Bug 1179298 (CVE-2014-8158)

Summary: CVE-2014-8158 jasper: unrestricted stack memory use in jpc_qmfb.c (oCERT-2015-001)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acathrow, alonbl, bazulay, bmcclain, cfergeau, dblechte, ecohen, gklein, idith, iheim, jpopelka, jrusnack, lsurette, michal.skrivanek, rbalakri, security-response-team, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 1.900.2 Doc Type: Bug Fix
Doc Text:
An unrestricted stack memory use flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-18 13:25:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1183679, 1183680, 1183681, 1183682, 1184750, 1184751, 1184752, 1184753    
Bug Blocks: 1167538, 1179289    
Attachments:
Description Flags
jpc_qmfb.c.patch
none
do not define HAVE_VLA none

Description Vasyl Kaigorodov 2015-01-06 14:39:01 UTC
oCERT reports an issue in jasper discovered by pyddeh:

"""

In jpc_qmfb.c JasPer uses variable length arrays where the sizes are
derived from the codestream data, e.g. jpc_qmfb.c:305:

    void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
    {

        int bufsize = JPC_CEILDIVPOW2(numcols, 1);
    #if !defined(HAVE_VLA)
        jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
    #else
        jpc_fix_t splitbuf[bufsize];
    #endif
        jpc_fix_t *buf = splitbuf;

Here, numcols is from the codestream, in other places its numrows. I'm not
sure how bad this is, but some broken codestreams i generated crashed there
with negative numbers, which i think is dangerous if combined with VLAs.

Fix proposal: remove the VLA code (see attached patch).

"""

Acknowledgement:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges pyddeh as the original reporter.

Comment 1 Vasyl Kaigorodov 2015-01-06 14:40:49 UTC
Created attachment 976831 [details]
jpc_qmfb.c.patch

Comment 2 Jiri Popelka 2015-01-08 11:44:13 UTC
Created attachment 977736 [details]
do not define HAVE_VLA

(In reply to Vasyl Kaigorodov from comment #0)
> some broken codestreams i generated crashed there
> with negative numbers, which i think is dangerous if combined with VLAs.

Can you perhaps upload such file(s) ?

> Fix proposal: remove the VLA code (see attached patch).

This can more easily be achieved by not defining HAVE_VLA, see my patch.

Comment 3 Tomas Hoger 2015-01-09 12:24:04 UTC
This does not seem to be a buffer overflow issue.  The problem that was reported is that if HAVE_VLA is defined, size of the stack-based splitbuf[] or joinbuf[] is determined at runtime based on the values from the processed image.  This approach has drawback that there's no real error check used - allocation of the buffer is done by subtracting from the stack pointer.  As a consequence, splitbuf[] / joinbuf[] start may be outside of the stack memory - typically unmapped memory, but may reach to stack memory of other threads and possibly heap memory.  Use of such buffer leads to memory corruption.  Given how those buffers are used, program will crash on attempt to access unmapped memory before the end of the affected functions is reached.  Hence exploit would require race against other thread or signal handler.

Proposed fix removes the use of variable length arrays, which make jasper use fixed size stack array, or allocate memory from heap if larger buffer is needed.

(In reply to Jiri Popelka from comment #2)
> Can you perhaps upload such file(s) ?

No reproducer is available, oCERT / original reporter may or may not be able to provide one.

> > Fix proposal: remove the VLA code (see attached patch).
> 
> This can more easily be achieved by not defining HAVE_VLA, see my patch.

Agree, either approach should work.  As HAVE_VLA is not used elsewhere in the jasper sources, fixes should be equivalent.  Complete removal makes it less likely to have code re-enabled by accident in the future.

Comment 5 Jiri Popelka 2015-01-09 13:02:24 UTC
Now it makes much more sense, thank you Thomas !

Comment 10 Tomas Hoger 2015-01-22 08:36:58 UTC
Public now via oCERT-2015-001.

External References:

http://www.ocert.org/advisories/ocert-2015-001.html

Comment 11 Tomas Hoger 2015-01-22 08:39:36 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184751]
Affects: epel-7 [bug 1184753]

Comment 12 Tomas Hoger 2015-01-22 08:39:39 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184750]
Affects: epel-5 [bug 1184752]

Comment 13 Tomas Hoger 2015-01-22 09:41:20 UTC
Patch that was added to Fedora jasper packages:

http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8158.patch

Comment 14 Ján Rusnačko 2015-01-22 14:49:40 UTC
Statement:

(none)

Comment 15 errata-xmlrpc 2015-01-22 21:14:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0074 https://rhn.redhat.com/errata/RHSA-2015-0074.html

Comment 16 Fedora Update System 2015-02-02 17:21:38 UTC
mingw-jasper-1.900.1-26.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-02-02 17:23:28 UTC
mingw-jasper-1.900.1-26.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2015-02-09 05:28:31 UTC
jasper-1.900.1-30.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2015-02-09 05:32:34 UTC
jasper-1.900.1-28.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2015-02-14 02:46:52 UTC
mingw-jasper-1.900.1-26.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 errata-xmlrpc 2015-03-18 12:12:54 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html

Comment 22 Fedora Update System 2015-05-11 00:53:25 UTC
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Tomas Hoger 2016-11-23 21:56:15 UTC
Fix was integrated upstream in version 1.900.2:

https://github.com/mdadams/jasper/commit/0d64bde2b3ba7e1450710d540136a8ce4199ef30