Here is the abort output, captured while running FLIF under gdb:
(gdb) set args -d /home/lx/DIVE_github/secdive/bin/hfl/output/3066771E5C592B1C72695C17AA24193689A625/hfl-libc-abort-1-\{reta_libc.so.6.0x732a4\} output.png --overwrite
(gdb) r
Starting program: /home/lx/github/7_25/flif/HFL/flif -d /home/lx/DIVE_github/secdive/bin/hfl/output/3066771E5C592B1C72695C17AA24193689A625/hfl-libc-abort-1-\{reta_libc.so.6.0x732a4\} output.png --overwrite
Warning: expected file name extension ".flif" for input file, trying anyway...
Invalid tree. Aborting tree decoding.
File ended prematurely or decoding was interrupted.
libpng warning: Image width exceeds user limit in IHDR
libpng error: Invalid IHDR data
*** longjmp causes uninitialized stack frame ***: /home/lx/github/7_25/flif/HFL/flif terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7329f)[0x7ffff7a8429f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1f87c]
/lib/x86_64-linux-gnu/libc.so.6(+0x10e78d)[0x7ffff7b1f78d]
/lib/x86_64-linux-gnu/libc.so.6(__longjmp_chk+0x29)[0x7ffff7b1f6e9]
/lib/x86_64-linux-gnu/libpng12.so.0(png_error+0x91)[0x7ffff7806311]
/lib/x86_64-linux-gnu/libpng12.so.0(png_set_IHDR+0x80)[0x7ffff77f04b0]
/home/lx/github/7_25/flif/HFL/flif[0x441e40]
/home/lx/github/7_25/flif/HFL/flif[0x420f2b]
/home/lx/github/7_25/flif/HFL/flif[0x407d3e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a32f45]
/home/lx/github/7_25/flif/HFL/flif[0x41fb19]
======= Memory map: ========
00400000-00501000 r-xp 00000000 08:01 25185630 /home/lx/github/7_25/flif/HFL/flif
00700000-00703000 r--p 00100000 08:01 25185630 /home/lx/github/7_25/flif/HFL/flif
00703000-00705000 rw-p 00103000 08:01 25185630 /home/lx/github/7_25/flif/HFL/flif
00705000-0073d000 rw-p 00000000 00:00 0 [heap]
7ffff6082000-7ffff6da2000 rw-p 00000000 00:00 0
7ffff6da2000-7ffff6ea7000 r-xp 00000000 08:01 61349090 /lib/x86_64-linux-gnu/libm-2.19.so
7ffff6ea7000-7ffff70a6000 ---p 00105000 08:01 61349090 /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a6000-7ffff70a7000 r--p 00104000 08:01 61349090 /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a7000-7ffff70a8000 rw-p 00105000 08:01 61349090 /lib/x86_64-linux-gnu/libm-2.19.so
7ffff70a8000-7ffff70c0000 r-xp 00000000 08:01 61341903 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff70c0000-7ffff72bf000 ---p 00018000 08:01 61341903 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72bf000-7ffff72c0000 r--p 00017000 08:01 61341903 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72c0000-7ffff72c1000 rw-p 00018000 08:01 61341903 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff72c1000-7ffff72d7000 r-xp 00000000 08:01 61342814 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff72d7000-7ffff74d6000 ---p 00016000 08:01 61342814 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d6000-7ffff74d7000 r--p 00015000 08:01 61342814 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d7000-7ffff74d8000 rw-p 00016000 08:01 61342814 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff74d8000-7ffff75df000 r-xp 00000000 08:01 60689024 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff75df000-7ffff77de000 ---p 00107000 08:01 60689024 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77de000-7ffff77e6000 r--p 00106000 08:01 60689024 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77e6000-7ffff77e8000 rw-p 0010e000 08:01 60689024 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.24
7ffff77e8000-7ffff77eb000 rw-p 00000000 00:00 0
7ffff77eb000-7ffff7810000 r-xp 00000000 08:01 61346095 /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7810000-7ffff7a0f000 ---p 00025000 08:01 61346095 /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a0f000-7ffff7a10000 r--p 00024000 08:01 61346095 /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a10000-7ffff7a11000 rw-p 00025000 08:01 61346095 /lib/x86_64-linux-gnu/libpng12.so.0.50.0
7ffff7a11000-7ffff7bcf000 r-xp 00000000 08:01 61349104 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7bcf000-7ffff7dcf000 ---p 001be000 08:01 61349104 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dcf000-7ffff7dd3000 r--p 001be000 08:01 61349104 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd3000-7ffff7dd5000 rw-p 001c2000 08:01 61349104 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd5000-7ffff7dda000 rw-p 00000000 00:00 0
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 61349093 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7fbb000-7ffff7fc2000 rw-p 00000000 00:00 0
7ffff7ff6000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 61349093 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 61349093 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Program received signal SIGABRT, Aborted.
0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
Here is the gdb backtrace, register state and disassembly at the crash point:
(gdb) bt
#0 0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4b028 in __GI_abort () at abort.c:89
#2 0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7b93db0 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff7b1f87c in __GI___fortify_fail (msg=<optimized out>) at fortify_fail.c:38
#4 0x00007ffff7b1f78d in ____longjmp_chk () at ../sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S:100
#5 0x00007ffff7b1f6e9 in __longjmp_chk (env=0x1, val=1) at ../setjmp/longjmp.c:38
#6 0x00007ffff7806311 in png_error () from /lib/x86_64-linux-gnu/libpng12.so.0
#7 0x00007ffff77f04b0 in png_set_IHDR () from /lib/x86_64-linux-gnu/libpng12.so.0
#8 0x0000000000441e40 in image_save_png(char const*, Image const&) [clone .part.23] [clone .lto_priv.316] ()
#9 0x0000000000420f2b in Image::save(char const*) const ()
#10 0x0000000000407d3e in main ()
(gdb) i r
rax 0x0 0
rbx 0x60 96
rcx 0x7ffff7a47c37 140737348140087
rdx 0x6 6
rsi 0x36b4b 224075
rdi 0x36b4b 224075
rbp 0x7fffffffdbb0 0x7fffffffdbb0
rsp 0x7fffffffd898 0x7fffffffd898
r8 0x7ffff7b8b640 140737349465664
r9 0x4028f0 4204784
r10 0x8 8
r11 0x246 582
r12 0x7fffffffda20 140737488345632
r13 0x5 5
r14 0x60 96
r15 0x5 5
rip 0x7ffff7a47c37 0x7ffff7a47c37 <__GI_raise+55>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/10i $pc
=> 0x7ffff7a47c37 <__GI_raise+55>: cmp $0xfffffffffffff000,%rax
0x7ffff7a47c3d <__GI_raise+61>: ja 0x7ffff7a47c5d <__GI_raise+93>
0x7ffff7a47c3f <__GI_raise+63>: repz retq
0x7ffff7a47c41 <__GI_raise+65>: nopl 0x0(%rax)
0x7ffff7a47c48 <__GI_raise+72>: test %ecx,%ecx
0x7ffff7a47c4a <__GI_raise+74>: jg 0x7ffff7a47c27 <__GI_raise+39>
0x7ffff7a47c4c <__GI_raise+76>: mov %ecx,%eax
0x7ffff7a47c4e <__GI_raise+78>: neg %eax
0x7ffff7a47c50 <__GI_raise+80>: and $0x7fffffff,%ecx
0x7ffff7a47c56 <__GI_raise+86>: cmove %esi,%eax
@EnchantedJohn Please attach the input file that triggers this crash to this issue report as a zip archive, so the abort can be reproduced.
Someone (probably @EnchantedJohn) requested a CVE identifier for this issue: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14876
An issue was discovered in image_save_png in image/image-png.cpp in Free Lossless Image Format (FLIF) 0.3. Attackers can trigger a longjmp that leads to an uninitialized stack frame after a libpng error concerning the IHDR image width.
Hello everyone. I found this abort in FLIF with my company's fuzzing tool; the cause appears to be the glibc check "longjmp causes uninitialized stack frame". Searching for that message turned up the same failure in curl, so I believe this is a genuine bug, and I wanted to provide more detail. Reading the trace above: png_set_IHDR() rejects the header (libpng warns that the image width exceeds the user limit), png_error() then calls longjmp, and glibc's FORTIFY check in __longjmp_chk (env=0x1) aborts because the jmp_buf it is asked to jump to was never initialised. This suggests image_save_png() does not establish libpng's error handler with setjmp(png_jmpbuf(png_ptr)) before calling png_set_IHDR(), which should be confirmed against image/image-png.cpp. Note also that the decoder had already reported "Invalid tree" and "File ended prematurely", yet the program still went on to Image::save(), so a decode failure is not preventing the write of a partially-decoded image with untrusted dimensions. With _FORTIFY_SOURCE the outcome is a clean abort (a denial of service); on a build without fortification the longjmp would jump through an uninitialised context, so the impact could be worse there.