silnrsi / graphite

Graphite is a "smart font" system developed specifically to handle the complexities of lesser-known languages of the world.
http://graphite.sil.org/

Memory corruption found in graphite2::SegCacheEntry::clear() #25

Closed gsharpsh00ter closed 6 years ago

gsharpsh00ter commented 6 years ago

0x01 Description

In libgraphite2 version 1.3.11 and the master branch, a memory corruption vulnerability was found in graphite2::SegCacheEntry::clear(), which may allow attackers to cause a denial of service or possibly execute arbitrary code via a crafted font type file.

0x02 How to reproduce

This issue can be reproduced by the following command: gr2fonttest libgraphite2-SegCacheEntry-clear-memory-corruption.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003

0x03 Backtrace Information

gzq@ubuntu:~/tmp/graphite-1.3.11/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...(no debugging symbols found)...done.
(gdb) r libgraphite2-SegCacheEntry-clear-memory-corruption.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest libgraphite2-SegCacheEntry-clear-memory-corruption.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000    102f    103f    104f    105f    106f    107f    108f    109f    10af
10bf    10cf    10df    10ef    10ff    2000    2001    2002    2003    
*** Error in `/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest': free(): invalid next size (fast): 0x00005555557704f0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7ffff74cf0cb]
/lib/x86_64-linux-gnu/libc.so.6(+0x82c9a)[0x7ffff74d8c9a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff74dcd8c]
/home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3(+0x2903f)[0x7ffff7bce03f]
/home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3(+0x280c8)[0x7ffff7bcd0c8]
/home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3(+0x6f3c)[0x7ffff7babf3c]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(_ZNK10Parameters12testFileFontEv+0x527)[0x555555556df7]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(main+0x268)[0x555555555f98]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff74763f1]
/home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest(_start+0x2a)[0x555555555fea]
======= Memory map: ========
555555554000-555555559000 r-xp 00000000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
555555758000-555555759000 r--p 00004000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
555555759000-55555575a000 rw-p 00005000 08:01 1283739                    /home/gzq/tmp/graphite-1.3.11/build/gr2fonttest/gr2fonttest
55555575a000-5555557af000 rw-p 00000000 00:00 0                          [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff6f36000-7ffff703e000 r-xp 00000000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff703e000-7ffff723d000 ---p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723d000-7ffff723e000 r--p 00107000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723e000-7ffff723f000 rw-p 00108000 08:01 1442008                    /lib/x86_64-linux-gnu/libm-2.24.so
7ffff723f000-7ffff7255000 r-xp 00000000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7255000-7ffff7454000 ---p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7454000-7ffff7455000 r--p 00015000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7455000-7ffff7456000 rw-p 00016000 08:01 1447267                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7456000-7ffff7614000 r-xp 00000000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7614000-7ffff7813000 ---p 001be000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7813000-7ffff7817000 r--p 001bd000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7817000-7ffff7819000 rw-p 001c1000 08:01 1442004                    /lib/x86_64-linux-gnu/libc-2.24.so
7ffff7819000-7ffff781d000 rw-p 00000000 00:00 0 
7ffff781d000-7ffff7995000 r-xp 00000000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7995000-7ffff7b95000 ---p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b95000-7ffff7b9f000 r--p 00178000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7b9f000-7ffff7ba1000 rw-p 00182000 08:01 1715108                    /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.22
7ffff7ba1000-7ffff7ba5000 rw-p 00000000 00:00 0 
7ffff7ba5000-7ffff7bd5000 r-xp 00000000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7bd5000-7ffff7dd4000 ---p 00030000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd4000-7ffff7dd6000 r--p 0002f000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd6000-7ffff7dd7000 rw-p 00031000 08:01 1283559                    /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3.0.1
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7fd2000-7ffff7fd7000 rw-p 00000000 00:00 0 
7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1441999                    /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff748d3ea in __GI_abort () at abort.c:89
#2  0x00007ffff74cf0d0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff75e4f80 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff74d8c9a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff75e4ff8 "free(): invalid next size (fast)", action=3) at malloc.c:5048
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3904
#5  0x00007ffff74dcd8c in __GI___libc_free (mem=<optimized out>) at malloc.c:2984
#6  0x00007ffff7bce03f in graphite2::SegCacheEntry::clear() () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#7  0x00007ffff7bcd0c8 in graphite2::SegCache::clear(graphite2::SegCacheStore*) () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#8  0x00007ffff7babf3c in graphite2::CachedFace::~CachedFace() () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#9  0x0000555555556df7 in Parameters::testFileFont() const ()
#10 0x0000555555555f98 in main ()

I didn't dig into the detail. I'm not sure if this issue is the same as the previous one (#24); the backtrace seems different.

For security considerations, the PoC file attached is encrypted with a password; if you need it, please ask me for it.

0x04 Author

This issue is reported by Ziqiang Gu from Weiran Labs.

libgraphite2-SegCacheEntry-clear-memory-corruption.zip
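The reporter's open question, whether this crash is the same bug as #24, is the usual triage question when fuzzers produce a stream of crash files. The script below is an added example, not part of this issue or of the graphite project: it parses the gdb `bt` output from this report (embedded here as sample input), recovers the glibc allocator message from the `malloc_printerr` frame, isolates the frames inside libgraphite2, and hashes the first few of them into a bucket key so that two reports can be compared before anyone opens the PoC. The library-name substring, the three-frame depth and the field names are assumptions of this example, not anything the project defines.

```python
import hashlib
import re

# Constructed input: the gdb "bt" output from this report, embedded so the
# script runs offline. The "\n" inside frame #2's format string is escaped
# so the literal survives as gdb printed it.
SAMPLE_BT = """#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff748d3ea in __GI_abort () at abort.c:89
#2  0x00007ffff74cf0d0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff75e4f80 "*** Error in `%s': %s: 0x%s ***\\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff74d8c9a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff75e4ff8 "free(): invalid next size (fast)", action=3) at malloc.c:5048
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3904
#5  0x00007ffff74dcd8c in __GI___libc_free (mem=<optimized out>) at malloc.c:2984
#6  0x00007ffff7bce03f in graphite2::SegCacheEntry::clear() () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#7  0x00007ffff7bcd0c8 in graphite2::SegCache::clear(graphite2::SegCacheStore*) () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#8  0x00007ffff7babf3c in graphite2::CachedFace::~CachedFace() () from /home/gzq/tmp/graphite-1.3.11/build/src/libgraphite2.so.3
#9  0x0000555555556df7 in Parameters::testFileFont() const ()
#10 0x0000555555555f98 in main ()
"""

# One gdb frame:  #N  [0xADDR in ]FUNC (ARGS)[ at FILE:LINE | from LIB]
# FUNC is matched non-greedily up to the first " (" so that C++ signatures
# such as "clear(graphite2::SegCacheStore*)" stay in the function field.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+ in )?"
    r"(?P<func>.+?) \((?P<args>.*)\)"
    r"(?: (?P<kind>at|from) (?P<loc>\S+))?\s*$"
)


def parse_backtrace(text):
    """Turn gdb 'bt' text into a list of frame dicts, innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["num"] = int(d["num"])
            frames.append(d)
    return frames


def allocator_message(frames):
    """Recover glibc's malloc_printerr message, e.g. 'free(): invalid next size (fast)'.

    Its presence means glibc's own heap consistency check fired, i.e. chunk
    metadata was already corrupted before free() ran; the real bug is earlier.
    """
    for f in frames:
        if f["func"] == "malloc_printerr":
            m = re.search(r'str=0x[0-9a-fA-F]+ "([^"]*)"', f["args"])
            if m:
                return m.group(1)
    return None


def in_library_frames(frames, lib_substr):
    """Frames whose 'from' location names the library under test (assumed substring)."""
    return [f for f in frames
            if f["kind"] == "from" and lib_substr in (f["loc"] or "")]


def crash_signature(frames, lib_substr, depth=3):
    """Bucket key: hash of the first `depth` in-library function names.

    Two reports with the same key are very likely the same bug; different keys
    (as the reporter suspects for #24) deserve separate investigation. The
    depth of three is an assumption chosen for this example.
    """
    funcs = [f["func"] for f in in_library_frames(frames, lib_substr)][:depth]
    return hashlib.sha256("|".join(funcs).encode()).hexdigest()[:16]


def triage(text, lib_substr="libgraphite2"):
    """Summarise one crash report in the fields a maintainer compares first."""
    frames = parse_backtrace(text)
    lib = in_library_frames(frames, lib_substr)
    msg = allocator_message(frames)
    return {
        "allocator_message": msg,
        "heap_metadata_corruption": msg is not None,
        "first_library_frame": lib[0]["func"] if lib else None,
        "signature": crash_signature(frames, lib_substr),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BT).items():
        print(f"{key}: {value}")
```

Run on this report the summary names graphite2::SegCacheEntry::clear() as the first in-library frame and flags the crash as a glibc heap-metadata check rather than a fault at the corrupting write itself, which is why a sanitizer build (ASan reports the out-of-bounds write where it happens) is the next step before comparing against #24.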

tim-eves commented 6 years ago

I've added you to our private repo for security bugs. Please could you re-post the zip files (both from here and from #24) in an issue there, either unencrypted or with the password. I'll leave this bug open so I can mark it closed once it's been fixed.

gsharpsh00ter commented 6 years ago

Can you tell me how to visit your private repository? I found no way.

mhosken commented 6 years ago

The segcache has been removed, thus -cache is no longer valid. Please retest without -cache and reopen this bug if there is still a problem.