Bug 1388828 (CVE-2016-8887) - CVE-2016-8887 jasper: uninitialized pointer use in jp2_box_get()
Summary: CVE-2016-8887 jasper: uninitialized pointer use in jp2_box_get()
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-8887
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: CVE-2016-10250 (view as bug list)
Depends On: 1388873 1388874 1388875 1388876
Blocks: 1314477
TreeView+ depends on / blocked
 
Reported: 2016-10-26 09:21 UTC by Adam Mariš
Modified: 2019-09-29 13:58 UTC (History)
28 users (show)

Fixed In Version: jasper 1.900.10
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-12 14:06:55 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2016-10-26 09:21:17 UTC 
Null pointer dereference vulnerability in jp2_colr_destroy in jp2_cod.c was found.

Upstream patch:

https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d

CVE assignment:

http://seclists.org/oss-sec/2016/q4/215
Comment 1 Adam Mariš 2016-10-26 10:54:12 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388874]
Affects: epel-7 [bug 1388876]
Comment 2 Adam Mariš 2016-10-26 10:54:31 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388873]
Affects: epel-5 [bug 1388875]
Comment 3 Tomas Hoger 2016-12-12 13:25:13 UTC 
This isn't actually a NULL pointer dereference issue, but rather a use of uninitialized pointer.  In the jp2_box_get() function, a variable box of type jp2_box_t is allocated using jas_malloc().  Data parsed from a read file is stored in the structure.  However, if certain errors occur while parsing, the structure is destroyed using jp2_box_destroy() before it was fully initialized.  jp2_box_destroy() calls box type specific destroy functions, such as jp2_colr_destroy() mentioned in the original report, which contains a code as this:

static void jp2_colr_destroy(jp2_box_t *box)
{
    jp2_colr_t *colr = &box->data.colr;
    if (colr->iccp) {
        jas_free(colr->iccp);
    }
}

As colr->iccp has not been initialized yet, this leads to an attempt to free invalid pointer.  It seems attacker may be able to trigger freeing of the attacker controlled pointer, which may lead to use after free.  Therefore, impact of this problem does not seem limited to application crash.

This problem did not affect jasper packages in Red Hat Enterprise Linux 6 and 7, as they include the following change as part of the patch for CVE-2008-3520:

+++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
 	box = 0;
 	tmpstream = 0;
 
-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
 		goto error;

As jas_calloc() is used to allocate memory instead of jas_malloc(), uninitialized fields of the box are guaranteed to be 0 / NULL, avoiding problematic jas_free() calls in jp2_*_destroy() functions.
Comment 4 Tomas Hoger 2016-12-12 13:31:55 UTC 
Original reporter's advisory:

https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c/

Relevant info from the advisory:

jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)

Another round of fuzzing on an updated version (1.900.5) revealed a NULL pointer access in jp2_colr_destroy

The complete ASan output:

# imginfo -f $FILE
cannot copy box data
ASAN:DEADLYSIGNAL
=================================================================
==19664==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc50768570 T0)
    #0 0x41defc in atomic_compare_exchange_strong /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:465
    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:525
    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:709
    #4 0x4c008c in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:41
    #5 0x7f8dcb5bc940 in jp2_colr_destroy /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:443:3
    #6 0x7f8dcb5c1f69 in jp2_box_destroy /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:211:3
    #7 0x7f8dcb5c1f69 in jp2_box_get /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_cod.c:307
    #8 0x7f8dcb5c5dc0 in jp2_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:156:16
    #9 0x7f8dcb556f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #10 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #11 0x7f8dca66561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==19664==ABORTING

Upstream bug report:

https://github.com/mdadams/jasper/issues/34

The following fix was applied in version 1.900.10:

https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d


However, the above fix was found to be incomplete.  There is this follow-up advisory from the original reporter:

https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887/

Relevant info from the advisory:

jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887)

Another round of fuzzing on an updated version (1.900.10) revealed that the NULL pointer access identified as CVE-2016-8887 which upstream declared to be fixed in the version 1.900.10 is still here.

The complete ASan output:

# imginfo -f $FILE
ASAN:DEADLYSIGNAL
=================================================================
==20885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041defd bp 0xbebebebebebebebe sp 0x7ffc4e4a4550 T0)
    #0 0x41defc in atomic_compare_exchange_strong /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41defc in __asan::Allocator::AtomicallySetQuarantineFlag(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:465
    #2 0x41defc in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:525
    #3 0x41defc in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:709
    #4 0x4c008c in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:41
    #5 0x7faeeeb2d430 in jp2_colr_destroy /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:450:3
    #6 0x7faeeeb32b0e in jp2_box_destroy /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:211:3
    #7 0x7faeeeb32b0e in jp2_box_get /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_cod.c:314
    #8 0x7faeeeb369a0 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:156:16
    #9 0x7faeeeac6a29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16
    #10 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16
    #11 0x7faeedbd361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==20885==ABORTING

Upstream bug report:

https://github.com/mdadams/jasper/issues/45

Upstream fix applied in version 1.900.13:

https://github.com/mdadams/jasper/commit/bdfe95a6e81ffb4b2fad31a76b57943695beed20
Comment 8 Tomas Hoger 2016-12-12 14:07:53 UTC 
*** Bug 1388829 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.