f2a69693000   
    0x7f2a69693000-0x7f2a696e8000    /usr/lib64/liblcms2.so.2.0.6
    0x7f2a696e8000-0x7f2a698e7000    /usr/lib64/liblcms2.so.2.0.6
    0x7f2a698e7000-0x7f2a698e8000    /usr/lib64/liblcms2.so.2.0.6
    0x7f2a698e8000-0x7f2a698ed000    /usr/lib64/liblcms2.so.2.0.6
    0x7f2a698ed000-0x7f2a69939000    /usr/lib64/libwebp.so.4.0.2
    0x7f2a69939000-0x7f2a69b38000    /usr/lib64/libwebp.so.4.0.2
    0x7f2a69b38000-0x7f2a69b39000    /usr/lib64/libwebp.so.4.0.2
    0x7f2a69b39000-0x7f2a69b3a000    /usr/lib64/libwebp.so.4.0.2
    0x7f2a69b3a000-0x7f2a69b3d000   
    0x7f2a69b3d000-0x7f2a69b46000    /usr/lib64/libjbig.so.2.0
    0x7f2a69b46000-0x7f2a69d45000    /usr/lib64/libjbig.so.2.0
    0x7f2a69d45000-0x7f2a69d46000    /usr/lib64/libjbig.so.2.0
    0x7f2a69d46000-0x7f2a69d49000    /usr/lib64/libjbig.so.2.0
    0x7f2a69d49000-0x7f2a69d69000    /usr/lib64/ld-2.17.so
    0x7f2a69d93000-0x7f2a69f68000   
    0x7f2a69f68000-0x7f2a69f69000    /usr/lib64/ld-2.17.so
    0x7f2a69f69000-0x7f2a69f6a000    /usr/lib64/ld-2.17.so
    0x7f2a69f6a000-0x7f2a69f6b000   
    0x7fff9cefd000-0x7fff9cf1e000    [stack]
    0x7fff9cf87000-0x7fff9cf89000    [vdso]
    0xffffffffff600000-0xffffffffff601000    [vsyscall]
==124737==End of process memory map.
==124737==AddressSanitizer CHECK failed: /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4f3dbf in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x50b6e5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4fc380 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
    #3 0x504b5e in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132
    #4 0x42fe0f in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41
    #5 0x42fe0f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70
    #6 0x42fe0f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:407
    #7 0x4e9789 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
    #8 0xa5dd34 in ReadMNGImage /home/test/Downloads/GraphicsMagick-1.3.26/coders/png.c:3980:21
    #9 0x640fbd in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #10 0x6404f0 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
    #11 0x5aa668 in IdentifyImageCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8379:17
    #12 0x5af409 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #13 0x5f6472 in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #14 0x5f4daa in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #15 0x7f2a66692b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #16 0x4247fb in _start (/home/test/Downloads/GM-afl-build/bin/gm+0x4247fb)

The poc file is in the attachment.

Credit: ADLab of Venustech

1 Attachments

Discussion

  • Glenn Randers-Pehrson

    This is a small MNG file with a MEND chunk that has length ff000000.
    Confirmed that gm crashes on it.

     
  • Glenn Randers-Pehrson

    I've pushed a fix for Bob to check in.

    For completeness I tested a variant of the file with MEND length 7fffffff (the largest valid PNG chunk length) and, although there was a few-second delay while the malloc occurred, it did not crash.
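    The two comments above describe the shape of the problem: a chunk header whose 4-byte length field (here ff000000 on a MEND chunk) is used to size an allocation, while the largest length the PNG/MNG chunk format permits is 7fffffff. The C program below is an added example, not the attached PoC, not GraphicsMagick's png.c, and not the fix Glenn pushed; the function names (validate_chunk_header, read_chunk_data), the status codes and the three sample buffers are all constructed for illustration, and the trailing CRC bytes in the samples are placeholders that are not verified. It shows the bounds a reader can enforce on the length field before any malloc is sized from it: the spec maximum of 2^31 - 1, and the number of bytes actually left in the input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest chunk data length the PNG and MNG chunk format allows: 2^31 - 1. */
#define CHUNK_LENGTH_MAX 0x7FFFFFFFu

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_ERR_TRUNCATED_HEADER,    /* fewer than 8 bytes left for length + type */
    CHUNK_ERR_LENGTH_TOO_LARGE,    /* length field above 2^31 - 1 */
    CHUNK_ERR_LENGTH_EXCEEDS_FILE, /* data + 4-byte CRC would run past the input */
    CHUNK_ERR_OUT_OF_MEMORY        /* malloc failed for an otherwise valid chunk */
};

struct chunk_header {
    uint32_t length;   /* declared data length */
    char     type[5];  /* chunk type as a NUL-terminated string, e.g. "MEND" */
};

/* Decode a big-endian 32-bit integer, the encoding used by chunk length fields. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate the chunk header at byte offset `off` of a `file_size`-byte buffer.
 * Nothing is allocated here; callers size buffers only after CHUNK_OK. */
enum chunk_status validate_chunk_header(const unsigned char *file, size_t file_size,
                                        size_t off, struct chunk_header *out)
{
    if (off > file_size || file_size - off < 8)
        return CHUNK_ERR_TRUNCATED_HEADER;

    uint32_t length = read_be32(file + off);
    if (length > CHUNK_LENGTH_MAX)          /* rejects 0xff000000 outright */
        return CHUNK_ERR_LENGTH_TOO_LARGE;

    /* Bytes left after the 8-byte header must cover the data plus its CRC,
     * so a spec-legal 0x7fffffff is still rejected on a 20-byte file. */
    size_t remaining = file_size - off - 8;
    if ((size_t)length > remaining || remaining - (size_t)length < 4)
        return CHUNK_ERR_LENGTH_EXCEEDS_FILE;

    if (out) {
        out->length = length;
        memcpy(out->type, file + off + 4, 4);
        out->type[4] = '\0';
    }
    return CHUNK_OK;
}

/* Copy the chunk data into a fresh buffer only after the header passed
 * validation, so the allocation is bounded by the input size rather than by
 * a field chosen by whoever wrote the file. NULL means rejection; *status
 * says why. The CRC is not checked in this example. */
unsigned char *read_chunk_data(const unsigned char *file, size_t file_size, size_t off,
                               struct chunk_header *hdr, enum chunk_status *status)
{
    *status = validate_chunk_header(file, file_size, off, hdr);
    if (*status != CHUNK_OK)
        return NULL;
    /* MEND carries no data (length 0); allocate at least one byte so that a
     * NULL return always means rejection. */
    unsigned char *data = malloc(hdr->length ? hdr->length : 1);
    if (data == NULL) {
        *status = CHUNK_ERR_OUT_OF_MEMORY;
        return NULL;
    }
    memcpy(data, file + off + 8, hdr->length);
    return data;
}

/* Constructed sample inputs (not the attached PoC): the 8-byte MNG signature
 * followed by a single MEND chunk. The last 4 bytes are a placeholder CRC. */
#define MNG_SIG 0x8A, 'M', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A
static const unsigned char SAMPLE_MEND_OK[]   = { MNG_SIG, 0x00,0x00,0x00,0x00, 'M','E','N','D', 0,0,0,0 };
static const unsigned char SAMPLE_MEND_FF[]   = { MNG_SIG, 0xFF,0x00,0x00,0x00, 'M','E','N','D', 0,0,0,0 };
static const unsigned char SAMPLE_MEND_7FFF[] = { MNG_SIG, 0x7F,0xFF,0xFF,0xFF, 'M','E','N','D', 0,0,0,0 };

int main(void)
{
    const struct { const char *name; const unsigned char *buf; size_t len; } samples[] = {
        { "MEND length 0x00000000", SAMPLE_MEND_OK,   sizeof SAMPLE_MEND_OK },
        { "MEND length 0xff000000", SAMPLE_MEND_FF,   sizeof SAMPLE_MEND_FF },
        { "MEND length 0x7fffffff", SAMPLE_MEND_7FFF, sizeof SAMPLE_MEND_7FFF },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct chunk_header hdr;
        enum chunk_status st;
        /* the chunk header follows the 8-byte signature, hence offset 8 */
        unsigned char *data = read_chunk_data(samples[i].buf, samples[i].len, 8, &hdr, &st);
        printf("%s -> status %d (%s)\n", samples[i].name, (int)st,
               data ? "allocated" : "rejected before malloc");
        free(data);
    }
    return 0;
}
```

    The ordering of the checks matters: the spec-maximum test catches the grossly out-of-range value, and the remaining-bytes test catches a value that is legal in the abstract but impossible for this particular input, which is the case Glenn's 7fffffff variant exercises. Either check alone would have prevented the 4 GB request seen in the report; both together keep the allocation proportional to what was actually read.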

     
  • Glenn Randers-Pehrson

    • status: open --> pending
    • assigned_to: Glenn Randers-Pehrson
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-08-22
    • status: pending --> closed-fixed
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-08-22

    I am not seeing any large memory usage with the test case after Glenn's fix.

     
