Bug 1575188
Summary: Stack Buffer Overflow in calling glib in gxps_images_guess_content_type of gcontenttype.c

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Component | libgxps |
| Version | 7.5-Alt |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | chenyuan <bugzilla> |
| Assignee | Marek Kašík <mkasik> |
| CC | carnil, herrold, jkoten, tpelka |
| Target Milestone | rc |
| Target Release | --- |
| Fixed In Version | libgxps-0.3.0-3.el7 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2018-10-30 10:26:16 UTC |
| Attachments | POC_glib_stackoverflow.xps (attachment 1431678) |
Thank you for this report. I've found an issue in one of current patches we have + an upstream patch needed to resolve this. I'm giving this bug devel_ack+.

This issue was assigned CVE-2018-10767

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140
Created attachment 1431678 [details]
POC_glib_stackoverflow.xps

Description of problem:
Stack Buffer Overflow in calling glib in gxps_images_guess_content_type of gcontenttype.c

Version-Release number of selected component (if applicable):
libgxps <= 0.3.0
glib 2.0-2.56.1

How reproducible:

```
$ ./xpstojpeg POC_glib_stackoverflow.xps
Error rendering page 1: Error rendering page /Documents/1/Pages/1.fpage: Font source /Resources/18FA7CE1-4E72-1633-2736-9421A12AEF65.odttf not found in archive
Error rendering page 2: Error rendering page /Documents/1/Pages/2.fpage: Font source /Resources/18FA7CE1-4E72-1633-2736-9421A12AEF65.odttf not found in archive
Error rendering page 3: Error rendering page /Documents/1/Pages/3.fpage: Font source /Resources/18FA7CE1-4E72-1633-2736-9421A12AEF65.odttf not found in archive
Error rendering page 4: Error rendering page /Documents/1/Pages/4.fpage: Font source /Resources/18FA7CE1-4E72-1633-2736-9421A12AEF65.odttf not found in archive
=================================================================
==63668==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc4ef3f310 at pc 0x5654ae04feb7 bp 0x7ffc4ef3ea90 sp 0x7ffc4ef3ea80
READ of size 1 at 0x7ffc4ef3f310 thread T0
    #0 0x5654ae04feb6 in cache_magic_matchlet_compare_to_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:204
    #1 0x5654ae050028 in cache_magic_matchlet_compare /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:230
    #2 0x5654ae0502b6 in cache_magic_compare_to_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:262
    #3 0x5654ae050544 in cache_magic_lookup_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:298
    #4 0x5654ae0529a9 in cache_get_mime_type_for_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:746
    #5 0x5654ae052c27 in __gio_xdg_cache_get_mime_type_for_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:776
    #6 0x5654ae04de68 in _gio_xdg_get_mime_type_for_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmime.c:469
    #7 0x5654ae02c170 in g_content_type_guess /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/gcontenttype.c:686
    #8 0x5654adfa64cc in gxps_images_guess_content_type /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-images.c:894
    #9 0x5654adfa669c in gxps_images_get_image /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-images.c:930
    #10 0x5654adf748fa in gxps_page_get_image /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:94
    #11 0x5654adf96280 in brush_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-brush.c:974
    #12 0x5654ae2b9576 in emit_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/glib/gmarkup.c:1076
    #13 0x5654ae2bc9a0 in g_markup_parse_context_parse /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/glib/gmarkup.c:1618
    #14 0x5654adf8266b in gxps_parse_stream /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-parse-utils.c:184
    #15 0x5654adf7ba46 in gxps_page_parse_for_rendering /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:992
    #16 0x5654adf80c91 in gxps_page_render /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:1694
    #17 0x5654adf69ac5 in gxps_converter_run /home/v-fuzz/libgxps-0.2.5/tools/gxps-converter.c:322
    #18 0x5654adf65a32 in main /home/v-fuzz/libgxps-0.2.5/tools/gxps-converter-main.c:42
    #19 0x7efd325c8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #20 0x5654adf658c9 in _start (/home/v-fuzz/libgxps-0.2.5/tools/xpstopng+0x1328c9)

Address 0x7ffc4ef3f310 is located in stack of thread T0 at offset 1056 in frame
    #0 0x5654adfa63c4 in gxps_images_guess_content_type /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-images.c:883

  This frame has 1 object(s):
    [32, 1056) 'buffer' <== Memory access at offset 1056 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:204 in cache_magic_matchlet_compare_to_data
Shadow bytes around the buggy address:
  0x100009ddfe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100009ddfe60: 00 00[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==63668==ABORTING
```

This vulnerability was due to libgxps/gxps-images.c:894

```c
880 static gchar *
881 gxps_images_guess_content_type (GXPSArchive *zip,
882                                 const gchar *image_uri)
883 {
884         GInputStream *stream;
885         guchar        buffer[1024];
886         gssize        bytes_read;
887         gchar        *mime_type;
888
889         stream = gxps_archive_open (zip, image_uri);
890         if (!stream)
891                 return NULL;
892
893         bytes_read = g_input_stream_read (stream, buffer, 1024, NULL, NULL);
894         mime_type = g_content_type_guess (NULL, buffer, bytes_read, NULL);
895         g_object_unref (stream);
896
897         return mime_type;
898 }
```

In gdb debugging, we found that g_input_stream_read returned a negative value, -20, which leads to a further stack overflow in g_content_type_guess.

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by NESA Lab (nesa.zju.edu.cn) with our custom fuzzer v-fuzz. Please contact liyuwei23 and chenyuan.cn if you need more info about the team, the tool or the vulnerability.
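The root cause in the report is a signed-to-unsigned length conversion: `g_input_stream_read()` returns a `gssize` and yields a negative value on error (the reporter saw -20), but `g_content_type_guess()` takes its `data_size` as a `gsize`, so the negative count becomes a length near `SIZE_MAX` and xdgmime's matchlet comparison reads far past the 1024-byte stack buffer. The following is an added, self-contained C model of that bug and of the check a fix needs; it is not code from the bug report, from libgxps or from GLib. The names `read_fn`, `guess_content_type`, `guess_from_bytes`, `unchecked_data_size`, `MAGIC_TABLE`, the sample readers and the sample bytes are all assumptions made for this example; only the GLib return-type semantics it models (signed byte count, negative on error, passed into an unsigned size) are taken from the report.

```c
/* Added example, not from the bug report, libgxps or GLib. All names
 * below are assumptions for illustration; the signed/unsigned length
 * hand-off is the real pattern behind the ASan report. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Reader with g_input_stream_read() semantics: bytes read, 0 at EOF,
 * negative on error. */
typedef ssize_t (*read_fn)(void *ctx, unsigned char *buf, size_t count);

struct magic { const char *mime; size_t offset; const unsigned char *bytes; size_t len; };

static const unsigned char PNG_SIG[]  = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
static const unsigned char JPEG_SIG[] = {0xff, 0xd8, 0xff};
static const unsigned char GIF_SIG[]  = {'G', 'I', 'F', '8'};

static const struct magic MAGIC_TABLE[] = {
    {"image/png",  0, PNG_SIG,  sizeof PNG_SIG},
    {"image/jpeg", 0, JPEG_SIG, sizeof JPEG_SIG},
    {"image/gif",  0, GIF_SIG,  sizeof GIF_SIG},
};

/* Matchlet compare that trusts the caller's len, as a MIME sniffer must:
 * if len is wrong, every bounds check derived from it is wrong too. */
static int matchlet_matches(const struct magic *m, const unsigned char *data, size_t len)
{
    if (m->offset > len || len - m->offset < m->len)
        return 0;
    return memcmp(data + m->offset, m->bytes, m->len) == 0;
}

const char *guess_from_bytes(const unsigned char *data, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof MAGIC_TABLE / sizeof MAGIC_TABLE[0]; i++)
        if (matchlet_matches(&MAGIC_TABLE[i], data, len))
            return MAGIC_TABLE[i].mime;
    return NULL;
}

/* What the unchecked call in the original code hands to the sniffer:
 * the gssize -20 seen in gdb becomes SIZE_MAX - 19 once it is a gsize,
 * so every matchlet offset looks in-bounds for a 1024-byte buffer. */
size_t unchecked_data_size(ssize_t bytes_read)
{
    return (size_t)bytes_read;
}

/* Hardened equivalent of the 1024-byte sniffing routine: reject the
 * error return before the signed count is reinterpreted as a size. */
const char *guess_content_type(read_fn reader, void *ctx)
{
    unsigned char buffer[1024];
    ssize_t bytes_read = reader(ctx, buffer, sizeof buffer);

    if (bytes_read < 0)   /* the check the original function lacks */
        return NULL;
    if (bytes_read == 0)  /* empty stream: nothing to sniff */
        return NULL;
    return guess_from_bytes(buffer, (size_t)bytes_read);
}

/* Constructed sample sources (not derived from the PoC file). */
struct mem_src { const unsigned char *data; size_t len; size_t pos; };

ssize_t mem_reader(void *ctx, unsigned char *buf, size_t count)
{
    struct mem_src *s = ctx;
    size_t n = s->len - s->pos;
    if (n > count) n = count;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Models the archive read failure the PoC provokes: -20 as seen in gdb. */
ssize_t failing_reader(void *ctx, unsigned char *buf, size_t count)
{
    (void)ctx; (void)buf; (void)count;
    return -20;
}

const unsigned char SAMPLE_PNG[] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
                                    0, 0, 0, 13, 'I', 'H', 'D', 'R'};

int main(void)
{
    struct mem_src png = {SAMPLE_PNG, sizeof SAMPLE_PNG, 0};
    const char *t = guess_content_type(mem_reader, &png);
    printf("png sample: %s\n", t ? t : "(unknown)");
    printf("failing reader: %s\n", guess_content_type(failing_reader, NULL) ? "matched" : "rejected");
    printf("unchecked size for -20: %zu\n", unchecked_data_size(-20));
    return 0;
}
```

When auditing a GLib-based code base for the same class of bug, look for every place a `gssize` from `g_input_stream_read()` (or any read call that signals errors with a negative count) is passed into a `gsize` or `size_t` parameter without a `< 0` test first; compilers do not warn about the implicit conversion, and ASan only reports it once the oversized length is actually dereferenced.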