invalid free in MiniPS::delete0 (in minips.cpp:222) #28

Closed
fantasy7082 opened this issue Feb 23, 2018 · 5 comments
Labels
more info needed to reproduce This issue is blocked on more information from the reporter or from contributors.

Comments

@fantasy7082

There is an invalid free in MiniPS::delete0 that leads to a segmentation fault in sam2p 0.49.4. A crafted input will lead to a denial of service attack.
Steps to reproduce:

./sam2p 011-freenomalloc-minips EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 011-freenomalloc-minips
sam2p: Notice: writeTTT: using template: l23ind1
sam2p: Notice: applyProfile: applied OutputRule #9 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null
=================================================================
==20940==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60c000008380 in thread T0
    #0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x43f91f in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:222
    #2 0x43f9d8 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.hpp:223
    #3 0x43f9d8 in MiniPS::Array::free() /root/sam2p_ASAN2/sam2p/minips.cpp:376
    #4 0x43f91f in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:222
    #5 0x43f6ff in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:451
    #6 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
    #7 0x43f6ff in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:451
    #8 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
    #9 0x4043e6 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1103
    #10 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
    #11 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)

0x60c000008380 is located 48 bytes inside of 4294967295-byte region [0x60c000008350,0x60c10000834f)
ASAN:SIGSEGV
==20940==AddressSanitizer: while reporting a bug found another one. Ignoring.

POC file: https://github.com/fantasy7082/image_test/blob/master/011-freenomalloc-minips

@pts
Owner

pts commented Feb 27, 2018

I'm not able to reproduce this bug as of a6621e9. Valgrind doesn't print any errors:

==5842== 
==5842== HEAP SUMMARY:
==5842==     in use at exit: 0 bytes in 0 blocks
==5842==   total heap usage: 2,980 allocs, 2,980 frees, 2,250,721 bytes allocated
==5842== 
==5842== All heap blocks were freed -- no leaks are possible
==5842== 
==5842== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)
--5842-- 
--5842-- used_suppression:      2 glibc-2.5.x-on-SUSE-10.2-(PPC)-2a
==5842== 
==5842== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)

If you can reproduce this bug with the latest sam2p commit and Valgrind, please reopen this issue.

@pts pts closed this as completed Feb 27, 2018
@fantasy7082
Author

@pts Well, I also found the problem later: you should disable ASAN when you compile with gcc 7.x (but there is no problem in gcc 5.x). That means you can't compile the project with the flags "-ggdb -fsanitize=address":

cat /etc/issue
Ubuntu 17.10 \n \l

root@ubuntu:~/sam2p-asan2/sam2p-test/sam2p# gcc --version
gcc (Ubuntu 7.2.0-8ubuntu3.2) 7.2.0
Copyright (C) 2017 Free Software Foundation, Inc.

./configure --enable-gif --enable-lzw --prefix=/usr/local/sam2p-test/
....
make
....
./sam2p 011-freenomalloc-minips EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 011-freenomalloc-minips
sam2p: Notice: writeTTT: using template: l23ind1
sam2p: Notice: applyProfile: applied OutputRule #9 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null
Segmentation fault (core dumped)

gdb -q ./sam2p
Reading symbols from ./sam2p...done.
(gdb) r 011-freenomalloc-minips EPS: /dev/null
Starting program: /root/sam2p-asan2/sam2p-test/sam2p/sam2p 011-freenomalloc-minips EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 011-freenomalloc-minips
sam2p: Notice: writeTTT: using template: l23ind1
sam2p: Notice: applyProfile: applied OutputRule #9 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0xffffffffffffffff) at malloc.c:3124
3124	malloc.c: No such file or directory.
(gdb) l
3119	in malloc.c
(gdb) bt
#0  __GI___libc_free (mem=0xffffffffffffffff) at malloc.c:3124
#1  0x0000555555577815 in MiniPS::delete0 (v=93824994864752) at minips.cpp:224
#2  0x00005555555777a5 in MiniPS::Dict::free (this=0x5555557d6ae0) at minips.cpp:451
#3  0x0000555555577825 in MiniPS::delete0 (v=93824994863840) at minips.cpp:221
#4  0x00005555555777a5 in MiniPS::Dict::free (this=0x5555557d6920) at minips.cpp:451
#5  0x0000555555577825 in MiniPS::delete0 (v=93824994863392) at minips.cpp:221
#6  0x000055555555bef4 in run_sam2p_engine (sout=..., serr=..., argv1=<optimized out>, helpp=<optimized out>)
    at sam2p_main.cpp:1103
#7  0x000055555555b029 in main (argv=0x7fffffffe488) at sam2p_main.cpp:1148
(gdb)
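The gdb frame above shows free() being entered with mem=0xffffffffffffffff, and the ASAN report describes the same shape of problem as a free on an address it never allocated: a word that is not a heap pointer is handed to the allocator. As an added example (not sam2p's code; the tagged-word layout, the tag values and all names here are assumptions made for illustration), this is a recursive release routine for a MiniPS-like tagged value that decodes the tag before any free(), so an all-ones sentinel is counted and skipped instead of reaching the allocator:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tagged-value model for this example only; it is NOT sam2p's
 * MiniPS code.  Like delete0(long) in the traces above, one machine word
 * carries either an immediate or a heap pointer, distinguished here by a
 * tag in the low two bits (malloc() alignment keeps those bits clear). */
typedef intptr_t Value;

enum Tag { TAG_INT = 0, TAG_STRING = 1, TAG_ARRAY = 2, TAG_SPECIAL = 3 };
#define TAG_MASK ((intptr_t)3)

typedef struct Array {
    size_t len;
    Value items[];           /* C99 flexible array member */
} Array;

static void *untag(Value v) { return (void *)(v & ~TAG_MASK); }

Value make_int(intptr_t i) { return (Value)(((uintptr_t)i << 2) | TAG_INT); }

/* All-ones word: the same value the gdb frame above shows reaching free(). */
Value make_undef(void) { return (Value)-1; }

Value make_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) return make_undef();
    memcpy(p, s, n);
    return (Value)((intptr_t)p | TAG_STRING);
}

Value make_array(size_t len) {
    Array *a = malloc(sizeof *a + len * sizeof(Value));
    if (a == NULL) return make_undef();
    a->len = len;
    for (size_t i = 0; i < len; i++) a->items[i] = make_undef();
    return (Value)((intptr_t)a | TAG_ARRAY);
}

/* Store v in slot i of an array value; 0 on success, -1 if arr is not an
 * array or i is out of range. */
int array_set(Value arr, size_t i, Value v) {
    if ((arr & TAG_MASK) != TAG_ARRAY) return -1;
    Array *a = untag(arr);
    if (i >= a->len) return -1;
    a->items[i] = v;
    return 0;
}

/* Recursive release.  Only words whose tag denotes a heap object reach
 * free(); immediates are ignored, and a TAG_SPECIAL word (such as the
 * all-ones sentinel) is counted in *rejected instead of being freed.
 * Returns the number of heap blocks actually freed. */
size_t release_value(Value v, size_t *rejected) {
    size_t freed = 0;
    switch (v & TAG_MASK) {
    case TAG_INT:
        break;
    case TAG_STRING:
        free(untag(v));
        freed = 1;
        break;
    case TAG_ARRAY: {
        Array *a = untag(v);
        for (size_t i = 0; i < a->len; i++)
            freed += release_value(a->items[i], rejected);
        free(a);
        freed += 1;
        break;
    }
    default:                 /* TAG_SPECIAL: no heap storage behind it */
        (*rejected)++;
        break;
    }
    return freed;
}

int main(void) {
    /* Constructed sample tree: [7, "abc", undef, ["x"]] */
    Value outer = make_array(4), inner = make_array(1);
    array_set(inner, 0, make_string("x"));
    array_set(outer, 0, make_int(7));
    array_set(outer, 1, make_string("abc"));
    array_set(outer, 2, make_undef());
    array_set(outer, 3, inner);
    size_t rejected = 0;
    size_t freed = release_value(outer, &rejected);
    printf("freed %zu heap blocks, skipped %zu non-heap words\n", freed, rejected);
    return 0;
}
```

Built with -fsanitize=address, a sentinel that slips into a container shows up here as a non-zero skipped count rather than as an "attempting free on address which was not malloc()-ed" report, which is the point of the design: the check belongs where the type tag is decoded, before free() is ever called.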

@batgui

batgui commented Aug 28, 2018

Hi, I use your command to build sam2p, but I cannot get the exact source file where things go wrong,
#1 0x43f91f in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:222
#2 0x43f9d8 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.hpp:223
#3 0x43f9d8 in MiniPS::Array::free() /root/sam2p_ASAN2/sam2p/minips.cpp:376
#4 0x43f91f in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:222
I only get something like
#1 0x4203ec (/usr/local/bin/sam2p+0x4203ec)
#2 0x42339 (/usr/local/bin/sam2p+0x422339)
#3 0x46f349 (/usr/local/bin/sam2p+0x46f349)
#4 0x4036ea (/usr/local/bin/sam2p+0x4036ea)
#5 0x402323 (/usr/local/bin/sam2p+0x402323)
What's the problem...

@pts
Owner

pts commented Aug 28, 2018

Thank you for the additional details! I need more time to debug this.

Please confirm the commit ID of your sam2p Git repo.

@pts pts reopened this Aug 28, 2018
@pts
Owner

pts commented Sep 17, 2018

I still can't reproduce this bug without ASAN:

$ git rev-parse HEAD
3eea9c499977ffd9da64ca9ad0967706a5b26004
$ gcc --version
gcc (Debian 7.3.0-5) 7.3.0
...
$ ./configure --enable-gif --enable-lzw
...
$ make
...
$ ./sam2p 011-freenomalloc-minips EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 011-freenomalloc-minips
sam2p: Notice: writeTTT: using template: l23ind1
sam2p: Notice: applyProfile: applied OutputRule #9 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null
Success.

I can't reproduce this bug with ASAN either:

$ git rev-parse HEAD
3eea9c499977ffd9da64ca9ad0967706a5b26004
$ gcc --version
gcc (Debian 7.3.0-5) 7.3.0
...
$ ./configure --enable-gif --enable-lzw
...
$ rm -f sam2p.yes && make sam2p.yes GFLAG='-ggdb -fsanitize=address'
...
g++ -ggdb -fsanitize=address -DHAVE_CONFIG2_H   -fsigned-char -fno-rtti -fno-exceptions -ansi -pedantic -Wall -W -Wextra   sam2p_main.cpp appliers.cpp crc32.c out_gif.cpp in_ps.cpp in_tga.cpp in_pnm.cpp in_bmp.cpp in_gif.cpp in_lbm.cpp in_xpm.cpp mapping.cpp in_pcx.cpp in_jai.cpp in_png.cpp in_jpeg.cpp in_tiff.cpp rule.cpp minips.cpp encoder.cpp pts_lzw.c pts_fax.c pts_defl.c error.cpp image.cpp gensio.cpp snprintf.c gensi.cpp -o sam2p.yes
$ ./sam2p.yes 011-freenomalloc-minips EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p.yes: Notice: job: read InputFile: 011-freenomalloc-minips
sam2p.yes: Notice: writeTTT: using template: l23ind1
sam2p.yes: Notice: applyProfile: applied OutputRule #9 using applier PSL23+PDF
sam2p.yes: Notice: job: written OutputFile: /dev/null
Success.

I'm closing this issue for now. Feel free to reopen it if you have more information on how this can be reproduced.

@pts pts closed this as completed Sep 17, 2018
@pts pts added the more info needed to reproduce This issue is blocked on more information from the reporter or from contributors. label Sep 17, 2018