agl / jbig2enc

JBIG2 Encoder

heap-use-after-free in jbig2enc via jbig2enc_auto_threshold_using_hash in src/jbig2enc.cc. #84

Open Frank-Z7 opened 10 months ago

Frank-Z7 commented 10 months ago

heap-use-after-free in jbig2enc

Description

jbig2enc v0.28 was discovered to contain a heap-use-after-free via jbig2enc_auto_threshold_using_hash in src/jbig2enc.cc. This vulnerability can lead to a Denial of Service (DoS).

ASAN Log

./src/jbig2 -s -a -p Poc1jbig2enc

=================================================================
==1464517==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000015470 at pc 0x555555560b51 bp 0x7fffffffdf70 sp 0x7fffffffdf60
READ of size 4 at 0x603000015470 thread T0
    #0 0x555555560b50 in remove_templates /test2/jbig2enc/src/jbig2enc.cc:248
    #1 0x555555562efd in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:484
    #2 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #3 0x7ffff6c1f082 in __libc_start_main ../csu/libc-start.c:308
    #4 0x55555555bf4d in _start (/test2/jbig2enc/src/jbig2+0x7f4d)

0x603000015470 is located 16 bytes inside of 24-byte region [0x603000015460,0x603000015478)
freed by thread T0 here:
    #0 0x7ffff769251f in operator delete(void*) ../../../../src/libsanitizer/asan/asan_new_delete.cc:165
    #1 0x55555557a4f5 in __gnu_cxx::new_allocator<std::_List_node<int> >::deallocate(std::_List_node<int>*, unsigned long) (/test2/jbig2enc/src/jbig2+0x264f5)
    #2 0x5555555778f3 in std::allocator_traits<std::allocator<std::_List_node<int> > >::deallocate(std::allocator<std::_List_node<int> >&, std::_List_node<int>*, unsigned long) (/test2/jbig2enc/src/jbig2+0x238f3)
    #3 0x555555571fc7 in std::__cxx11::_List_base<int, std::allocator<int> >::_M_put_node(std::_List_node<int>*) (/test2/jbig2enc/src/jbig2+0x1dfc7)
    #4 0x55555556e28e in std::__cxx11::list<int, std::allocator<int> >::_M_erase(std::_List_iterator<int>) (/test2/jbig2enc/src/jbig2+0x1a28e)
    #5 0x55555556c1f4 in std::__cxx11::list<int, std::allocator<int> >::pop_back() (/test2/jbig2enc/src/jbig2+0x181f4)
    #6 0x555555560ba2 in remove_templates /test2/jbig2enc/src/jbig2enc.cc:251
    #7 0x555555562efd in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:484
    #8 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #9 0x7ffff6c1f082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ffff7691587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55555557b669 in __gnu_cxx::new_allocator<std::_List_node<int> >::allocate(unsigned long, void const*) (/test2/jbig2enc/src/jbig2+0x27669)
    #2 0x55555557a524 in std::allocator_traits<std::allocator<std::_List_node<int> > >::allocate(std::allocator<std::_List_node<int> >&, unsigned long) (/test2/jbig2enc/src/jbig2+0x26524)
    #3 0x555555577918 in std::__cxx11::_List_base<int, std::allocator<int> >::_M_get_node() (/test2/jbig2enc/src/jbig2+0x23918)
    #4 0x55555557236d in std::_List_node<int>* std::__cxx11::list<int, std::allocator<int> >::_M_create_node<int const&>(int const&) (/test2/jbig2enc/src/jbig2+0x1e36d)
    #5 0x55555556e99f in void std::__cxx11::list<int, std::allocator<int> >::_M_insert<int const&>(std::_List_iterator<int>, int const&) (/test2/jbig2enc/src/jbig2+0x1a99f)
    #6 0x555555577cf2 in void std::__cxx11::list<int, std::allocator<int> >::emplace_back<int const&>(int const&) (/test2/jbig2enc/src/jbig2+0x23cf2)
    #7 0x5555555728f2 in void std::__cxx11::list<int, std::allocator<int> >::_M_initialize_dispatch<std::_List_const_iterator<int> >(std::_List_const_iterator<int>, std::_List_const_iterator<int>, std::__false_type) (/test2/jbig2enc/src/jbig2+0x1e8f2)
    #8 0x55555556ebe7 in std::__cxx11::list<int, std::allocator<int> >::list(std::__cxx11::list<int, std::allocator<int> > const&) (/test2/jbig2enc/src/jbig2+0x1abe7)
    #9 0x55555556cbb6 in std::pair<unsigned int, std::__cxx11::list<int, std::allocator<int> > >::pair<int&, std::__cxx11::list<int, std::allocator<int> >&, true>(int&, std::__cxx11::list<int, std::allocator<int> >&) (/test2/jbig2enc/src/jbig2+0x18bb6)
    #10 0x555555562cba in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:471
    #11 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #12 0x7ffff6c1f082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /test2/jbig2enc/src/jbig2enc.cc:248 in remove_templates
==1464517==ABORTING

Reproduction

git clone https://github.com/agl/jbig2enc.git
cd jbig2enc
apt install libleptonica-dev
./autogen.sh
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure --disable-shared
make -j24

./src/jbig2 -s -a -p Poc1jbig2enc

PoC

Poc1jbig2enc: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/Poc1jbig2enc

Version

root@38ad1e4b9d16:/test2/jbig2enc# ./src/jbig2 --version
jbig2enc 0.28

Reference

https://github.com/agl/jbig2enc

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang
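Added example, not code from the jbig2enc repository or from the reporter: the trace above shows remove_templates reading a std::list<int> node (jbig2enc.cc:248) that pop_back() had already freed (jbig2enc.cc:251), i.e. an iterator or reference kept alive across the call that frees its node. The helpers below are hypothetical stand-ins (the list/set names and sample values are assumptions) that put that unsafe shape next to the hardened form.

```cpp
#include <list>
#include <set>
#include <vector>
// Hypothetical stand-in for a list of template indices; names and data are
// constructed for illustration, not jbig2enc's own remove_templates().
// UNSAFE pattern (never called here): erase()/pop_back() frees the std::list
// node the iterator points at, so the following ++it reads freed memory, the
// same READ-after-free shape the ASAN trace above reports.
static void unsafe_remove(std::list<int>& templates,
                          const std::set<int>& doomed) {
  for (auto it = templates.begin(); it != templates.end(); ++it) {
    if (doomed.count(*it)) templates.erase(it);  // `it` now dangles
  }
}

// Hardened form: continue only from the iterator erase() returns.
static std::vector<int> safe_remove(std::list<int>& templates,
                                    const std::set<int>& doomed) {
  std::vector<int> removed;
  for (auto it = templates.begin(); it != templates.end();) {
    if (doomed.count(*it)) {
      removed.push_back(*it);    // read the value before the node is freed
      it = templates.erase(it);  // erase() hands back the next valid node
    } else {
      ++it;
    }
  }
  return removed;
}

// pop_back() variant: test back() first, pop, and never touch the old node.
static int safe_pop_trailing(std::list<int>& templates,
                             const std::set<int>& doomed) {
  int popped = 0;
  while (!templates.empty() && doomed.count(templates.back())) {
    templates.pop_back();
    ++popped;
  }
  return popped;
}

// Constructed input; true when both hardened helpers behave as expected.
static bool self_check() {
  std::list<int> a{1, 2, 3, 4, 5};
  std::vector<int> gone = safe_remove(a, {2, 5});
  std::list<int> b{1, 2, 5, 5};
  int n = safe_pop_trailing(b, {5, 2});
  return gone == std::vector<int>{2, 5} && a == std::list<int>{1, 3, 4} &&
         n == 3 && b == std::list<int>{1};
}
```

Building with the same -fsanitize=address flags as in the Reproduction section makes ASAN report the unsafe variant with the same heap-use-after-free shape as the log above.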

carnil commented 9 months ago

This seems to be CVE-2023-46362