FLIF-hub / FLIF

Free Lossless Image Format

FLIF aborted caused by longjmp causes uninitialized stack frame #520

Open EnchantedJohn opened 6 years ago

EnchantedJohn commented 6 years ago

Hello, guys. I use my company's fuzzing tools, and I found that FLIF aborted. I think it is caused by a longjmp that causes an uninitialized stack frame. I searched for some information about it; on Google, curl met the same situation. So I think it is a BUG, and I want to show you more information about it.

EnchantedJohn commented 6 years ago

Here is the abort information:

(gdb) set args -d /home/lx/DIVE_github/secdive/bin/hfl/output/3066771E5C592B1C72695C17AA24193689A625/hfl-libc-abort-1-\{reta_libc.so.6.0x732a4\} output.png --overwrite
(gdb) r
Starting program: /home/lx/github/7_25/flif/HFL/flif -d /home/lx/DIVE_github/secdive/bin/hfl/output/3066771E5C592B1C72695C17AA24193689A625/hfl-libc-abort-1-\{reta_libc.so.6.0x732a4\} output.png --overwrite
Warning: expected file name extension ".flif" for input file, trying anyway...
Invalid tree. Aborting tree decoding.
File ended prematurely or decoding was interrupted.
libpng warning: Image width exceeds user limit in IHDR
libpng error: Invalid IHDR data
*** longjmp causes uninitialized stack frame ***: /home/lx/github/7_25/flif/HFL/flif terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7329f)[0x7ffff7a8429f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1f87c]
/lib/x86_64-linux-gnu/libc.so.6(+0x10e78d)[0x7ffff7b1f78d]
/lib/x86_64-linux-gnu/libc.so.6(__longjmp_chk+0x29)[0x7ffff7b1f6e9]
/lib/x86_64-linux-gnu/libpng12.so.0(png_error+0x91)[0x7ffff7806311]
/lib/x86_64-linux-gnu/libpng12.so.0(png_set_IHDR+0x80)[0x7ffff77f04b0]
/home/lx/github/7_25/flif/HFL/flif[0x441e40]
/home/lx/github/7_25/flif/HFL/flif[0x420f2b]
/home/lx/github/7_25/flif/HFL/flif[0x407d3e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a32f45]
/home/lx/github/7_25/flif/HFL/flif[0x41fb19]
======= Memory map: ========
00400000-00501000 r-xp 00000000 08:01 25185630                           /home/lx/github/7_25/flif/HFL/flif
00700000-00703000 r--p 00100000 08:01 25185630                           /home/lx/github/7_25/flif/HFL/flif
00703000-00705000 rw-p 00103000 08:01 25185630                           /home/lx/github/7_25/flif/HFL/flif
00705000-0073d000 rw-p 00000000 00:00 0                                  [heap]
7ffff6082000-7ffff6da2000 rw-p 00000000 00:00 0 
7ffff6da2000-7ffff6ea7000 r-xp 00000000 08:01 61349090                   /lib/x86_64-linux-gnu/libm-2.19.so
7ffff6ea7000-7ffff70a6000 ---p 00105000 08:01 61349090                   /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a6000-7ffff70a7000 r--p 00104000 08:01 61349090                   /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a7000-7ffff70a8000 rw-p 00105000 08:01 61349090                   /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a8000-7ffff70c0000 r-xp 00000000 08:01 61341903                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff70c0000-7ffff72bf000 ---p 00018000 08:01 61341903                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72bf000-7ffff72c0000 r--p 00017000 08:01 61341903                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72c0000-7ffff72c1000 rw-p 00018000 08:01 61341903                   /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72c1000-7ffff72d7000 r-xp 00000000 08:01 61342814                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff72d7000-7ffff74d6000 ---p 00016000 08:01 61342814                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d6000-7ffff74d7000 r--p 00015000 08:01 61342814                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d7000-7ffff74d8000 rw-p 00016000 08:01 61342814                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d8000-7ffff75df000 r-xp 00000000 08:01 60689024                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff75df000-7ffff77de000 ---p 00107000 08:01 60689024                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77de000-7ffff77e6000 r--p 00106000 08:01 60689024                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77e6000-7ffff77e8000 rw-p 0010e000 08:01 60689024                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77e8000-7ffff77eb000 rw-p 00000000 00:00 0 
7ffff77eb000-7ffff7810000 r-xp 00000000 08:01 61346095                   /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7810000-7ffff7a0f000 ---p 00025000 08:01 61346095                   /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a0f000-7ffff7a10000 r--p 00024000 08:01 61346095                   /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a10000-7ffff7a11000 rw-p 00025000 08:01 61346095                   /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a11000-7ffff7bcf000 r-xp 00000000 08:01 61349104                   /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7bcf000-7ffff7dcf000 ---p 001be000 08:01 61349104                   /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dcf000-7ffff7dd3000 r--p 001be000 08:01 61349104                   /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd3000-7ffff7dd5000 rw-p 001c2000 08:01 61349104                   /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd5000-7ffff7dda000 rw-p 00000000 00:00 0 
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 61349093                   /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7fbb000-7ffff7fc2000 rw-p 00000000 00:00 0 
7ffff7ff6000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 61349093                   /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 61349093                   /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
EnchantedJohn commented 6 years ago

Then, here is the gdb information:

(gdb) bt
#0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
#2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7b93db0 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7b1f87c in __GI___fortify_fail (msg=<optimized out>) at fortify_fail.c:38
#4  0x00007ffff7b1f78d in ____longjmp_chk () at ../sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S:100
#5  0x00007ffff7b1f6e9 in __longjmp_chk (env=0x1, val=1) at ../setjmp/longjmp.c:38
#6  0x00007ffff7806311 in png_error () from /lib/x86_64-linux-gnu/libpng12.so.0
#7  0x00007ffff77f04b0 in png_set_IHDR () from /lib/x86_64-linux-gnu/libpng12.so.0
#8  0x0000000000441e40 in image_save_png(char const*, Image const&) [clone .part.23] [clone .lto_priv.316] ()
#9  0x0000000000420f2b in Image::save(char const*) const ()
#10 0x0000000000407d3e in main ()
(gdb) i r
rax            0x0  0
rbx            0x60 96
rcx            0x7ffff7a47c37   140737348140087
rdx            0x6  6
rsi            0x36b4b  224075
rdi            0x36b4b  224075
rbp            0x7fffffffdbb0   0x7fffffffdbb0
rsp            0x7fffffffd898   0x7fffffffd898
r8             0x7ffff7b8b640   140737349465664
r9             0x4028f0 4204784
r10            0x8  8
r11            0x246    582
r12            0x7fffffffda20   140737488345632
r13            0x5  5
r14            0x60 96
r15            0x5  5
rip            0x7ffff7a47c37   0x7ffff7a47c37 <__GI_raise+55>
eflags         0x246    [ PF ZF IF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
(gdb) x/10i $pc
=> 0x7ffff7a47c37 <__GI_raise+55>:  cmp    $0xfffffffffffff000,%rax
   0x7ffff7a47c3d <__GI_raise+61>:  ja     0x7ffff7a47c5d <__GI_raise+93>
   0x7ffff7a47c3f <__GI_raise+63>:  repz retq 
   0x7ffff7a47c41 <__GI_raise+65>:  nopl   0x0(%rax)
   0x7ffff7a47c48 <__GI_raise+72>:  test   %ecx,%ecx
   0x7ffff7a47c4a <__GI_raise+74>:  jg     0x7ffff7a47c27 <__GI_raise+39>
   0x7ffff7a47c4c <__GI_raise+76>:  mov    %ecx,%eax
   0x7ffff7a47c4e <__GI_raise+78>:  neg    %eax
   0x7ffff7a47c50 <__GI_raise+80>:  and    $0x7fffffff,%ecx
   0x7ffff7a47c56 <__GI_raise+86>:  cmove  %esi,%eax
fgeek commented 6 years ago

@EnchantedJohn Include the file causing this as a zip file to this issue report.

fgeek commented 6 years ago

Someone (probably @EnchantedJohn) requested a CVE identifier for this issue: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14876

An issue was discovered in image_save_png in image/image-png.cpp in Free Lossless Image Format (FLIF) 0.3. Attackers can trigger a longjmp that leads to an uninitialized stack frame after a libpng error concerning the IHDR image width.
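The backtrace above is the classic libpng error-contract failure: png_set_IHDR() rejects the width ("Image width exceeds user limit in IHDR"), png_error() longjmp()s to the jmp_buf that png_jmpbuf(png_ptr) returns, and because image_save_png() never armed that buffer with setjmp(), glibc's fortified __longjmp_chk detects the bogus target frame and aborts. The following is an added example, not FLIF's or libpng's own code: it models that contract with a small mock of the libpng error API (mock_png, mock_png_error, mock_png_set_IHDR are all hypothetical names), shows the unguarded call pattern beside the guarded one, and treats the unarmed case the way the mock can observe it instead of aborting the process. The width limit of 1,000,000 is assumed here to stand in for libpng's default user width limit.

```c
/*
 * Added example (not FLIF or libpng code): a minimal model of the libpng
 * error contract.  libpng reports fatal errors through png_error(), which
 * longjmp()s to png_jmpbuf(png_ptr).  The caller must arm that buffer with
 * setjmp() before calling any png_* function; if it does not, the longjmp
 * targets an uninitialized jmp_buf, and glibc's __longjmp_chk aborts with
 * "longjmp causes uninitialized stack frame".
 */
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for libpng's default user width limit. */
#define MOCK_USER_WIDTH_MAX 1000000u

typedef struct {
    jmp_buf jmpbuf;        /* what png_jmpbuf(png_ptr) would hand back */
    int     jmpbuf_armed;  /* mock-only: has the caller called setjmp()? */
    int     aborted;       /* mock-only: stand-in for __fortify_fail() */
    char    last_error[64];
} mock_png;

/* Stand-in for png_error(): unwind to the caller's handler. */
static void mock_png_error(mock_png *p, const char *msg)
{
    snprintf(p->last_error, sizeof p->last_error, "%s", msg);
    if (!p->jmpbuf_armed) {
        /* Real libpng longjmp()s regardless and glibc then aborts the
         * process.  The mock records the condition instead so that the
         * unguarded caller (and a test) can observe it without dying. */
        p->aborted = 1;
        return;
    }
    longjmp(p->jmpbuf, 1);
}

/* Stand-in for png_set_IHDR(): the width check that fired in the report. */
static void mock_png_set_IHDR(mock_png *p, uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0 || width > MOCK_USER_WIDTH_MAX)
        mock_png_error(p, "Invalid IHDR data");
}

/* The pattern the backtrace implies: png_* calls with no setjmp() guard.
 * Returns 1 if the mock "aborted" (the real process would be dead), 0 on
 * success. */
int save_png_unguarded(uint32_t width, uint32_t height)
{
    mock_png *p = calloc(1, sizeof *p);  /* like png_create_write_struct */
    int aborted;
    if (!p)
        return 1;
    mock_png_set_IHDR(p, width, height);
    aborted = p->aborted;
    free(p);
    return aborted;
}

/* The correct pattern: arm the jmp_buf before the first png_* call so that
 * png_error() lands back here and the function can fail cleanly.
 * Returns 0 on success and -1 on a libpng error; it never "aborts".
 * p is a pointer to heap storage (as png_ptr is in libpng) and is not
 * modified after setjmp(), so reading through it after longjmp() is safe. */
int save_png_guarded(uint32_t width, uint32_t height)
{
    mock_png *p = calloc(1, sizeof *p);
    if (!p)
        return -1;
    if (setjmp(p->jmpbuf)) {
        /* png_error() jumped here: report, release, fail. */
        fprintf(stderr, "png error: %s\n", p->last_error);
        free(p);
        return -1;
    }
    p->jmpbuf_armed = 1;
    mock_png_set_IHDR(p, width, height);
    free(p);
    return 0;
}

int main(void)
{
    /* Constructed inputs: an over-wide image like the fuzzed file, and a
     * sane one. */
    printf("unguarded, width 2000000: aborted=%d\n", save_png_unguarded(2000000u, 10u));
    printf("guarded,   width 2000000: rc=%d\n", save_png_guarded(2000000u, 10u));
    printf("guarded,   width 100:     rc=%d\n", save_png_guarded(100u, 10u));
    return 0;
}
```

The guard alone turns the abort into an ordinary error return; a writer that already knows the image dimensions can additionally reject widths and heights above the limit before creating the libpng structures, so the error path is never reached for hostile input.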