Bug 1473167 - There is a NULL pointer dereference in gxps-archive.c in the libgxps library.
Summary: There is a NULL pointer dereference in gxps-archive.c in the libgxps library.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libgxps
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Marek Kašík
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: CVE-2017-11590
Reported: 2017-07-20 07:25 UTC by owl337
Modified: 2018-10-30 10:20 UTC
CC List: 4 users

Fixed In Version: libgxps-0.3.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:19:44 UTC


Attachments
Triggered by "./xpstojpeg POC1 /dev/null" (535 bytes, application/x-rar), 2017-07-20 07:25 UTC, owl337


Links
System ID                               Priority  Status  Summary  Last Updated
Red Hat Product Errata RHSA-2018:3140   None      None    None     2018-10-30 10:20:42 UTC

Description owl337 2017-07-20 07:25:07 UTC
Created attachment 1301548
Triggered by "./xpstojpeg POC1 /dev/null"

Description of problem:

There is a NULL pointer dereference in gxps-archive.c in the libgxps library.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./xpstojpeg  POC1  /dev/null 


Steps to Reproduce:

The output information is as follows:

$ ./xpstojpeg  POC1  /dev/null 

(xpstojpeg:122488): GXPS-WARNING **: Error: Pathname cannot be converted from UTF-8 to current locale.


(xpstojpeg:122488): GLib-CRITICAL **: g_ascii_strdown: assertion 'str != NULL' failed
Segmentation fault


ASAN output information:

$ ./xpstojpeg  POC1  /dev/null 

ASAN:SIGSEGV
=================================================================
==51273==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe62668a810 sp 0x7ffda3dbc728 bp 0x000000000000 T0)
==51273==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x7fe62668a80f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3980f)
    #1 0x7fe6271f2a44 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x18a44)
    #2 0x7fe62668947a (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3847a)
    #3 0x7fe6271f24fa (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x184fa)
    #4 0x7fe626c1010e (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d10e)
    #5 0x7fe626c101c5 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d1c5)
    #6 0x7fe62722e6c1 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x546c1)
    #7 0x7fe626c1010e (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d10e)
    #8 0x7fe626c101c5 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d1c5)
    #9 0x7fe62722bb74 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x51b74)
    #10 0x48673a (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x48673a)
    #11 0x47fe79 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47fe79)
    #12 0x47ced6 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47ced6)
    #13 0x7fe624865a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #14 0x47ccc8 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47ccc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==51273==ABORTING


GDB backtrace information is as follows:

(gdb) set args fuzz/xps2jpeg_out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:271 /dev/null 
(gdb) r
...
Breakpoint 1, caseless_hash (v=0x0) at gxps-archive.c:196
196		ret = g_str_hash (lower);

(xpstojpeg:55531): GXPS-WARNING **: Error: Pathname cannot be converted from UTF-8 to current locale.


(xpstojpeg:55531): GLib-CRITICAL **: g_ascii_strdown: assertion 'str != NULL' failed

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6fb4810 in g_str_hash () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt 
#0  0x00007ffff6fb4810 in g_str_hash () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ffff7b1ca45 in caseless_hash (v=0x0) at gxps-archive.c:196
#2  0x00007ffff6fb347b in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff7b1c4fb in gxps_archive_initable_init (initable=<optimized out>, error=<optimized out>, 
    cancellable=<optimized out>) at gxps-archive.c:283
#4  0x00007ffff753a10f in g_initable_new_valist () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007ffff753a1c6 in g_initable_new () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x00007ffff7b586c2 in gxps_file_initable_init (initable=<optimized out>, error=<optimized out>, 
    cancellable=<optimized out>) at gxps-file.c:310
#7  0x00007ffff753a10f in g_initable_new_valist () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x00007ffff753a1c6 in g_initable_new () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#9  0x00007ffff7b55b75 in gxps_file_new (filename=<optimized out>, error=<optimized out>) at gxps-file.c:368
#10 0x000000000048673b in gxps_converter_real_init_with_args (converter=0x62100001c020, argc=<optimized out>, 
    argv=<optimized out>, option_groups=<optimized out>) at gxps-converter.c:104
#11 0x000000000047fe7a in gxps_converter_init_with_args (converter=<optimized out>, argc=0x7fffffffe3b0, 
    argv=0x7fffffffe3a0) at gxps-converter.c:230
#12 0x000000000047ced7 in main (argc=<optimized out>, argv=0x7fffffffe3a0) at gxps-converter-main.c:36


This vulnerability was triggered in caseless_hash () at libgxps/gxps-archive.c:196

190 caseless_hash (gconstpointer v)
191 {
192         gchar *lower;
193         guint ret;
194 
195         lower = g_ascii_strdown (v, -1);
196         ret = g_str_hash (lower);
197         g_free (lower);
198 
199         return ret;
200 }



Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
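
The trace above shows caseless_hash(v=0x0) reached from gxps_archive_initable_init through a GLib frame, with the GXPS-WARNING about a pathname that could not be converted to the current locale printed immediately before the g_ascii_strdown assertion; read together, that points to a NULL entry name being handed to the hash table as a key. The block below is an added example, not libgxps or Red Hat code, that reproduces the pattern in a standalone form and puts a hardened version beside it. Everything in it is an assumption for illustration: the NULL in the constructed name array stands in for archive_entry_pathname() failing, the hash is a tolower() djb2 rather than g_str_hash(), and the table is a fixed 16-slot array rather than a GHashTable.

```c
/* Added example (not libgxps code): the NULL-key pattern behind this crash,
 * modelled on the report's caseless_hash(), beside a hardened variant and
 * the ingestion-time check. Assumptions: a NULL in the constructed name
 * array models archive_entry_pathname() failing; the hash is a tolower()
 * djb2, not g_str_hash(); the table is a 16-slot array, not a GHashTable. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16

/* Stand-in for g_ascii_strdown(): like GLib, returns NULL for NULL input
 * (GLib also emits the g_return_val_if_fail CRITICAL seen in the report). */
static char *ascii_strdown(const char *s)
{
    if (s == NULL)
        return NULL;
    size_t n = strlen(s);
    char *lower = malloc(n + 1);
    if (lower == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        lower[i] = (char)tolower((unsigned char)s[i]);
    lower[n] = '\0';
    return lower;
}

/* djb2 standing in for g_str_hash(): it dereferences its argument
 * unconditionally, so a NULL key faults here, as in frame #0 above. */
static unsigned str_hash(const char *s)
{
    unsigned h = 5381;
    for (; *s != '\0'; s++)
        h = h * 33u + (unsigned char)*s;
    return h;
}

/* Same shape as the report's caseless_hash(): NULL in, NULL out of the
 * lowercase step, then an unconditional dereference of that NULL. */
unsigned caseless_hash_unsafe(const char *key)
{
    char *lower = ascii_strdown(key);
    unsigned h = str_hash(lower);   /* SIGSEGV when key == NULL */
    free(lower);
    return h;
}

/* Hardened hash: a NULL key (or failed allocation) maps to 0 instead of
 * being dereferenced. Second line of defence only; see load_entries(). */
unsigned caseless_hash_safe(const char *key)
{
    char *lower = ascii_strdown(key);
    if (lower == NULL)
        return 0;
    unsigned h = str_hash(lower);
    free(lower);
    return h;
}

struct entry_table {
    const char *names[MAX_ENTRIES];
    unsigned hashes[MAX_ENTRIES];
    size_t count;
    size_t skipped;
};

/* Ingestion step: the archive is untrusted input, so an entry whose
 * pathname could not be converted (NULL here) is counted and skipped,
 * never used as a key. Returns 0, or -1 if the fixed table is full. */
int load_entries(struct entry_table *t, const char *const *pathnames, size_t n)
{
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < n; i++) {
        if (pathnames[i] == NULL) {
            t->skipped++;
            continue;
        }
        if (t->count == MAX_ENTRIES)
            return -1;
        t->names[t->count] = pathnames[i];
        t->hashes[t->count] = caseless_hash_safe(pathnames[i]);
        t->count++;
    }
    return 0;
}

int main(void)
{
    /* Constructed listing: the middle entry models a pathname libarchive
     * could not convert to the current locale. */
    const char *names[] = { "[Content_Types].xml", NULL, "_rels/.rels" };
    struct entry_table t;
    load_entries(&t, names, 3);
    printf("loaded %zu entries, skipped %zu\n", t.count, t.skipped);
    return 0;
}
```

The check that matters is the one in load_entries(): a hash function is the wrong place to discover that a parser accepted a key it never validated, so the NULL is rejected where the archive entry is read, and the NULL-tolerant hash only guards against the same mistake reappearing elsewhere.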

Comment 9 Michael Boisvert 2018-08-31 10:14:06 UTC
Verified based on #c8.

Comment 11 errata-xmlrpc 2018-10-30 10:19:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140

