Bug 1500623 (CVE-2017-2888) - CVE-2017-2888 SDL: Integer overflow while creating a new RGB surface
Summary: CVE-2017-2888 SDL: Integer overflow while creating a new RGB surface
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-2888
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20171010,repo...
Depends On: 1500624 1500625 1500734 1500735
Blocks: 1500626
 
Reported: 2017-10-11 08:31 UTC by Andrej Nemec
Modified: 2019-06-08 22:24 UTC (History)
CC: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-20 09:57:08 UTC


Attachments
Ugly patch based on secure coding guide (1.52 KB, patch)
2017-10-12 09:54 UTC, Stefan Cornelius
Patch using a builtin compiler function (844 bytes, patch)
2017-10-12 09:57 UTC, Stefan Cornelius

Description Andrej Nemec 2017-10-11 08:31:24 UTC
An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395

Comment 1 Andrej Nemec 2017-10-11 08:31:53 UTC
Created SDL tracking bugs for this issue:

Affects: fedora-all [bug 1500624]


Created mingw-SDL tracking bugs for this issue:

Affects: fedora-all [bug 1500625]

Comment 2 Stefan Cornelius 2017-10-11 10:30:32 UTC
This appears to be the patch:
http://hg.libsdl.org/SDL/rev/7e0f1498ddb5

PLEASE NOTE: Simply applying the patch will not work with F26, as the compiler appears to optimize the check away. Set the "-fno-strict-overflow" compiler flag to prevent this.

Comment 3 Stefan Cornelius 2017-10-11 11:53:43 UTC
Created SDL2 tracking bugs for this issue:

Affects: epel-7 [bug 1500735]
Affects: fedora-all [bug 1500734]

Comment 4 Stefan Cornelius 2017-10-11 11:57:35 UTC
SDL1 has the following check and should not be vulnerable:

> /* Make sure the size requested doesn't overflow our datatypes */
> /* Next time I write a library like SDL, I'll use int for size. :) */
> if ( width >= 16384 || height >= 65536 ) {
>	SDL_SetError("Width or height is too large");
>	return(NULL);
> }

Comment 5 Igor Gnatenko 2017-10-11 13:17:49 UTC
(In reply to Stefan Cornelius from comment #2)
> This appears to be the patch:
> http://hg.libsdl.org/SDL/rev/7e0f1498ddb5
> 
> PLEASE NOTE: Simply applying the patch will not work with F26, as the
> compiler appears to optimize the check away. Set the "-fno-strict-overflow"
> compiler flag to prevent this.

Ugh, is there some better way of doing this?

Comment 7 Stefan Cornelius 2017-10-12 09:54:07 UTC
Created attachment 1337656 [details]
Ugly patch based on secure coding guide

This is an ugly patch (the new functions and includes should probably have their own header etc) roughly based on what the CERT Secure Coding Guide recommends. Should work with most compilers, though.

Not extensively tested, so no guarantees that this is indeed correct.

Comment 8 Stefan Cornelius 2017-10-12 09:57:06 UTC
Created attachment 1337658 [details]
Patch using a builtin compiler function

This one uses a builtin compiler function - gcc and llvm should support this, not sure about other compilers, though.

Not extensively tested, so no guarantees that this is indeed correct.

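The two approaches discussed in comments 2 through 8, shown side by side as an added example. This is not SDL code and not either of the attached patches; the function names (`naive_size`, `mul_int_checked_cert`, `mul_int_checked_builtin`, `surface_pitch`, `surface_size`) and the 4-byte row alignment are assumptions made for illustration. The naive form computes `pitch * height` first and checks the sign afterwards; because signed overflow is undefined behaviour, the compiler may legitimately delete that check, which is why comment 2 needed `-fno-strict-overflow`. The CERT-style form (INT32-C) compares against `INT_MAX / a` before multiplying, and the third form uses `__builtin_mul_overflow`, which assumes GCC 5+ or Clang.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* VULNERABLE PATTERN (for illustration only, never called below):
 * the multiplication happens first, so on overflow the program has
 * already hit undefined behaviour and the `< 0` test may be
 * optimised away entirely. */
static int naive_size(int pitch, int height) {
    int size = pitch * height;          /* UB on overflow */
    if (size < 0) return -1;            /* compiler may drop this */
    return size;
}

/* CERT INT32-C style: decide before multiplying, using only
 * well-defined arithmetic. Negative dimensions are rejected. */
static bool mul_int_checked_cert(int a, int b, int *out) {
    if (a < 0 || b < 0) return false;
    if (a != 0 && b > INT_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Same contract using the compiler builtin (assumed: GCC >= 5 or Clang).
 * The builtin reports overflow of the destination type; the sign test
 * keeps negative inputs out as in the CERT variant. */
static bool mul_int_checked_builtin(int a, int b, int *out) {
    int r;
    if (a < 0 || b < 0) return false;
    if (__builtin_mul_overflow(a, b, &r)) return false;
    *out = r;
    return true;
}

/* Row pitch for a packed pixel format: bytes per row rounded up to a
 * 4-byte boundary (assumed alignment). The +3 is also overflow-checked. */
static bool surface_pitch(int width, int bytes_per_pixel, int *pitch) {
    int raw;
    if (!mul_int_checked_cert(width, bytes_per_pixel, &raw)) return false;
    if (raw > INT_MAX - 3) return false;
    *pitch = (raw + 3) & ~3;
    return true;
}

/* Byte size of the pixel buffer for a width x height surface, or -1 if
 * it cannot be represented in an int. `use_builtin` selects which of
 * the two safe checks is used for pitch * height. */
int surface_size(int width, int height, int bytes_per_pixel, bool use_builtin) {
    int pitch, size;
    if (!surface_pitch(width, bytes_per_pixel, &pitch)) return -1;
    bool ok = use_builtin ? mul_int_checked_builtin(pitch, height, &size)
                          : mul_int_checked_cert(pitch, height, &size);
    return ok ? size : -1;
}

int main(void) {
    /* 640x480 RGBA: fits comfortably. */
    printf("640x480x4 -> %d\n", surface_size(640, 480, 4, false));
    /* 65536x16384 RGBA: pitch 262144 * 16384 = 2^32, does not fit an int. */
    printf("65536x16384x4 -> %d\n", surface_size(65536, 16384, 4, true));
    (void)naive_size;
    return 0;
}
```

With the overflowing case the naive version, compiled with optimisation, can hand back a small or garbage size that is then used for the allocation, which is exactly the undersized buffer the Talos report describes; both checked variants return -1 before any allocation happens.
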
Comment 9 Stefan Cornelius 2017-10-12 10:00:37 UTC
Statement:

This issue did not affect the versions of SDL as shipped with Red Hat Enterprise Linux 5, 6, and 7.

Comment 10 Salvatore Bonaccorso 2017-10-18 20:47:19 UTC
See: https://hg.libsdl.org/SDL/rev/81a4950907a0

Comment 11 Igor Gnatenko 2017-10-19 07:50:51 UTC
(In reply to Stefan Cornelius from comment #9)
> Statement:
> 
> This issue did not affect the versions of SDL as shipped with Red Hat
> Enterprise Linux 5, 6, and 7.

Why would I care about those distributions when I'm working on Fedora?

Comment 12 Igor Gnatenko 2017-10-19 08:01:03 UTC
(In reply to Salvatore Bonaccorso from comment #10)
> See: https://hg.libsdl.org/SDL/rev/81a4950907a0

Thanks a lot! Applied and building.

