Bug 1610135 (CVE-2018-9154) - CVE-2018-9154 jasper: reachable abort in jpc_dec_process_sot()
Summary: CVE-2018-9154 jasper: reachable abort in jpc_dec_process_sot()
Keywords:
Status: CLOSED DUPLICATE of bug 1488958
Alias: CVE-2018-9154
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1610136 1610137 1610138
Blocks: 1610141
TreeView+ depends on / blocked
 
Reported: 2018-07-31 03:55 UTC by Sam Fowler
Modified: 2020-02-10 04:33 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-07 13:27:02 UTC


Attachments (Terms of Use)

Description Sam Fowler 2018-07-31 03:55:26 UTC
There is a reachable abort in the function jpc_dec_process_sot in libjasper/jpc/jpc_dec.c of JasPer 2.0.14 that will lead to a remote denial of service attack by triggering an unexpected jas_alloc2 return value, a different vulnerability than CVE-2017-13745.


Reference:

https://drive.google.com/drive/u/2/folders/1YuxdfbZrw79kfzoQz0PpxIutZ7pkf_kW

Comment 1 Sam Fowler 2018-07-31 03:56:17 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1610136]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1610138]
Affects: fedora-all [bug 1610137]

Comment 4 Sam Fowler 2018-07-31 04:02:53 UTC
Reproduced on F28 with jasper-2.0.14-5.fc28.x86_64:

# gdb -q jasper 
Reading symbols from jasper...Reading symbols from /usr/lib/debug/usr/bin/jasper-2.0.14-5.fc28.x86_64.debug...done.
done.
(gdb) r --input jasper_POC --output-format jp2
Starting program: /usr/bin/jasper --input jasper_POC --output-format jp2
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.27-30.fc28.x86_64
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)

Program received signal SIGABRT, Aborted.
0x00007ffff71f4feb in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install libjpeg-turbo-1.5.3-6.fc28.x86_64
(gdb) bt
#0  0x00007ffff71f4feb in raise () from /lib64/libc.so.6
#1  0x00007ffff71df5c1 in abort () from /lib64/libc.so.6
#2  0x00007ffff7b84c18 in jpc_dec_process_sot (dec=0x55555575f900, ms=0x55555575f9d0) at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/libjasper/jpc/jpc_dec.c:488
#3  0x00007ffff7b9bdc5 in jpc_dec_decode (dec=0x55555575f900) at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/libjasper/jpc/jpc_dec.c:424
#4  jpc_decode (in=<optimized out>, optstr=<optimized out>) at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7b8c801 in jas_image_decode (in=in@entry=0x55555575b710, fmt=<optimized out>, optstr=0x0)
    at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/libjasper/base/jas_image.c:442
#6  0x0000555555555aba in main () at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/appl/jasper.c:236
#7  0x00007ffff71e124b in __libc_start_main () from /lib64/libc.so.6
#8  0x0000555555555eca in _start ()

Comment 5 Tomas Hoger 2018-07-31 11:03:39 UTC
Here are details that are noted for this issue on the Google Drive link in comment 0:


Triggered by: ./jasper --input jasper_POC --output-format jp2


Description of problem:

There is a reachable abort in function jpc_dec_process_sot of JasPer that will lead to remote denial of service attack.


Version-Release number of selected component (if applicable):

<= latest version


How reproducible:

./jasper --input jasper_POC --output-format jp2


The output information is as follows:

./jasper --input jasper_POC --output-format jp2
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)
Aborted (core dumped)


The gdb debugging information:

(gdb) set args --input jasper_POC --output-format jp2
(gdb) r

Starting program: /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/appl/jasper --input jasper_POC --output-format jp2
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)

(gdb) bt
#0  0x00007ffff7674428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff767602a in __GI_abort () at abort.c:89
#2  0x00007ffff7af5299 in jpc_dec_process_sot (dec=dec@entry=0x60d6b0, ms=ms@entry=0x60d780)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:488
#3  0x00007ffff7aeb8e9 in jpc_dec_decode (dec=0x60d6b0)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:424
#4  jpc_decode (in=<optimized out>, optstr=<optimized out>)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7a785a4 in jas_image_decode (in=in@entry=0x6094c0, fmt=<optimized out>, optstr=0x0)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/base/jas_image.c:442
#6  0x0000000000401c35 in main (argc=5, argv=<optimized out>)
    at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/appl/jasper.c:236

Program received signal SIGABRT, Aborted.
0x00007ffff7674428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54        ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.


jpc_dec_process_sot in jpc_dec.c

if (dec->ppmstab) {
	/* Convert the PPM marker segment data into a collection of streams
	(one stream per tile-part). */
	if (!(dec->pkthdrstreams = jpc_ppmstabtostreams(dec->ppmstab))) {
		abort();
	}
	jpc_ppxstab_destroy(dec->ppmstab);
	dec->ppmstab = 0;
}

Comment 6 Tomas Hoger 2018-07-31 11:27:19 UTC
(In reply to Sam Fowler from comment #0)
> There is a reachable abort in the function jpc_dec_process_sot in
> libjasper/jpc/jpc_dec.c of JasPer 2.0.14 that will lead to a remote denial
> of service attack by triggering an unexpected jas_alloc2 return value, a
> different vulnerability than CVE-2017-13745.

The above information is not correct.  I see no evidence that this is different from CVE-2017-13745.  Provided reproducer triggers the same problem that is already covered by CVE-2017-13745.

The jpc_dec_process_sot() function calls jpc_ppmstabtostreams() which returns error because of entno becoming equal to tab->numents:

https://github.com/mdadams/jasper/blob/version-2.0.14/src/libjasper/jpc/jpc_dec.c#L2375-L2377

When that happens jpc_dec_process_sot() calls abort():

https://github.com/mdadams/jasper/blob/version-2.0.14/src/libjasper/jpc/jpc_dec.c#L514-L516

This is noted as a root cause in the flaw analysis that is provided along the reproducer, see the last part of comment 5 above.

However, the CVE description notes "an unexpected jas_alloc2 return value" as being the cause of this new CVE-2018-9154.  That seems to be an incorrect analysis of the crash.  It refers to the following code earlier in the jpc_dec_process_sot():

https://github.com/mdadams/jasper/blob/version-2.0.14/src/libjasper/jpc/jpc_dec.c#L486-L489

There, jas_alloc2() is called, and abort() is used when error occurs.  However, the reproducer does not demonstrate that.  The dec->numcomps value for the reproducer is 2, so it does not trigger failure because of integer overflow check, and is unlikely to fail because of out-of-memory condition.

However, as the code to handle errors of both jpc_ppmstabtostreams() and jas_alloc2() is the same, optimized builds of jasper use just one copy of the code, so debuggers show that abort() is called after jas_alloc2() failure while it is actually called after jpc_ppmstabtostreams() failure.

Comment 7 Tomas Hoger 2018-07-31 11:30:10 UTC
Upstream bug report for CVE-2017-13745 is:

https://github.com/mdadams/jasper/issues/166

Comment 9 Tomas Hoger 2018-08-02 19:53:41 UTC
(In reply to Tomas Hoger from comment #6)
> However, as the code to handle errors of both jpc_ppmstabtostreams() and
> jas_alloc2() is the same, optimized builds of jasper use just one copy of
> the code, so debuggers show that abort() is called after jas_alloc2()
> failure while it is actually called after jpc_ppmstabtostreams() failure.

Here is a gdb backtrace from a build of jasper 2.0.14 with -O2 optimization:

#0  0x00007ffff71f6feb in raise () from /lib64/libc.so.6
#1  0x00007ffff71e15c1 in abort () from /lib64/libc.so.6
#2  0x00007ffff7b86b10 in jpc_dec_process_sot (dec=0x6057d0, ms=0x6058a0) at /tmp/jasper-2.0.14-O2/src/libjasper/jpc/jpc_dec.c:488
#3  0x00007ffff7b9ced5 in jpc_dec_decode (dec=0x6057d0) at /tmp/jasper-2.0.14-O2/src/libjasper/jpc/jpc_dec.c:424
#4  jpc_decode (in=<optimized out>, optstr=<optimized out>) at /tmp/jasper-2.0.14-O2/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7b8e32d in jas_image_decode (in=in@entry=0x6036a0, fmt=<optimized out>, fmt@entry=5, optstr=optstr@entry=0x7fffffffdb80 "")
    at /tmp/jasper-2.0.14-O2/src/libjasper/base/jas_image.c:442
#6  0x0000000000400f6b in main () at /tmp/jasper-2.0.14-O2/src/appl/imginfo.c:238
#7  0x00007ffff71e324b in __libc_start_main () from /lib64/libc.so.6
#8  0x00000000004011da in _start ()

jpc_dec.c:488 indicates abort() called after jas_alloc2().

A build with -O0 instead of -O2:

#0  0x00007ffff71d8feb in raise () from /lib64/libc.so.6
#1  0x00007ffff71c35c1 in abort () from /lib64/libc.so.6
#2  0x00007ffff7b87ca1 in jpc_dec_process_sot (dec=0x6057d0, ms=0x6058a0) at /tmp/jasper-2.0.14-O0/src/libjasper/jpc/jpc_dec.c:515
#3  0x00007ffff7b87a41 in jpc_dec_decode (dec=0x6057d0) at /tmp/jasper-2.0.14-O0/src/libjasper/jpc/jpc_dec.c:424
#4  0x00007ffff7b87621 in jpc_decode (in=0x6036a0, optstr=0x7fffffffdb30 "") at /tmp/jasper-2.0.14-O0/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7b724fb in jas_image_decode (in=0x6036a0, fmt=5, optstr=0x7fffffffdb30 "") at /tmp/jasper-2.0.14-O0/src/libjasper/base/jas_image.c:442
#6  0x000000000040115f in main (argc=3, argv=0x7fffffffdd98) at /tmp/jasper-2.0.14-O0/src/appl/imginfo.c:238

jpc_dec.c:515 now correctly indicates abort() after jpc_ppmstabtostreams().

Comment 10 Tomas Hoger 2018-08-07 13:27:02 UTC
This CVE has now been rejected as duplicate of CVE-2017-13745.

*** This bug has been marked as a duplicate of bug 1488958 ***

Comment 11 Doran Moppert 2020-02-10 04:33:47 UTC
Statement:

This flaw was found to be a duplicate of CVE-2017-13745. Please see https://access.redhat.com/security/cve/CVE-2017-13745 for information about affected products and security errata.


Note You need to log in before you can comment on or make changes to this bug.