Bug 1179298 - (CVE-2014-8158) CVE-2014-8158 jasper: unrestricted stack memory use in jpc_qmfb.c (oCERT-2015-001)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150121,repor...
Keywords: Security
Depends On: 1183679 1183680 1183681 1183682 1184750 1184751 1184752 1184753
Blocks: 1167538 1179289
Reported: 2015-01-06 09:39 EST by Vasyl Kaigorodov
Modified: 2016-11-23 16:56 EST (History)

See Also:
Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Doc Text:
An unrestricted stack memory use flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-18 09:25:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
jpc_qmfb.c.patch (6.51 KB, patch)
2015-01-06 09:40 EST, Vasyl Kaigorodov
do not define HAVE_VLA (679 bytes, patch)
2015-01-08 06:44 EST, Jiri Popelka


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0074 normal SHIPPED_LIVE Important: jasper security update 2015-01-22 21:13:34 EST
Red Hat Product Errata RHSA-2015:0698 normal SHIPPED_LIVE Important: rhevm-spice-client security, bug fix, and enhancement update 2015-03-18 12:11:47 EDT

Description Vasyl Kaigorodov 2015-01-06 09:39:01 EST
oCERT reports an issue in jasper discovered by pyddeh:

"""

In jpc_qmfb.c JasPer uses variable length arrays where the sizes are
derived from the codestream data, e.g. jpc_qmfb.c:305:

    void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
    {

        int bufsize = JPC_CEILDIVPOW2(numcols, 1);
    #if !defined(HAVE_VLA)
        jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
    #else
        jpc_fix_t splitbuf[bufsize];
    #endif
        jpc_fix_t *buf = splitbuf;

Here, numcols is from the codestream; in other places it's numrows. I'm not
sure how bad this is, but some broken codestreams I generated crashed there
with negative numbers, which I think is dangerous if combined with VLAs.

Fix proposal: remove the VLA code (see attached patch).

"""

Acknowledgement:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges pyddeh as the original reporter.
Comment 1 Vasyl Kaigorodov 2015-01-06 09:40:49 EST
Created attachment 976831 [details]
jpc_qmfb.c.patch
Comment 2 Jiri Popelka 2015-01-08 06:44:13 EST
Created attachment 977736 [details]
do not define HAVE_VLA

(In reply to Vasyl Kaigorodov from comment #0)
> some broken codestreams i generated crashed there
> with negative numbers, which i think is dangerous if combined with VLAs.

Can you perhaps upload such file(s)?

> Fix proposal: remove the VLA code (see attached patch).

This can more easily be achieved by not defining HAVE_VLA, see my patch.
Comment 3 Tomas Hoger 2015-01-09 07:24:04 EST
This does not seem to be a buffer overflow issue. The problem that was reported is that if HAVE_VLA is defined, the size of the stack-based splitbuf[] or joinbuf[] is determined at runtime based on the values from the processed image. This approach has the drawback that there's no real error check used - allocation of the buffer is done by subtracting from the stack pointer. As a consequence, the start of splitbuf[] / joinbuf[] may be outside of the stack memory - typically unmapped memory, but it may reach the stack memory of other threads and possibly heap memory. Use of such a buffer leads to memory corruption. Given how those buffers are used, the program will crash on an attempt to access unmapped memory before the end of the affected functions is reached. Hence an exploit would require a race against another thread or signal handler.

The proposed fix removes the use of variable length arrays, which makes jasper use a fixed size stack array, or allocate memory from the heap if a larger buffer is needed.

(In reply to Jiri Popelka from comment #2)
> Can you perhaps upload such file(s) ?

No reproducer is available, oCERT / original reporter may or may not be able to provide one.

> > Fix proposal: remove the VLA code (see attached patch).
> 
> This can more easily be achieved by not defining HAVE_VLA, see my patch.

Agree, either approach should work. As HAVE_VLA is not used elsewhere in the jasper sources, the fixes should be equivalent. Complete removal makes it less likely for the code to be re-enabled by accident in the future.
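The fixed-size-stack-buffer-with-heap-fallback pattern that comment 3 describes as the fix for the VLA excerpt quoted in comment 0, written out as an added example in C. This is not JasPer's code and is not part of this bug report: split_row_safe, fix_t, CEILDIVPOW2, SPLITBUFSIZE, MAX_COLS, check_split and rejects_bad_width are hypothetical stand-ins, and the buffer size and width bound are constructed values. The point it shows is the one the comment makes: the codestream-derived width is validated before any buffer exists, an oversized row goes to the heap where allocation failure is an error code, and nothing is ever subtracted from the stack pointer by an unchecked amount.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for JasPer's jpc_fix_t and JPC_CEILDIVPOW2 (assumed, not JasPer's source). */
typedef long fix_t;
#define CEILDIVPOW2(x, y) (((x) + (1 << (y)) - 1) >> (y))

/* Fixed stack scratch size and an application-chosen upper bound on row width (constructed). */
#define SPLITBUFSIZE 1024
#define MAX_COLS (1 << 20)

enum { SPLIT_OK = 0, SPLIT_EBADSIZE = -1, SPLIT_ENOMEM = -2 };

/*
 * De-interleave a[0..numcols) in place: low-pass samples (positions parity, parity+2, ...)
 * first, then high-pass samples (positions 1-parity, 3-parity, ...).
 * Instead of `fix_t splitbuf[bufsize]` sized from codestream data, the scratch buffer is a
 * fixed-size stack array with a checked heap fallback, and the width is validated first.
 */
int split_row_safe(fix_t *a, int numcols, int parity)
{
    fix_t splitbuf[SPLITBUFSIZE];
    fix_t *buf = splitbuf;
    int bufsize, nlow, nhigh, i, j;

    /* A negative or absurdly large width means a corrupt codestream: refuse it
       rather than letting it become a stack-pointer adjustment. */
    if (a == NULL || numcols < 0 || numcols > MAX_COLS || (parity != 0 && parity != 1))
        return SPLIT_EBADSIZE;

    bufsize = CEILDIVPOW2(numcols, 1);
    if (bufsize > SPLITBUFSIZE) {
        /* Heap fallback: failure is reported instead of silently corrupting memory. */
        buf = malloc((size_t)bufsize * sizeof *buf);
        if (buf == NULL)
            return SPLIT_ENOMEM;
    }

    nlow = (numcols + 1 - parity) >> 1;
    nhigh = numcols - nlow;           /* never exceeds bufsize */

    /* Stash the high-pass samples. */
    for (i = 0, j = 1 - parity; i < nhigh; i++, j += 2)
        buf[i] = a[j];
    /* Compact the low-pass samples to the front (destination index never passes source). */
    for (i = 0, j = parity; i < nlow; i++, j += 2)
        a[i] = a[j];
    /* Append the stashed high-pass samples. */
    memcpy(&a[nlow], buf, (size_t)nhigh * sizeof *buf);

    if (buf != splitbuf)
        free(buf);
    return SPLIT_OK;
}

/* Fill a row with its own indices, split it and verify the layout. Returns 1 on success. */
int check_split(int numcols, int parity)
{
    fix_t *a = malloc((size_t)(numcols > 0 ? numcols : 1) * sizeof *a);
    int i, ok = 1;

    if (a == NULL)
        return 0;
    for (i = 0; i < numcols; i++)
        a[i] = i;
    if (split_row_safe(a, numcols, parity) != SPLIT_OK) {
        ok = 0;
    } else {
        int nlow = (numcols + 1 - parity) >> 1;
        for (i = 0; i < numcols && ok; i++) {
            fix_t expect = (i < nlow) ? parity + 2 * i : (1 - parity) + 2 * (i - nlow);
            if (a[i] != expect)
                ok = 0;
        }
    }
    free(a);
    return ok;
}

/* Returns 1 if corrupt widths and parities are refused before any buffer is set up. */
int rejects_bad_width(void)
{
    fix_t row[4] = {0, 1, 2, 3};
    return split_row_safe(row, -4, 0) == SPLIT_EBADSIZE
        && split_row_safe(row, MAX_COLS + 1, 0) == SPLIT_EBADSIZE
        && split_row_safe(row, 4, 2) == SPLIT_EBADSIZE;
}

int main(void)
{
    fix_t row[5] = {10, 11, 12, 13, 14};
    int i;

    split_row_safe(row, 5, 0);
    for (i = 0; i < 5; i++)
        printf("%ld ", row[i]);                 /* prints: 10 12 14 11 13 */
    printf("\nlarge row via heap path: %s\n", check_split(4096, 1) ? "ok" : "FAILED");
    printf("bad widths rejected: %s\n", rejects_bad_width() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The de-interleave itself is a simplified stand-in for JasPer's row split, not its exact loop; what matters for the report is that the only size ever used to reserve memory has been checked, and that the stack array's size is a compile-time constant regardless of what the image says.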
Comment 5 Jiri Popelka 2015-01-09 08:02:24 EST
Now it makes much more sense, thank you Tomas!
Comment 10 Tomas Hoger 2015-01-22 03:36:58 EST
Public now via oCERT-2015-001.

External References:

http://www.ocert.org/advisories/ocert-2015-001.html
Comment 11 Tomas Hoger 2015-01-22 03:39:36 EST
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184751]
Affects: epel-7 [bug 1184753]
Comment 12 Tomas Hoger 2015-01-22 03:39:39 EST
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184750]
Affects: epel-5 [bug 1184752]
Comment 13 Tomas Hoger 2015-01-22 04:41:20 EST
Patch that was added to Fedora jasper packages:

http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8158.patch
Comment 14 Ján Rusnačko 2015-01-22 09:49:40 EST
Statement:

(none)
Comment 15 errata-xmlrpc 2015-01-22 16:14:24 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0074 https://rhn.redhat.com/errata/RHSA-2015-0074.html
Comment 16 Fedora Update System 2015-02-02 12:21:38 EST
mingw-jasper-1.900.1-26.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2015-02-02 12:23:28 EST
mingw-jasper-1.900.1-26.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-02-09 00:28:31 EST
jasper-1.900.1-30.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2015-02-09 00:32:34 EST
jasper-1.900.1-28.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2015-02-13 21:46:52 EST
mingw-jasper-1.900.1-26.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 errata-xmlrpc 2015-03-18 08:12:54 EDT
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
Comment 22 Fedora Update System 2015-05-10 20:53:25 EDT
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Tomas Hoger 2016-11-23 16:56:15 EST
Fix was integrated upstream in version 1.900.2:

https://github.com/mdadams/jasper/commit/0d64bde2b3ba7e1450710d540136a8ce4199ef30
