Bug 1575188

Summary: Stack Buffer Overflow in calling glib in gxps_images_guess_content_type of gcontenttype.c
Product: Red Hat Enterprise Linux 7
Component: libgxps
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Reporter: chenyuan <bugzilla>
Assignee: Marek Kašík <mkasik>
CC: carnil, herrold, jkoten, tpelka
Fixed In Version: libgxps-0.3.0-3.el7
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2018-10-30 10:26:16 UTC

Attachments:
POC_glib_stackoverflow.xps (flags: none)

Description chenyuan 2018-05-05 02:04:45 UTC
Created attachment 1431678
POC_glib_stackoverflow.xps

Description of problem:

Stack Buffer Overflow in calling glib in gxps_images_guess_content_type of gcontenttype.c

Version-Release number of selected component (if applicable):

libgxps <= 0.3.0
glib 2.0-2.56.1

How reproducible:

$ ./xpstojpeg POC_glib_stackoverflow.xps

Error rendering page 1: Error rendering page /Documents/1/Pages/1.fpage: Font source /Resources/18FA7CE1-4E72-1633-2736-9421A12AEF65.odttf not found in archive
Error rendering page 2: Error rendering page /Documents/1/Pages/2.fpage: Font source /Resources/18FA7CE1-4E72-1633-2736-9421A12AEF65.odttf not found in archive
Error rendering page 3: Error rendering page /Documents/1/Pages/3.fpage: Font source /Resources/18FA7CE1-4E72-1633-2736-9421A12AEF65.odttf not found in archive
Error rendering page 4: Error rendering page /Documents/1/Pages/4.fpage: Font source /Resources/18FA7CE1-4E72-1633-2736-9421A12AEF65.odttf not found in archive
=================================================================
==63668==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc4ef3f310 at pc 0x5654ae04feb7 bp 0x7ffc4ef3ea90 sp 0x7ffc4ef3ea80
READ of size 1 at 0x7ffc4ef3f310 thread T0
    #0 0x5654ae04feb6 in cache_magic_matchlet_compare_to_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:204
    #1 0x5654ae050028 in cache_magic_matchlet_compare /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:230
    #2 0x5654ae0502b6 in cache_magic_compare_to_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:262
    #3 0x5654ae050544 in cache_magic_lookup_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:298
    #4 0x5654ae0529a9 in cache_get_mime_type_for_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:746
    #5 0x5654ae052c27 in __gio_xdg_cache_get_mime_type_for_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:776
    #6 0x5654ae04de68 in _gio_xdg_get_mime_type_for_data /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmime.c:469
    #7 0x5654ae02c170 in g_content_type_guess /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/gcontenttype.c:686
    #8 0x5654adfa64cc in gxps_images_guess_content_type /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-images.c:894
    #9 0x5654adfa669c in gxps_images_get_image /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-images.c:930
    #10 0x5654adf748fa in gxps_page_get_image /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:94
    #11 0x5654adf96280 in brush_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-brush.c:974
    #12 0x5654ae2b9576 in emit_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/glib/gmarkup.c:1076
    #13 0x5654ae2bc9a0 in g_markup_parse_context_parse /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/glib/gmarkup.c:1618
    #14 0x5654adf8266b in gxps_parse_stream /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-parse-utils.c:184
    #15 0x5654adf7ba46 in gxps_page_parse_for_rendering /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:992
    #16 0x5654adf80c91 in gxps_page_render /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:1694
    #17 0x5654adf69ac5 in gxps_converter_run /home/v-fuzz/libgxps-0.2.5/tools/gxps-converter.c:322
    #18 0x5654adf65a32 in main /home/v-fuzz/libgxps-0.2.5/tools/gxps-converter-main.c:42
    #19 0x7efd325c8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #20 0x5654adf658c9 in _start (/home/v-fuzz/libgxps-0.2.5/tools/xpstopng+0x1328c9)

Address 0x7ffc4ef3f310 is located in stack of thread T0 at offset 1056 in frame
    #0 0x5654adfa63c4 in gxps_images_guess_content_type /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-images.c:883

  This frame has 1 object(s):
    [32, 1056) 'buffer' <== Memory access at offset 1056 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/v-fuzz/libgxps-0.2.5/libgxps/glib2.0-2.56.1/gio/xdgmime/xdgmimecache.c:204 in cache_magic_matchlet_compare_to_data
Shadow bytes around the buggy address:
  0x100009ddfe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100009ddfe60: 00 00[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100009ddfeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==63668==ABORTING

This vulnerability was due to 

libgxps/gxps-images.c:894

880 static gchar *
881 gxps_images_guess_content_type (GXPSArchive *zip,
882 				const gchar *image_uri)
883 {
884 	GInputStream *stream;
885 	guchar        buffer[1024];
886 	gssize        bytes_read;
887 	gchar        *mime_type;
888 
889 	stream = gxps_archive_open (zip, image_uri);
890 	if (!stream)
891 		return NULL;
892 
893 	bytes_read = g_input_stream_read (stream, buffer, 1024, NULL, NULL);
894 	mime_type = g_content_type_guess (NULL, buffer, bytes_read, NULL);
895 	g_object_unref (stream);
896 
897 	return mime_type;
898 }

In gdb debugging, we found that g_input_stream_read returned a negative value (-20), which then leads to the stack overflow in g_content_type_guess.

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by NESA Lab (nesa.zju.edu.cn) with our custom fuzzer v-fuzz. Please contact liyuwei23 and chenyuan.cn if you need more info about the team, the tool or the vulnerability.
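The root cause in the excerpt above is a signedness bug: g_input_stream_read returns a gssize, where a negative value means "error", but gxps_images_guess_content_type passes that value straight into the gsize data_size parameter of g_content_type_guess, so -20 becomes a size just under 2^64 and the content-type sniffer walks off the end of the 1024-byte stack buffer. The following is an added example, not code from the libgxps project or from the reporter. It stands in for the GLib pieces with hypothetical equivalents (a read callback in place of g_input_stream_read, a toy PNG/JPEG magic sniffer in place of g_content_type_guess, and a constructed in-memory stream whose error return is chosen to match the -20 seen in gdb) and shows both what the unsigned conversion produces and the check that prevents it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-ins for GLib's integer typedefs. */
typedef ssize_t gssize;
typedef size_t  gsize;

/* Hypothetical read callback mirroring g_input_stream_read()'s contract:
 * returns bytes read, 0 at end of stream, or a negative value on error. */
typedef gssize (*read_fn)(void *ctx, unsigned char *buf, gsize count);

/* Constructed in-memory stream. A negative `fail` makes every read return that
 * error code, which simulates the -20 the reporter observed in gdb. */
struct mem_stream {
    const unsigned char *data;
    gsize                len;
    gsize                pos;
    gssize               fail;
};

static gssize mem_read(void *ctx, unsigned char *buf, gsize count)
{
    struct mem_stream *s = ctx;
    if (s->fail < 0)
        return s->fail;                 /* simulated I/O error */
    gsize n = s->len - s->pos;
    if (n > count)
        n = count;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (gssize)n;
}

/* Toy magic sniffer standing in for g_content_type_guess(). Like the real one it
 * trusts `len` as the number of readable bytes, so a bogus len is the overread. */
static const char *sniff(const unsigned char *data, gsize len)
{
    static const unsigned char png_magic[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    if (len >= 8 && memcmp(data, png_magic, 8) == 0)
        return "image/png";
    if (len >= 3 && data[0] == 0xff && data[1] == 0xd8 && data[2] == 0xff)
        return "image/jpeg";
    return "application/octet-stream";
}

/* What the original code hands to the sniffer when the read fails: the negative
 * gssize is converted to gsize, i.e. (gsize)-20 == SIZE_MAX - 19. */
gsize negative_read_as_size(gssize bytes_read)
{
    return (gsize)bytes_read;
}

/* Hardened shape of gxps_images_guess_content_type(): treat a negative read
 * result as an error and never let it reach the sniffer as a length. The
 * sniffer is also given only the bytes actually read, not the buffer size. */
const char *guess_content_type_safe(read_fn rd, void *ctx)
{
    unsigned char buffer[1024];
    gssize bytes_read = rd(ctx, buffer, sizeof buffer);

    if (bytes_read < 0)                 /* the check the original code lacks */
        return NULL;

    return sniff(buffer, (gsize)bytes_read);
}

int main(void)
{
    static const unsigned char png[] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13};
    struct mem_stream ok  = { png, sizeof png, 0, 0 };
    struct mem_stream bad = { png, sizeof png, 0, -20 };

    printf("(gsize)-20 = %zu (SIZE_MAX - 19 = %zu)\n", negative_read_as_size(-20), SIZE_MAX - 19);
    printf("good stream: %s\n", guess_content_type_safe(mem_read, &ok));
    const char *r = guess_content_type_safe(mem_read, &bad);
    printf("failing stream: %s\n", r ? r : "NULL (read error rejected)");
    return 0;
}
```

The first printf shows why ASan reports an access at the very first byte past the buffer: with a length of roughly 2^64 the sniffer's loop simply keeps comparing magic patterns beyond the 1024 bytes it was given. Any wrapper that converts between gssize and gsize deserves the same `< 0` check, and the hardened function deliberately returns NULL so the caller falls into its existing "unknown image" path rather than guessing.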

Comment 2 Marek Kašík 2018-05-07 15:36:38 UTC
Thank you for this report. I've found an issue in one of the current patches we have, plus an upstream patch needed to resolve this.
I'm giving this bug devel_ack+.

Comment 3 Salvatore Bonaccorso 2018-05-07 18:31:55 UTC
This issue was assigned CVE-2018-10767

Comment 7 errata-xmlrpc 2018-10-30 10:26:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140