[Secure-testing-team] Bug#881120: gifsicle: use after free while running gifsicle

Joonun Jang joonun.jang at gmail.com
Wed Nov 8 01:48:57 UTC 2017


Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

use after free while running gifsicle with "poc poc -o output" option

Running 'gifsicle poc poc -o output' with the attached file raises a use after free,
which may allow a remote attacker to cause a denial-of-service attack or other unspecified
impact with a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------

june at yuweol:~/poc/gifsicle/crash3$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
*** Error in `gifsicle': corrupted size vs. prev_size: 0x00005607ed886d40 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f4338e5abfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f4338e60fc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7738d)[0x7f4338e6138d]
/lib/x86_64-linux-gnu/libc.so.6(+0x78dfa)[0x7f4338e62dfa]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7f4338e64f64]
gifsicle(+0x877e)[0x5607ecfff77e]
gifsicle(+0x21a51)[0x5607ed018a51]
gifsicle(+0x22d97)[0x5607ed019d97]
gifsicle(+0x1f674)[0x5607ed016674]
gifsicle(+0x209a3)[0x5607ed0179a3]
gifsicle(+0x4054)[0x5607ecffb054]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f4338e0a2e1]
gifsicle(+0x472a)[0x5607ecffb72a]
======= Memory map: ========
5607ecff7000-5607ed024000 r-xp 00000000 08:01 2104695                    /usr/bin/gifsicle
5607ed224000-5607ed225000 r--p 0002d000 08:01 2104695                    /usr/bin/gifsicle
5607ed225000-5607ed226000 rw-p 0002e000 08:01 2104695                    /usr/bin/gifsicle
5607ed885000-5607ed8ad000 rw-p 00000000 00:00 0                          [heap]
7f4334000000-7f4334021000 rw-p 00000000 00:00 0
7f4334021000-7f4338000000 ---p 00000000 00:00 0
7f4338bd3000-7f4338be9000 r-xp 00000000 08:01 2235139                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338be9000-7f4338de8000 ---p 00016000 08:01 2235139                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338de8000-7f4338de9000 r--p 00015000 08:01 2235139                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338de9000-7f4338dea000 rw-p 00016000 08:01 2235139                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338dea000-7f4338f7d000 r-xp 00000000 08:01 2235485                    /lib/x86_64-linux-gnu/libc-2.24.so
7f4338f7d000-7f433917d000 ---p 00193000 08:01 2235485                    /lib/x86_64-linux-gnu/libc-2.24.so
7f433917d000-7f4339181000 r--p 00193000 08:01 2235485                    /lib/x86_64-linux-gnu/libc-2.24.so
7f4339181000-7f4339183000 rw-p 00197000 08:01 2235485                    /lib/x86_64-linux-gnu/libc-2.24.so
7f4339183000-7f4339187000 rw-p 00000000 00:00 0
7f4339187000-7f433928a000 r-xp 00000000 08:01 2235490                    /lib/x86_64-linux-gnu/libm-2.24.so
7f433928a000-7f4339489000 ---p 00103000 08:01 2235490                    /lib/x86_64-linux-gnu/libm-2.24.so
7f4339489000-7f433948a000 r--p 00102000 08:01 2235490                    /lib/x86_64-linux-gnu/libm-2.24.so
7f433948a000-7f433948b000 rw-p 00103000 08:01 2235490                    /lib/x86_64-linux-gnu/libm-2.24.so
7f433948b000-7f43394a3000 r-xp 00000000 08:01 2235501                    /lib/x86_64-linux-gnu/libpthread-2.24.so
7f43394a3000-7f43396a2000 ---p 00018000 08:01 2235501                    /lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a2000-7f43396a3000 r--p 00017000 08:01 2235501                    /lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a3000-7f43396a4000 rw-p 00018000 08:01 2235501                    /lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a4000-7f43396a8000 rw-p 00000000 00:00 0
7f43396a8000-7f43396cb000 r-xp 00000000 08:01 2230784                    /lib/x86_64-linux-gnu/ld-2.24.so
7f43398a6000-7f43398a8000 rw-p 00000000 00:00 0
7f43398c7000-7f43398cb000 rw-p 00000000 00:00 0
7f43398cb000-7f43398cc000 r--p 00023000 08:01 2230784                    /lib/x86_64-linux-gnu/ld-2.24.so
7f43398cc000-7f43398cd000 rw-p 00024000 08:01 2230784                    /lib/x86_64-linux-gnu/ld-2.24.so
7f43398cd000-7f43398ce000 rw-p 00000000 00:00 0
7ffddc943000-7ffddc964000 rw-p 00000000 00:00 0                          [stack]
7ffddc96f000-7ffddc971000 r--p 00000000 00:00 0                          [vvar]
7ffddc971000-7ffddc973000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

-------------------------------------------

june at yuweol:~/poc/gifsicle/crash3$ ~/project/analyze/bins/gifsicle-1.90/src/gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
=================================================================
==4710==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000000020 at pc 0x7fb750ff7994 bp 0x7ffd9ce72e40 sp 0x7ffd9ce725f0
READ of size 2 at 0x608000000020 thread T0
    #0 0x7fb750ff7993  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x4f993)
    #1 0x561e458994b7 in Gif_CopyString (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x214b7)
    #2 0x561e458a9efc in merge_image (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x31efc)
    #3 0x561e458df0d4 in merge_frame_interval (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x670d4)
    #4 0x561e458f55db in merge_and_write_frames (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7d5db)
    #5 0x561e458f5f77 in output_frames (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7df77)
    #6 0x561e458fb3c7 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x833c7)
    #7 0x7fb7509272e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x561e45887da9 in _start (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0xfda9)

0x608000000020 is located 0 bytes inside of 87-byte region [0x608000000020,0x608000000077)
freed by thread T0 here:
    #0 0x7fb7510818c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x561e458a43ae in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c3ae)
    #2 0x561e458a48cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
    #3 0x561e458f401d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
    #4 0x561e458fb2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
    #5 0x7fb7509272e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x7fb751081fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x561e45897de8 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
    #2 0x561e458a29db in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
    #3 0x561e458a3fe2 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
    #4 0x561e458a48cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
    #5 0x561e458f401d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
    #6 0x561e458fb2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
    #7 0x7fb7509272e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x4f993)
Shadow bytes around the buggy address:
  0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8000: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8010: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4710==ABORTING

-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
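The ASan trace above shows the shape of the defect: a buffer allocated while reading the stream (Gif_Realloc via suck_data) is freed on the read-error path inside read_gif, yet the stream object is still handed on to merge_image, whose Gif_CopyString reads the freed bytes. The following C program is an added illustration of that bug class and its hardening, not code from gifsicle or from the reporter; the toy_stream type, read_stream, merge_comment, the "TOY89a" format and the sample inputs are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stream object, constructed for this illustration (not gifsicle's Gif_Stream). */
typedef struct {
    char *comment;    /* heap string filled in by the reader */
    int   read_error; /* set when the reader rejected the input */
} toy_stream;

/* Duplicate a C string on the heap (the same job Gif_CopyString does in the trace). */
static char *copy_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out) memcpy(out, s, n);
    return out;
}

/* Parse a made-up format: 6-byte magic "TOY89a", a 1-byte comment length,
 * the comment bytes, then one block-type byte that must be 0x21 or 0x3B.
 * Returns 0 on success and -1 on a read error. The error path mirrors the
 * report: the comment buffer is freed, but the stream object survives and is
 * handed to the next stage. With clear_on_free == 0 the pointer is left
 * dangling (the defect pattern); with clear_on_free == 1 it is reset. */
static int read_stream(const unsigned char *buf, size_t len,
                       toy_stream *st, int clear_on_free) {
    st->comment = NULL;
    st->read_error = 0;
    if (len < 8 || memcmp(buf, "TOY89a", 6) != 0) {
        st->read_error = 1;
        return -1;
    }
    size_t clen = buf[6];
    if (len < 7 + clen + 1) {
        st->read_error = 1;
        return -1;
    }
    st->comment = malloc(clen + 1);
    if (!st->comment) {
        st->read_error = 1;
        return -1;
    }
    memcpy(st->comment, buf + 7, clen);
    st->comment[clen] = '\0';

    unsigned char block = buf[7 + clen];
    if (block != 0x21 && block != 0x3B) {
        fprintf(stderr, "read error: unknown block type %u at file offset %zu\n",
                block, (size_t)(7 + clen));
        free(st->comment);
        if (clear_on_free)
            st->comment = NULL;   /* hardened: no dangling pointer survives the error path */
        st->read_error = 1;
        return -1;
    }
    return 0;
}

/* Later stage, analogous to merge_image copying the comment. Reading
 * st->comment after the buggy error path is a heap-use-after-free that ASan
 * reports as in the trace; the NULL check turns the hardened reader's
 * rejected input into a clean failure instead. */
static char *merge_comment(const toy_stream *st) {
    if (st->comment == NULL)
        return NULL;
    return copy_string(st->comment);
}

/* Returns 1 when the hardened pipeline rejects the bad input without touching
 * freed memory. Only clear_on_free == 1 is exercised, so this program itself
 * has no undefined behaviour. */
int demo_rejects_bad_block(void) {
    /* Constructed input: valid magic, 5-byte comment, then block type 49 (0x31). */
    static const unsigned char poc[] = "TOY89a\x05hello\x31";
    toy_stream st;
    int rc = read_stream(poc, sizeof poc - 1, &st, 1);
    char *copy = merge_comment(&st);
    int ok = (rc == -1 && st.read_error == 1 && copy == NULL);
    free(copy);
    return ok;
}

/* Returns the length of the merged comment for a well-formed input (5 here). */
int demo_valid_input(void) {
    static const unsigned char good[] = "TOY89a\x05hello\x3B";
    toy_stream st;
    if (read_stream(good, sizeof good - 1, &st, 1) != 0)
        return -1;
    char *copy = merge_comment(&st);
    int n = copy ? (int)strlen(copy) : -1;
    free(copy);
    free(st.comment);
    return n;
}

int main(void) {
    printf("bad block rejected safely: %d\n", demo_rejects_bad_block());
    printf("merged comment length: %d\n", demo_valid_input());
    return 0;
}
```

The defender's takeaway is the one the trace makes visible: an error path that frees part of an object but still returns the object must leave it in a consistent state (pointer cleared, error flag set), and every later consumer must honour that state. Building with `-fsanitize=address` and running the fuzzer-found input, as the reporter did, is the cheapest way to confirm such a fix, since the sanitizer reports the freed-then-read region with both the free and the allocation stacks.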

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 105 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171108/cfb69d40/attachment.obj>

