Bug 795248 - (CVE-2018-10114) crash on reading malformed ppm files

Status: RESOLVED FIXED
Product: GEGL
Classification: Other
Component: gegl binary
Version: unspecified
Hardware: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: Default Gegl Component Owner
Depends on:
Blocks:
Reported: 2018-04-14 05:02 UTC by xqx
Modified: 2018-04-15 05:51 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description xqx 2018-04-14 05:02:07 UTC
An out-of-bounds write in gegl could result in a crash at least. It may be exploited to execute code.
The debug information is as follows:

========
(gdb) run ./gegl-outbound-write-1
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /src/aflbuild/installed/bin/gegl ./gegl-outbound-write-1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

(gegl:303): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead

(gegl:303): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead

** (gegl:303): WARNING **: No display handler operation found for gegl:display
[New Thread 0x7fffef432700 (LWP 304)]

Thread 1 "gegl" received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:37
37      ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: d7482cdb03f2cb0b586cd5cf74b1cb43.f4d790321ded280ed3837c295823fc52
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)
(gdb) bt
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:37
#1  memcpy at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2  gegl_buffer_iterate_read_simple at ../../../gegl/gegl/buffer/gegl-buffer-access.c:1212
#3  gegl_buffer_iterate_read_dispatch at ../../../gegl/gegl/buffer/gegl-buffer-access.c:1832
#4  _gegl_buffer_get_unlocked at ../../../gegl/gegl/buffer/gegl-buffer-access.c:2055
#5  process at ../../../gegl/operations/external/ppm-load.c:320
#6  gegl_operation_source_process at ../../../gegl/gegl/operation/gegl-operation-source.c:182
#7  gegl_graph_process at ../../../gegl/gegl/process/gegl-graph-traversal.c:469
#8  gegl_eval_manager_apply at ../../../gegl/gegl/process/gegl-eval-manager.c:128
#9  gegl_node_apply_roi at ../../../gegl/gegl/graph/gegl-node.c:1081
#10 gegl_node_blit at ../../../gegl/gegl/graph/gegl-node.c:1161
#11 render_rectangle at ../../../gegl/gegl/process/gegl-processor.c:518
#12 gegl_processor_render at ../../../gegl/gegl/process/gegl-processor.c:662
#13 gegl_processor_work at ../../../gegl/gegl/process/gegl-processor.c:796
#14 gegl_node_process at ../../../gegl/gegl/graph/gegl-node.c:1827
#15 main at ../../gegl/bin/gegl.c:255


For the PoC, please refer to:
https://github.com/xiaoqx/pocs/blob/master/gegl/gegl-outbound-write-1
Comment 1 Øyvind Kolås (pippin) 2018-04-14 12:25:46 UTC
For crashes which result from a fuzzed input file, the problem is likely in the file reader for this operation itself - please attach files/test-cases directly to bug reports instead of linking to external repositories.
Comment 2 Øyvind Kolås (pippin) 2018-04-14 12:30:27 UTC
Using a more valid ppm would also cause the same crash, thus rejecting the strange fuzzed form would be insufficient.

---------------
P6
725583137 4
255
---------------

commit 66003c7fee310f203c9947864429e03e652e02e7 (HEAD -> master)
Author: Øyvind Kolås <pippin@gimp.org>
Date:   Sat Apr 14 14:26:37 2018 +0200

    ppm-load: limit max permitted buffer allocation to 2GB
    
    Fixing bug #795248
Comment 3 Øyvind Kolås (pippin) 2018-04-14 12:32:26 UTC
Actual commit hash changed, since other changes had happened in the repo.

commit c83b05d565a1e3392c9606a4ecaa560eb9a4ee29
Author: Øyvind Kolås <pippin@gimp.org>
Date:   Sat Apr 14 14:26:37 2018 +0200

    ppm-load: limit max permitted buffer allocation to 2GB
    
    Fixing bug #795248
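As an added example (not GEGL's own code and not the patch from the commit above), the header check below applies the kind of limit the commit message describes: it parses a P6 header, computes the pixel buffer size in 64-bit arithmetic so the product cannot wrap, and rejects any header whose data would exceed a 2 GB cap, so the "more valid" header from Comment 2 (725583137 x 4) is refused before any allocation happens. The cap constant, the function names and the error codes are assumptions, not values taken from ppm-load.c.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap, mirroring the commit message "limit max permitted buffer
 * allocation to 2GB"; the exact constant used in ppm-load.c is not on the page. */
#define PPM_MAX_BUFFER_BYTES ((uint64_t)2u * 1024u * 1024u * 1024u)

enum { PPM_OK = 0, PPM_BAD_HEADER = -1, PPM_TOO_LARGE = -2 };

/* Read one unsigned decimal field after optional whitespace. A leading '-'
 * is rejected explicitly because strtoull() would silently negate it. */
static int read_field(const char **p, uint64_t *v)
{
    char *end;
    while (isspace((unsigned char)**p)) (*p)++;
    if (!isdigit((unsigned char)**p)) return 0;
    errno = 0;
    *v = strtoull(*p, &end, 10);
    if (errno == ERANGE) return 0;
    *p = end;
    return 1;
}

/* Validate a binary PPM ("P6") header and compute the pixel buffer size in
 * 64-bit arithmetic. Returns PPM_OK and sets *bytes, or an error code.
 * Simplification: '#' comment lines allowed by the PPM format are not handled. */
int ppm_check_header(const char *hdr, uint64_t *bytes)
{
    uint64_t w, h, maxval, bpp;
    const char *p = hdr;
    if (strncmp(p, "P6", 2) != 0 || !isspace((unsigned char)p[2])) return PPM_BAD_HEADER;
    p += 2;
    if (!read_field(&p, &w) || !read_field(&p, &h) || !read_field(&p, &maxval))
        return PPM_BAD_HEADER;
    if (w == 0 || h == 0 || maxval == 0 || maxval > 65535) return PPM_BAD_HEADER;
    bpp = (maxval > 255) ? 6 : 3;   /* 3 channels, 1 or 2 bytes per sample */
    /* Each product is bounded against the cap before it is formed, so
     * w * h * bpp can never wrap the way a 32-bit size computation would. */
    if (w > PPM_MAX_BUFFER_BYTES / bpp) return PPM_TOO_LARGE;
    if (h > PPM_MAX_BUFFER_BYTES / (w * bpp)) return PPM_TOO_LARGE;
    *bytes = w * h * bpp;
    return PPM_OK;
}
```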