jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

memory leak detected #188

Closed magicSwordsMan closed 4 years ago

magicSwordsMan commented 6 years ago

Hello jasper team, I have identified an issue affecting jasper by using AFL fuzz.

```
root@kali:~/jasper/outputFuzz/crashes# valgrind -v --tool=memcheck --leak-check=full jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
==80146== Memcheck, a memory error detector
==80146== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==80146== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==80146== Command: jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
==80146==
--80146-- Valgrind options:
--80146--    -v
--80146--    --tool=memcheck
--80146--    --leak-check=full
--80146-- Contents of /proc/version:
--80146--   Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
--80146--
--80146-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-avx-avx2-bmi
--80146-- Page sizes: currently 4096, max supported 4096
--80146-- Valgrind library directory: /usr/lib/valgrind
--80146-- Reading syms from /usr/local/bin/jasper
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.27.so
--80146--   Considering /usr/lib/debug/.build-id/dc/5cb16f5e644116cac64a4c3f5da4d081b81a4f.debug ..
--80146--   .. build-id is valid
--80146-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--80146--   Considering /usr/lib/valgrind/memcheck-amd64-linux ..
--80146--   .. CRC mismatch (computed 7680f3df wanted 92e0f93c)
--80146--   Considering /usr/lib/debug/usr/lib/valgrind/memcheck-amd64-linux ..
--80146--   .. CRC is valid
--80146--    object doesn't have a dynamic symbol table
--80146-- Scheduler: using generic scheduler lock implementation.
--80146-- Reading suppressions file: /usr/lib/valgrind/default.supp
==80146== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-80146-by-root-on-???
==80146== embedded gdbserver: writing to   /tmp/vgdb-pipe-to-vgdb-from-80146-by-root-on-???
==80146== embedded gdbserver: shared mem   /tmp/vgdb-pipe-shared-mem-vgdb-80146-by-root-on-???
==80146==
==80146== TO CONTROL THIS PROCESS USING vgdb (which you probably
==80146== don't want to do, unless you know exactly what you're doing,
==80146== or are doing some strange experiment):
==80146==   /usr/lib/valgrind/../../bin/vgdb --pid=80146 ...command...
==80146==
==80146== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==80146==   /path/to/gdb jasper
==80146== and then give GDB the following command
==80146==   target remote | /usr/lib/valgrind/../../bin/vgdb --pid=80146
==80146== --pid is optional if only one valgrind process is running
==80146==
--80146-- REDIR: 0x401e290 (ld-linux-x86-64.so.2:strlen) redirected to 0x58061781 (vgPlain_amd64_linux_REDIR_FOR_strlen)
--80146-- REDIR: 0x401e070 (ld-linux-x86-64.so.2:index) redirected to 0x5806179b (vgPlain_amd64_linux_REDIR_FOR_index)
--80146-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--80146--   Considering /usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--80146--   .. CRC mismatch (computed 66a2a561 wanted 3789c7eb)
--80146--   Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--80146--   .. CRC is valid
--80146-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--80146--   Considering /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--80146--   .. CRC mismatch (computed 8487a070 wanted 8af30a91)
--80146--   Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--80146--   .. CRC is valid
==80146== WARNING: new redirection conflicts with existing -- ignoring it
--80146--     old: 0x0401e290 (strlen              ) R-> (0000.0) 0x58061781 vgPlain_amd64_linux_REDIR_FOR_strlen
--80146--     new: 0x0401e290 (strlen              ) R-> (2007.0) 0x04838a60 strlen
--80146-- REDIR: 0x401aab0 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4839b90 (strcmp)
--80146-- REDIR: 0x401e7d0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x483d1a0 (mempcpy)
--80146-- Reading syms from /usr/local/lib/libjasper.so.4.0.0
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/libm-2.27.so
--80146--   Considering /usr/lib/debug/.build-id/fa/b2857727406caccd7ab22e1729b09ccf2c3eb7.debug ..
--80146--   .. build-id is valid
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/libc-2.27.so
--80146--   Considering /usr/lib/debug/.build-id/dc/87cd1e2b171a4c51139cb4e1f2ec630e711de3.debug ..
--80146--   .. build-id is valid
--80146-- REDIR: 0x4c2d050 (libc.so.6:memmove) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c280 (libc.so.6:strncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d330 (libc.so.6:strcasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bcd0 (libc.so.6:strcat) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c2b0 (libc.so.6:rindex) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2e900 (libc.so.6:rawmemchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d1c0 (libc.so.6:mempcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2cff0 (libc.so.6:bcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c240 (libc.so.6:strncmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd40 (libc.so.6:strcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d120 (libc.so.6:memset) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c46b60 (libc.so.6:wcschr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c1e0 (libc.so.6:strnlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bdb0 (libc.so.6:strcspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d380 (libc.so.6:strncasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd80 (libc.so.6:strcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d4c0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c2e0 (libc.so.6:strpbrk) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd00 (libc.so.6:index) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c1b0 (libc.so.6:strlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c331b0 (libc.so.6:memrchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d3d0 (libc.so.6:strcasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2cfc0 (libc.so.6:memchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c47920 (libc.so.6:wcslen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c590 (libc.so.6:strspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d300 (libc.so.6:stpncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d2d0 (libc.so.6:stpcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2e930 (libc.so.6:strchrnul) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d420 (libc.so.6:strncasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4cff700 (libc.so.6:strrchr_avx2) redirected to 0x48383e0 (rindex)
--80146-- REDIR: 0x4cff8d0 (libc.so.6:__strlen_avx2) redirected to 0x48389a0 (strlen)
--80146-- REDIR: 0x4c285c0 (libc.so.6:malloc) redirected to 0x4835750 (malloc)
--80146-- REDIR: 0x4cecc90 (libc.so.6:strcpy_ssse3) redirected to 0x4838a80 (strcpy)
--80146-- REDIR: 0x4cdb0a0 (libc.so.6:strcmp_ssse3) redirected to 0x4839a50 (strcmp)
--80146-- REDIR: 0x4c28c50 (libc.so.6:free) redirected to 0x4836980 (free)
--80146-- REDIR: 0x4cffe10 (libc.so.6:__memcpy_avx_unaligned_erms) redirected to 0x483c390 (memmove)
--80146-- REDIR: 0x4cff510 (libc.so.6:strchrnul_avx2) redirected to 0x483ccd0 (strchrnul)
--80146-- REDIR: 0x4cffdf0 (libc.so.6:__mempcpy_avx_unaligned_erms) redirected to 0x483cde0 (mempcpy)
warning: trailing garbage in marker segment (15 bytes)
warning: trailing garbage in marker segment (35 bytes)
warning: ignoring unknown marker segment (0xff78)
type = 0xff78 (UNKNOWN); len = 38;32 00 04 32 32 32 16 46 25 25 25 25 3c 25 25 12 00 02 25 ff ff ff ff ff ff ff 39 38 38 20 ff ff ff 25 25 80
warning: trailing garbage in marker segment (53 bytes)
warning: trailing garbage in marker segment (6 bytes)
--80146-- REDIR: 0x4d00290 (libc.so.6:__memset_avx2_unaligned_erms) redirected to 0x483c280 (memset)
==80146==
==80146== Process terminating with default action of signal 6 (SIGABRT)
==80146==    at 0x4BDAF3B: raise (raise.c:51)
==80146==    by 0x4BDC2F0: abort (abort.c:79)
==80146==    by 0x484FA18: jpc_dec_process_sot.cold.16 (jpc_dec.c:488)
==80146==    by 0x490E3E0: jpc_dec_decode (jpc_dec.c:424)
==80146==    by 0x490E3E0: jpc_decode (jpc_dec.c:261)
==80146==    by 0x48AA033: jas_image_decode (jas_image.c:442)
==80146==    by 0x10A7E3: main (jasper.c:236)
==80146==
==80146== HEAP SUMMARY:
==80146==     in use at exit: 38,186 bytes in 62 blocks
==80146==   total heap usage: 151 allocs, 89 frees, 182,091 bytes allocated
==80146==
==80146== Searching for pointers to 62 not-freed blocks
==80146== Checked 125,920 bytes
==80146==
==80146== 14 bytes in 1 blocks are definitely lost in loss record 24 of 58
==80146==    at 0x48357BF: malloc (vg_replace_malloc.c:299)
==80146==    by 0x48B8177: jas_malloc (jas_malloc.c:241)
==80146==    by 0x48F7938: jpc_unk_getparms (jpc_cs.c:1554)
==80146==    by 0x48FA9FA: jpc_getms (jpc_cs.c:280)
==80146==    by 0x490E1AB: jpc_dec_decode (jpc_dec.c:406)
==80146==    by 0x490E1AB: jpc_decode (jpc_dec.c:261)
==80146==    by 0x48AA033: jas_image_decode (jas_image.c:442)
==80146==    by 0x10A7E3: main (jasper.c:236)
==80146==
==80146== LEAK SUMMARY:
==80146==    definitely lost: 14 bytes in 1 blocks
==80146==    indirectly lost: 0 bytes in 0 blocks
==80146==      possibly lost: 0 bytes in 0 blocks
==80146==    still reachable: 38,172 bytes in 61 blocks
==80146==         suppressed: 0 bytes in 0 blocks
==80146== Reachable blocks (those to which a pointer was found) are not shown.
==80146== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==80146==
==80146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==80146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Aborted
```

```
root@kali:~/jasper/outputFuzz/crashes# jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
warning: trailing garbage in marker segment (15 bytes)
warning: trailing garbage in marker segment (35 bytes)
warning: ignoring unknown marker segment (0xff78)
type = 0xff78 (UNKNOWN); len = 38;32 00 04 32 32 32 16 46 25 25 25 25 3c 25 25 12 00 02 25 ff ff ff ff ff ff ff 39 38 38 20 ff ff ff 25 25 80
warning: trailing garbage in marker segment (53 bytes)
warning: trailing garbage in marker segment (6 bytes)
Aborted
```

Attached the PoC: poc.zip

Version: jasper-2.0.14

Found by: TAN JIE
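The trace above pairs a leak whose allocation site is the unknown-marker parser (jpc_unk_getparms via jas_malloc) with a process abort from an assertion in jpc_dec_process_sot. The example below is an added illustration of that shape of bug and is not JasPer's code: a simplified marker-segment loop that copies each segment body to the heap, skips the release when it decides to ignore an unknown marker, and drops the segment in flight when a later tile-part check fails, shown beside the same loop with one cleanup path and an error return in place of the assert. The function names, the `seg_alloc`/`seg_free` counters standing in for valgrind's heap summary, the four-byte "code, length" segment layout, and the sample codestream bytes (an unknown marker 0xff78 with a 14-byte body followed by an SOT whose tile index is out of range) are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not JasPer code): a marker-segment loop that leaks on
 * two exit paths, and the same loop with a single cleanup point. */

static long g_live_blocks = 0;   /* stand-in for valgrind's "in use at exit" count */

static void *seg_alloc(size_t n) { void *p = malloc(n); if (p) g_live_blocks++; return p; }
static void  seg_free(void *p)   { if (p) { g_live_blocks--; free(p); } }
long live_blocks(void)           { return g_live_blocks; }

#define MS_SOT 0xff90            /* start-of-tile-part marker (a real JPEG 2000 code) */

typedef struct {
    uint16_t type;
    uint16_t len;                /* length field; counts itself, not the marker code */
    uint8_t *body;               /* heap copy of the segment body (len - 2 bytes) */
} marker_seg;

/* Parse one "code(2) len(2) body(len-2)" segment at p. Returns bytes consumed, 0 on error.
 * On success *ms owns a heap block, the role the parms buffer plays in the trace above. */
static size_t get_marker(const uint8_t *p, size_t n, marker_seg *ms) {
    if (n < 4) return 0;
    ms->type = (uint16_t)((p[0] << 8) | p[1]);
    ms->len  = (uint16_t)((p[2] << 8) | p[3]);
    ms->body = NULL;
    if (ms->len < 2 || (size_t)ms->len + 2 > n) return 0;   /* length must fit the input */
    ms->body = seg_alloc((size_t)ms->len - 2 + 1);          /* +1 so an empty body still allocates */
    if (!ms->body) return 0;
    memcpy(ms->body, p + 4, (size_t)ms->len - 2);
    return 2 + (size_t)ms->len;
}

/* The fatal check: a tile-part whose tile index (Isot) is beyond the image's tile count.
 * The trace shows an assertion firing here; this version reports an error instead. */
static int process_sot(const marker_seg *ms, unsigned numtiles) {
    if (ms->len < 4) return -1;                             /* Isot needs two body bytes */
    unsigned isot = (unsigned)((ms->body[0] << 8) | ms->body[1]);
    return isot < numtiles ? 0 : -1;
}

/* Leaky version: the "ignore unknown marker" branch jumps past seg_free(), and the
 * error return drops the segment currently held. Two blocks leak on the sample input. */
int decode_leaky(const uint8_t *cs, size_t n, unsigned numtiles) {
    size_t off = 0;
    while (off < n) {
        marker_seg ms;
        size_t used = get_marker(cs + off, n - off, &ms);
        if (!used) return -1;
        off += used;
        if (ms.type != MS_SOT)
            continue;                                       /* unknown marker: body never freed */
        if (process_sot(&ms, numtiles) != 0)
            return -1;                                      /* segment in flight dropped */
        seg_free(ms.body);
    }
    return 0;
}

/* Fixed version: every path through the loop reaches the same release, and the
 * error exit frees whatever the loop still owns before returning. */
int decode_fixed(const uint8_t *cs, size_t n, unsigned numtiles) {
    size_t off = 0;
    int rc = 0;
    marker_seg ms = {0, 0, NULL};
    while (off < n) {
        size_t used = get_marker(cs + off, n - off, &ms);
        if (!used) { rc = -1; break; }
        off += used;
        if (ms.type == MS_SOT && process_sot(&ms, numtiles) != 0) { rc = -1; break; }
        seg_free(ms.body);                                  /* known and unknown markers alike */
        ms.body = NULL;
    }
    seg_free(ms.body);                                      /* NULL on success; the held segment on error */
    return rc;
}

/* Constructed codestream: unknown marker 0xff78 with a 14-byte body, then an SOT
 * whose Isot (0x0007) is out of range for a one-tile image, forcing the error exit. */
static const uint8_t sample_cs[] = {
    0xff, 0x78, 0x00, 0x10,                                 /* unknown marker, len 16 */
    0x32, 0x00, 0x04, 0x32, 0x32, 0x32, 0x16, 0x46,
    0x25, 0x25, 0x25, 0x25, 0x3c, 0x25,                     /* 14 body bytes */
    0xff, 0x90, 0x00, 0x0a,                                 /* SOT, len 10 */
    0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,         /* Isot=7, Psot, TPsot, TNsot */
};

/* Run one decoder over the sample and report how many blocks it left unreleased. */
long leaked_blocks_after(int (*decode)(const uint8_t *, size_t, unsigned)) {
    g_live_blocks = 0;
    (void)decode(sample_cs, sizeof sample_cs, 1);
    return g_live_blocks;
}

int main(void) {
    printf("leaky decoder: %ld block(s) leaked\n", leaked_blocks_after(decode_leaky));
    printf("fixed decoder: %ld block(s) leaked\n", leaked_blocks_after(decode_fixed));
    return 0;
}
```

Both decoders reject the sample input; the difference is only what they leave on the heap when they do. Returning an error rather than asserting also matters on its own: an assert reachable from file contents turns any malformed input into a crash of the whole process, which is what the SIGABRT in the trace shows.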

carnil commented 6 years ago

This issue has been assigned CVE-2018-19139

apoleon commented 5 years ago

After applying my patches I cannot reproduce the memory leak with valgrind anymore. See https://github.com/mdadams/jasper/issues/182

apoleon commented 5 years ago

Correction. This one is still reproducible. I forgot to disable ASAN again.

MaxKellermann commented 4 years ago

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many). This bug will be fixed by https://github.com/jasper-maint/jasper/pull/38 (merge pending)