Bug 1385507 (CVE-2016-8693) - CVE-2016-8693 jasper: incorrect handling of bufsize 0 in mem_resize()
Summary: CVE-2016-8693 jasper: incorrect handling of bufsize 0 in mem_resize()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-8693
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1385516 1385517 1385518 1385519 1439171 1439172 1439173 1439174
Blocks: 1314477
TreeView+ depends on / blocked
 
Reported: 2016-10-17 08:46 UTC by Adam Mariš
Modified: 2019-09-29 13:57 UTC (History)
26 users (show)

Fixed In Version: jasper 1.900.10
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-09 21:46:05 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 0 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 21:13:57 UTC

Description Adam Mariš 2016-10-17 08:46:04 UTC 
A double free vulnerability was found in mem_close in jas_stream.c triggered by invoking imginfo command on specially crafted image file.

CVE assignment:

http://www.openwall.com/lists/oss-security/2016/10/16/14
Comment 1 Adam Mariš 2016-10-17 08:56:39 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]
Comment 2 Adam Mariš 2016-10-17 08:56:58 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]
Comment 3 Tomas Hoger 2016-12-07 10:41:18 UTC 
Original reporter's advisory:

https://blogs.gentoo.org/ago/2016/10/16/jasper-double-free-in-mem_close-jas_stream-c/

Relevant info from the advisory:

A fuzzing revealed a double-free in mem_close.

# imginfo -f $FILE
Corrupt JPEG data: 1 extraneous bytes before marker 0xc4
=================================================================
==31536==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0:
    #0 0x4bfe10 in __interceptor_free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7f15e7385450 in mem_close /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:1079:3
    #2 0x7f15e737ffcb in jas_stream_close /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:466:2
    #3 0x7f15e7353b71 in jas_image_cmpt_destroy /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:343:3
    #4 0x7f15e7353b71 in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:333
    #5 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #6 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #7 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #8 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #9 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #10 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #11 0x418bc8 in _start (/tmp/jasper-version-1.900.4/src/appl/.libs/imginfo+0x418bc8)

0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80)
freed by thread T0 here:
    #0 0x4c0498 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71
    #1 0x7f15e7385048 in mem_resize /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:995:14
    #2 0x7f15e7385048 in mem_write /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:1018
    #3 0x7f15e73823a3 in jas_stream_flushbuf /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:819:7
    #4 0x7f15e7383e04 in jas_stream_flush /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:749:9
    #5 0x7f15e7383e04 in jas_stream_seek /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:656
    #6 0x7f15e7353b4a in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:332:4
    #7 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #8 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #9 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #10 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #11 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #12 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4c0118 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f15e737fb4e in jas_stream_memopen /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:215:15
    #2 0x7f15e735397e in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:322:28
    #3 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #4 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #5 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #6 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #7 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #8 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: double-free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38 in __interceptor_free
==31536==ABORTING

There are 2 upstream bug reports with reproducers:

https://github.com/mdadams/jasper/issues/25
https://github.com/mdadams/jasper/issues/31

And the issue was fixed in version 1.900.10 via the following commit:

https://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309

The problem is that mem_resize(), if called with bufsize == 0, was freeing m->buf_, but not setting it to NULL.  As error was returned by the function, it led to the second attempt to free the same memory in mem_close().  With the glibc malloc hardening, this issue is unlikely to have worse impact than unexpected application termination.
Comment 8 errata-xmlrpc 2017-05-09 17:17:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208
Note You need to log in before you can comment on or make changes to this bug.