Bug 1536856
| Summary: | [abrt] atril: ev_page_cache_schedule_job_if_needed(): atril killed by SIGSEGV | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kyle Marek <psppsn96> | ||||||||||||||||||||||||||||
| Component: | atril | Assignee: | Wolfgang Ulbrich <raveit65.sun> | ||||||||||||||||||||||||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||||||||||||||||||
| Severity: | unspecified | Docs Contact: | |||||||||||||||||||||||||||||
| Priority: | unspecified | ||||||||||||||||||||||||||||||
| Version: | 27 | CC: | psppsn96, raveit65.sun, samtygier | ||||||||||||||||||||||||||||
| Target Milestone: | --- | ||||||||||||||||||||||||||||||
| Target Release: | --- | ||||||||||||||||||||||||||||||
| Hardware: | x86_64 | ||||||||||||||||||||||||||||||
| OS: | Unspecified | ||||||||||||||||||||||||||||||
| URL: | https://retrace.fedoraproject.org/faf/reports/bthash/96536f43b6520cd52adb990390e7082acb9e93a5 | ||||||||||||||||||||||||||||||
| Whiteboard: | abrt_hash:008cb9f2e107858487e96f970cb9dbc3d730d3da; | ||||||||||||||||||||||||||||||
| Fixed In Version: | atril-1.19.6-4.fc27 | Doc Type: | If docs needed, set a value | ||||||||||||||||||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||||||||||||||||||
| Clone Of: | Environment: | ||||||||||||||||||||||||||||||
| Last Closed: | 2018-03-30 13:55:13 UTC | Type: | --- | ||||||||||||||||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||||||||||||||
| Embargoed: | |||||||||||||||||||||||||||||||
| Attachments: |
|
||||||||||||||||||||||||||||||
|
Description
Kyle Marek
2018-01-21 18:23:40 UTC
Created attachment 1384101 [details]
File: backtrace
Created attachment 1384102 [details]
File: cgroup
Created attachment 1384103 [details]
File: core_backtrace
Created attachment 1384104 [details]
File: cpuinfo
Created attachment 1384105 [details]
File: dso_list
Created attachment 1384106 [details]
File: environ
Created attachment 1384107 [details]
File: exploitable
Created attachment 1384108 [details]
File: limits
Created attachment 1384109 [details]
File: maps
Created attachment 1384110 [details]
File: mountinfo
Created attachment 1384111 [details]
File: open_fds
Created attachment 1384112 [details]
File: proc_pid_status
Seems like it is 100% reproducible when opening the resulting file of `truncate --size=4M /tmp/325462-sdm-vol-1-2abcd-3abcd.pdf`. In this example, /tmp/325462-sdm-vol-1-2abcd-3abcd.pdf was the completed download of https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf evince, which has a lot of deviations but shares a codebase ancestor with atril, is unaffected. Might be worth investigating if they have a fix? Similar problem has been detected: rewriting a pdf that is open in atril reporter: libreport-2.9.3 backtrace_rating: 4 cmdline: atril test.pdf crash_function: ev_page_cache_schedule_job_if_needed executable: /usr/bin/atril journald_cursor: s=b0fd28a48c3e497fb4bb0da91df759c4;i=5c3fa;b=749775ad35a64145a901671015b402e6;m=4d5138a57f;t=56751d2993385;x=537b374017e5a6c0 kernel: 4.15.6-300.fc27.x86_64 package: atril-1.19.6-1.fc27 reason: atril killed by SIGSEGV rootdir: / runlevel: N 5 type: CCpp uid: 1000 I opened your pdf from given link with that fixed scratch build and the document doesn't crash. Can you please try this scratch build? https://koji.fedoraproject.org/koji/taskinfo?taskID=25681394 I think you forgot to truncate the PDF after downloading. Issue applies to the scratch build when reading the same PDF truncated to 4M. How should that work? And why? No it should not "work" [1], but it should not crash Atril. This indicates there is a bug in Atril, and is potentially exploitable (jump to an invalid address). See: https://bugzilla.redhat.com/attachment.cgi?id=1384107 While it is true that there is such a thing as "untrusted data", it is a bug for a program to consciously handle input data as such; it means missing error-handling. It makes relatively harmless formats like plain images capable of inducing the execution of native code. Example: https://www.kb.cert.org/vuls/id/189754 [1]: Or maybe it could work. See: https://github.com/mozilla/pdf.js/wiki/Frequently-Asked-Questions/e81e9207c1d6a90d9e89f517ce3bf25f3d8d8f90#corrupted-pdf Whoops! Correction: it is a bug for a program to *not* consciously handle input data as such Created attachment 1408605 [details]
test pdf
I can still reproduce with the koji build atril-1.19.6-2.fc27.x86_64.
I have attached a truncated version of the pdf from intel, which triggers the crash.
Can you please test this new scratch build? This fixes the problem with a truncated pdf for me. https://koji.fedoraproject.org/koji/taskinfo?taskID=25840846 That build works as expected with various truncations of this PDF. atril-1.19.6-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b atril-1.19.6-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b atril-1.19.6-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b atril-1.19.6-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b atril-1.19.6-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. |