Bug 1388828 (CVE-2016-8887)
Summary: | CVE-2016-8887 jasper: uninitialized pointer use in jp2_box_get() | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | abhgupta, bmcclain, cfergeau, dblechte, dmcphers, eedri, erik-fedora, gklein, jialiu, jokerman, jridky, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, slawomir, srevivo, tiwillia, ykaul, ylavi
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | jasper 1.900.10 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2016-12-12 14:06:55 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1388873, 1388874, 1388875, 1388876 | |
Bug Blocks: | 1314477 | |
Description
Adam Mariš
2016-10-26 09:21:17 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388874]
Affects: epel-7 [bug 1388876]

Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388873]
Affects: epel-5 [bug 1388875]

This isn't actually a NULL pointer dereference issue, but rather a use of an uninitialized pointer. In the jp2_box_get() function, a variable box of type jp2_box_t is allocated using jas_malloc(). Data parsed from a read file is stored in the structure. However, if certain errors occur while parsing, the structure is destroyed using jp2_box_destroy() before it was fully initialized. jp2_box_destroy() calls box type specific destroy functions, such as jp2_colr_destroy() mentioned in the original report, which contains code like this:

```c
static void jp2_colr_destroy(jp2_box_t *box)
{
	jp2_colr_t *colr = &box->data.colr;
	if (colr->iccp) {
		jas_free(colr->iccp);
	}
}
```

As colr->iccp has not been initialized yet, this leads to an attempt to free an invalid pointer. It seems an attacker may be able to trigger freeing of an attacker-controlled pointer, which may lead to a use after free. Therefore, the impact of this problem does not seem limited to an application crash.

This problem did not affect jasper packages in Red Hat Enterprise Linux 6 and 7, as they include the following change as part of the patch for CVE-2008-3520:

```diff
+++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
 	box = 0;
 	tmpstream = 0;
-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
 		goto error;
```

As jas_calloc() is used to allocate memory instead of jas_malloc(), uninitialized fields of the box are guaranteed to be 0 / NULL, avoiding problematic jas_free() calls in jp2_*_destroy() functions.

Original reporter's advisory:
https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c/

Relevant info from the advisory:

jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)

Another round of fuzzing on an updated version (1.900.5) revealed a NULL pointer access in jp2_colr_destroy.

The complete ASan output:

```
# imginfo -f $FILE
cannot copy box data
ASAN:DEADLYSIGNAL
=================================================================
==19664==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc50768570 T0)
    #0 0x41defc in atomic_compare_exchange_strong /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:465
    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:525
    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:709
    #4 0x4c008c in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:41
    #5 0x7f8dcb5bc940 in jp2_colr_destroy /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:443:3
    #6 0x7f8dcb5c1f69 in jp2_box_destroy /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:211:3
    #7 0x7f8dcb5c1f69 in jp2_box_get /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:307
    #8 0x7f8dcb5c5dc0 in jp2_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:156:16
    #9 0x7f8dcb556f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #10 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #11 0x7f8dca66561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==19664==ABORTING
```

Upstream bug report:
https://github.com/mdadams/jasper/issues/34

The following fix was applied in version 1.900.10:
https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d

However, the above fix was found to be incomplete. There is this follow-up advisory from the original reporter:
https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887/

Relevant info from the advisory:

jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887)

Another round of fuzzing on an updated version (1.900.10) revealed that the NULL pointer access identified as CVE-2016-8887, which upstream declared to be fixed in version 1.900.10, is still here.

The complete ASan output:

```
# imginfo -f $FILE
ASAN:DEADLYSIGNAL
=================================================================
==20885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc4e4a4550 T0)
    #0 0x41defc in atomic_compare_exchange_strong /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:465
    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:525
    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:709
    #4 0x4c008c in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:41
    #5 0x7faeeeb2d430 in jp2_colr_destroy /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:450:3
    #6 0x7faeeeb32b0e in jp2_box_destroy /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:211:3
    #7 0x7faeeeb32b0e in jp2_box_get /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:314
    #8 0x7faeeeb369a0 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:156:16
    #9 0x7faeeeac6a29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16
    #10 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16
    #11 0x7faeedbd361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==20885==ABORTING
```

Upstream bug report:
https://github.com/mdadams/jasper/issues/45

Upstream fix applied in version 1.900.13:
https://github.com/mdadams/jasper/commit/bdfe95a6e81ffb4b2fad31a76b57943695beed20

*** Bug 1388829 has been marked as a duplicate of this bug. ***
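The following is an added illustration of the allocation-and-error-path pattern discussed above; it is example code written for this page, not jasper's code and not part of the bug report. A cut-down box reader sets the box type from the header before it parses the payload, so a payload error reaches a type-specific destroy function on a partially filled box, exactly the situation jp2_box_get() / jp2_colr_destroy() are in. Allocating the box with calloc() (the role jas_calloc() plays in the RHEL patch) keeps every owned pointer NULL until it is really assigned, which is what makes the `if (colr->iccp)` guard in the destroy function trustworthy. All names here (box_t, colr_t, box_get, box_destroy, parse_and_destroy, g_iccp_frees), the 'colr' payload layout with its "method 2 means a profile is present" rule, and the three byte inputs are assumptions constructed for the example; the ICC profile is treated as an opaque byte run and no real JP2 parsing takes place.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a JP2-style box reader (example code, not jasper's).
 * Constructed input layout: 4-byte big-endian box length (header included),
 * 4-byte type tag, then the payload.  A 'colr' payload is one method byte
 * followed by an opaque ICC profile that the box owns via data.colr.iccp. */
#define BOX_TYPE_COLR 0x636f6c72u   /* 'colr' */
#define COLR_METH_ICC 2             /* assumed: method 2 means "profile present" */

typedef struct {
    uint8_t  meth;
    uint8_t *iccp;      /* owned heap buffer, NULL until a profile was read */
    size_t   iccplen;
} colr_t;

typedef struct {
    uint32_t type;
    uint32_t len;
    union {
        colr_t colr;    /* other box kinds would share this union */
    } data;
} box_t;

/* Observable side effect for the checks below: how many profiles were freed. */
static int g_iccp_frees = 0;

static void colr_destroy(box_t *box)
{
    colr_t *colr = &box->data.colr;
    /* Same guard as jp2_colr_destroy() in the report.  It is only meaningful
     * because box_get() allocates with calloc(): with malloc() a box whose
     * payload parsing failed early would carry whatever the heap held here
     * (under ASan its fill byte 0xbe, consistent with the bp value in the
     * traces above) and free() would run on that garbage pointer. */
    if (colr->iccp) {
        free(colr->iccp);
        colr->iccp = NULL;
        g_iccp_frees++;
    }
}

static void box_destroy(box_t *box)
{
    /* The type is already set when payload parsing fails, so the
     * type-specific destructor always runs on an error box of that type. */
    if (box->type == BOX_TYPE_COLR)
        colr_destroy(box);
    free(box);
}

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one box.  Returns NULL on any error, after destroying the partial box. */
static box_t *box_get(const uint8_t *buf, size_t buflen)
{
    box_t *box;

    if (buflen < 8)
        return NULL;
    /* calloc(), not malloc(): every pointer inside the union starts NULL, so
     * the error path may call box_destroy() however far parsing got. */
    if (!(box = calloc(1, sizeof *box)))
        return NULL;
    box->len  = rd32(buf);
    box->type = rd32(buf + 4);
    if (box->len < 8 || box->len > buflen)
        goto error;                 /* header claims more data than present */
    if (box->type == BOX_TYPE_COLR) {
        colr_t *colr = &box->data.colr;
        size_t plen = box->len - 8;
        if (plen < 1)
            goto error;             /* truncated before the method byte */
        colr->meth    = buf[8];
        colr->iccplen = plen - 1;
        if (colr->iccplen) {
            if (!(colr->iccp = malloc(colr->iccplen)))
                goto error;
            memcpy(colr->iccp, buf + 9, colr->iccplen);
        }
        if (colr->meth != COLR_METH_ICC && colr->iccplen)
            goto error;             /* profile bytes present but method says none */
    }
    return box;

error:
    box_destroy(box);               /* safe on a partial box thanks to calloc() */
    return NULL;
}

/* Parses and immediately destroys; returns the profile length or -1 on error. */
static int parse_and_destroy(const uint8_t *buf, size_t buflen)
{
    box_t *box = box_get(buf, buflen);
    int n;
    if (!box)
        return -1;
    n = (int)box->data.colr.iccplen;
    box_destroy(box);
    return n;
}

/* Constructed sample inputs: header says 20 bytes but only 10 follow (error
 * before any profile is allocated); method 1 with profile bytes (error after
 * allocation); and a well-formed method-2 box with a 4-byte profile. */
static const uint8_t TRUNCATED_COLR[] = { 0, 0, 0, 20, 'c', 'o', 'l', 'r', 2, 0 };
static const uint8_t BAD_METH_COLR[]  = { 0, 0, 0, 13, 'c', 'o', 'l', 'r', 1, 0xaa, 0xbb, 0xcc, 0xdd };
static const uint8_t GOOD_COLR[]      = { 0, 0, 0, 13, 'c', 'o', 'l', 'r', 2, 0xaa, 0xbb, 0xcc, 0xdd };

int main(void)
{
    const uint8_t *in[] = { TRUNCATED_COLR, BAD_METH_COLR, GOOD_COLR };
    const size_t   n[]  = { sizeof TRUNCATED_COLR, sizeof BAD_METH_COLR, sizeof GOOD_COLR };
    for (size_t i = 0; i < 3; i++) {
        int r = parse_and_destroy(in[i], n[i]);
        printf("input %zu: result %d, profiles freed so far %d\n", i, r, g_iccp_frees);
    }
    return 0;
}
```

The truncated input is the interesting one: the type-specific destroy runs on a box whose payload was never parsed, and it is harmless only because the zeroed allocation made `iccp` NULL. Changing that single calloc() to malloc() reproduces the class of defect the report describes, and a sanitizer build with a malloc fill pattern (as in the traces above) is the cheapest way to catch such an error path in a test corpus, since the bad free shows up as a crash inside free() rather than as a silent heap inconsistency.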