
heap-use-after-free in Imf_2_5::DeepScanLineInputFile::DeepScanLineInputFile #728

Closed
arnow117 opened this issue May 18, 2020 · 1 comment

Comments

@arnow117

arnow117 commented May 18, 2020

Hi, there is a heap UAF in DeepScanLineInputFile, found by fuzzing with exrmakepreview. This issue should be reproducible with the exrmakepreview binary (with or without ASAN) as follows:

CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE_BUILD_TYPE=Debug
make -j8
./bin/exrmakepreview t.exr /tmp/o

The ASAN output follows:

  =================================================================
  ==103308==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000000878 at pc 0x7f5c6b6ea032 bp 0x7ffda6be9c70 sp 0x7ffda6be9c68
  READ of size 8 at 0x616000000878 thread T0
      #0 0x7f5c6b6ea031 in Imf_2_5::DeepScanLineInputFile::DeepScanLineInputFile(Imf_2_5::Header const&, Imf_2_5::IStream*, int, int) openexr/source/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp:1058:30
      #1 0x7f5c6b24ec25 in Imf_2_5::InputFile::initialize() openexr/source/OpenEXR/IlmImf/ImfInputFile.cpp:538:33
      #2 0x7f5c6b24bbd4 in Imf_2_5::InputFile::InputFile(char const*, int) openexr/source/OpenEXR/IlmImf/ImfInputFile.cpp:388:13
      #3 0x7f5c6b2d7b77 in Imf_2_5::RgbaInputFile::RgbaInputFile(char const*, int) openexr/source/OpenEXR/IlmImf/ImfRgbaFile.cpp:1177:21
      #4 0xd19b54 in (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf_2_5::Array2D<Imf_2_5::PreviewRgba>&) openexr/source/OpenEXR/exrmakepreview/makePreview.cpp:105:19
      #5 0xd17bed in makePreview(char const*, char const*, int, float, bool) openexr/source/OpenEXR/exrmakepreview/makePreview.cpp:158:5
      #6 0xd16b5f in main openexr/source/OpenEXR/exrmakepreview/main.cpp:185:2
      #7 0x7f5c6483c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
      #8 0x670d98 in _start (openexr/source/fuzz_build/bin/exrmakepreview+0x670d98)

  0x616000000878 is located 504 bytes inside of 520-byte region [0x616000000680,0x616000000888)
  freed by thread T0 here:
      #0 0x781b10 in operator delete(void*) /media/arnow117/Data/build-clang/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:167
      #1 0x7f5c6b6e9e4a in Imf_2_5::DeepScanLineInputFile::DeepScanLineInputFile(Imf_2_5::Header const&, Imf_2_5::IStream*, int, int) openexr/source/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp:1055:26
      #2 0x7f5c6b24ec25 in Imf_2_5::InputFile::initialize() openexr/source/OpenEXR/IlmImf/ImfInputFile.cpp:538:33
      #3 0x7f5c6b24bbd4 in Imf_2_5::InputFile::InputFile(char const*, int) openexr/source/OpenEXR/IlmImf/ImfInputFile.cpp:388:13
      #4 0x7f5c6b2d7b77 in Imf_2_5::RgbaInputFile::RgbaInputFile(char const*, int) openexr/source/OpenEXR/IlmImf/ImfRgbaFile.cpp:1177:21
      #5 0xd19b54 in (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf_2_5::Array2D<Imf_2_5::PreviewRgba>&) openexr/source/OpenEXR/exrmakepreview/makePreview.cpp:105:19
      #6 0xd17bed in makePreview(char const*, char const*, int, float, bool) openexr/source/OpenEXR/exrmakepreview/makePreview.cpp:158:5
      #7 0xd16b5f in main openexr/source/OpenEXR/exrmakepreview/main.cpp:185:2
      #8 0x7f5c6483c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

  previously allocated by thread T0 here:
      #0 0x780d18 in operator new(unsigned long) /media/arnow117/Data/build-clang/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:106
      #1 0x7f5c6b6e8f69 in Imf_2_5::DeepScanLineInputFile::DeepScanLineInputFile(Imf_2_5::Header const&, Imf_2_5::IStream*, int, int) openexr/source/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp:1035:12
      #2 0x7f5c6b24ec25 in Imf_2_5::InputFile::initialize() openexr/source/OpenEXR/IlmImf/ImfInputFile.cpp:538:33
      #3 0x7f5c6b24bbd4 in Imf_2_5::InputFile::InputFile(char const*, int) openexr/source/OpenEXR/IlmImf/ImfInputFile.cpp:388:13
      #4 0x7f5c6b2d7b77 in Imf_2_5::RgbaInputFile::RgbaInputFile(char const*, int) openexr/source/OpenEXR/IlmImf/ImfRgbaFile.cpp:1177:21
      #5 0xd19b54 in (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf_2_5::Array2D<Imf_2_5::PreviewRgba>&) openexr/source/OpenEXR/exrmakepreview/makePreview.cpp:105:19
      #6 0xd17bed in makePreview(char const*, char const*, int, float, bool) openexr/source/OpenEXR/exrmakepreview/makePreview.cpp:158:5
      #7 0xd16b5f in main openexr/source/OpenEXR/exrmakepreview/main.cpp:185:2
      #8 0x7f5c6483c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

  SUMMARY: AddressSanitizer: heap-use-after-free openexr/source/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp:1058:30 in Imf_2_5::DeepScanLineInputFile::DeepScanLineInputFile(Imf_2_5::Header const&, Imf_2_5::IStream*, int, int)
  Shadow bytes around the buggy address:
    0x0c2c7fff80b0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
    0x0c2c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2c7fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2c7fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2c7fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  =>0x0c2c7fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
    0x0c2c7fff8110: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2c7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2c7fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2c7fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2c7fff8150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==103308==ABORTING

The code snippets show the root cause:
[image]

For any further information, please feel free to contact us. Please consider giving credit for identifying the vulnerability if available.

Thanks.

arnow117 with AntFuzz,
Ant-financial Light-Year Security Lab.

t.exr.zip
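The trace above shows one constructor allocating an object (line 1035), freeing it in its error path (line 1055) and then reading it again (line 1058). As an added illustration, not OpenEXR's code and not the fix in #730, the following models that lifetime pattern with a stand-in class and shows the RAII form in which nothing after the failing step can reach freed memory; FakeStream, FileData and SafeInputFile are constructed names.

```cpp
// Added example, not OpenEXR code. Bug shape reported by ASAN above:
//   _data = new Data;            // allocate
//   try { initialize(); } catch (...) { delete _data; }   // free on failure
//   readLineOffsets(*_data...);  // still executed: heap-use-after-free
// Below, ownership is held by a std::unique_ptr member. If initialize()
// throws, the member is destroyed exactly once during unwinding and the
// statements after it in the constructor body never run.
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <vector>

// Constructed stand-in for an input stream: line offset table plus a flag
// that makes header parsing fail, as a truncated fuzz input would.
struct FakeStream { std::vector<int> lineOffsets; bool truncated; };

// Constructed stand-in for the per-file state; liveCount tracks leaks/double frees.
struct FileData {
    static int liveCount;
    std::vector<int> offsets;
    FileData()  { ++liveCount; }
    ~FileData() { --liveCount; }
};
int FileData::liveCount = 0;

class SafeInputFile {
public:
    explicit SafeInputFile(const FakeStream& is)
        : _data(std::make_unique<FileData>()) {
        initialize(is);       // may throw: _data is released by unwinding, nothing else runs
        readLineOffsets(is);  // reached only when initialize() succeeded
    }
    std::size_t numOffsets() const { return _data->offsets.size(); }
private:
    void initialize(const FakeStream& is) {
        if (is.truncated) throw std::runtime_error("truncated header");
    }
    void readLineOffsets(const FakeStream& is) { _data->offsets = is.lineOffsets; }
    std::unique_ptr<FileData> _data;
};

// Returns true when a bad stream makes construction throw AND no FileData survives.
bool constructFails(bool truncated) {
    FakeStream s{{0, 100, 200}, truncated};
    try { SafeInputFile f(s); return false; }
    catch (const std::runtime_error&) { return FileData::liveCount == 0; }
}

// Number of offsets read from a well-formed stream.
std::size_t offsetsAfterSuccess() {
    FakeStream s{{0, 100, 200}, false};
    SafeInputFile f(s);
    return f.numOffsets();
}
```

Building the same snippet with -fsanitize=address, as the report does for exrmakepreview, is the quick way to confirm the error path no longer touches the released object.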

peterhillman added a commit to peterhillman/openexr that referenced this issue May 19, 2020
@cary-ilm
Member

This should be fixed by #730.

cary-ilm pushed a commit to cary-ilm/openexr that referenced this issue Jun 11, 2020
cary-ilm pushed a commit that referenced this issue Jun 12, 2020
smartin-13 pushed a commit to smartin-13/openexr that referenced this issue Jul 23, 2020
…rror handling
DominicJacksonBFX pushed a commit to boris-fx/mocha-openexr that referenced this issue Jun 22, 2022