Bug 2655 - Out-of-bound read and write issue that can occur in function put1bitbwtile() (tiff-4.0.7/libtiff/tif_getimage.c:1352), called by tifftopnm (netpbm 10.47.63).
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Target Milestone: ---
Keywords: migrated_to_gitlab
Reported: 2017-01-05 21:24 by
Modified: 2019-10-01 14:20


Attachments
a report and a poc of this issue (320.38 KB, application/zip), 2017-01-05 21:24, chunibalon

Description From 2017-01-05 21:24:12
Created an attachment (id=741): a report and a poc of this issue

Recently, I fuzzed tifftopnm (netpbm 10.47.63) and it crashed in
put1bitbwtile() (tif_getimage.c:1352) of tiff-4.0.7.
I checked the bug reports and found an issue in the same
file (http://bugzilla.maptools.org/show_bug.cgi?id=2652), but the call stack is
different, so I think it is not the same issue.
The crash information is as follows:
Starting program:
/home/kirito/Desktop/fuzz/netpbm/test_libtiff407/gdb_test/tifftopnm
'/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif'
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 64 (0x40) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 72 (0x48) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 29554 (0x7372) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28751 (0x704f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 25956 (0x6564) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27949 (0x6d2d) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag
ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
tifftopnm: writing PBM file
P4
32811 73
tifftopnm: WARNING: This TIFF image has an orientation that most TIFF libraries
converts incorrectly.  Use -byrow to circumvent.
TIFFFillStrip: Read error on strip 0; got 624 bytes, expected 8190.


[----------------------------------registers-----------------------------------]
RAX: 0x49 ('I')
RBX: 0x2e4 
RCX: 0x48 ('H')
RDX: 0x48 ('H')
RSI: 0x7ffff69b8070 --> 0x0 
RDI: 0x7fffffffaca0 --> 0x621330 --> 0x621768
("/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif")
RBP: 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140
--> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
RSP: 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140
--> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
RIP: 0x7ffff7b83bea (<put1bitbwtile+60>:    mov    eax,DWORD PTR [rbp-0x3c])
R8 : 0x802b 
R9 : 0x49 ('I')
R10: 0x1 
R11: 0x246 
R12: 0x0 
R13: 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b83bdf <put1bitbwtile+49>:    sar    eax,0x3
   0x7ffff7b83be2 <put1bitbwtile+52>:    mov    DWORD PTR [rbp+0x10],eax
   0x7ffff7b83be5 <put1bitbwtile+55>:    jmp    0x7ffff7b83e45 <put1bitbwtile+663>
=> 0x7ffff7b83bea <put1bitbwtile+60>:    mov    eax,DWORD PTR [rbp-0x3c]
   0x7ffff7b83bed <put1bitbwtile+63>:    mov    DWORD PTR [rbp-0x14],eax
   0x7ffff7b83bf0 <put1bitbwtile+66>:    jmp    0x7ffff7b83d01 <put1bitbwtile+339>
   0x7ffff7b83bf5 <put1bitbwtile+71>:    mov    rax,QWORD PTR [rbp+0x20]
   0x7ffff7b83bf9 <put1bitbwtile+75>:    lea    rdx,[rax+0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140
--> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
0008| 0x7fffffffab28 --> 0x7ffff7b82aaa (<gtStripContig+962>:    add    rsp,0x20)
0016| 0x7fffffffab30 --> 0x0 
0024| 0x7fffffffab38 --> 0xfffeffaa 
0032| 0x7fffffffab40 --> 0x625060 --> 0x0 
0040| 0x7fffffffab48 --> 0x7ffff7b829d4 (<gtStripContig+748>:    cmp    rax,0xffffffffffffffff)
0048| 0x7fffffffab50 --> 0x0 
0056| 0x7fffffffab58 --> 0x802b00000049 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, put1bitbwtile (img=0x7fffffffaca0, cp=0x7ffff69b8070, x=0x0, y=0x48, w=0x802b, h=0x48, fromskew=0x0, toskew=0xfffeffaa, pp=0x625060 "") at tif_getimage.c:1352
1352        UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
gdb-peda$ p h
$30 = 0x48
gdb-peda$ p w
$31 = 0x802b
gdb-peda$ p cp
$32 = (uint32 *) 0x7ffff69b8070
gdb-peda$ p pp
$33 = (unsigned char *) 0x625060 ""
gdb-peda$ dis
gdb-peda$ c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x642000 ('')
RBX: 0x2e4 
RCX: 0x623070 --> 0xff000000ff000000 
RDX: 0x642001 
RSI: 0x7ffff69b8070 --> 0xff000000ff000000 
RDI: 0x7fffffffaca0 --> 0x621330 --> 0x621768
("/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif")
RBP: 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140
--> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
RSP: 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140
--> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
RIP: 0x7ffff7b83c01 (<put1bitbwtile+83>:    movzx  eax,BYTE PTR [rax])
R8 : 0x802b 
R9 : 0x49 ('I')
R10: 0x1 
R11: 0x246 
R12: 0x0 
R13: 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b83bf5 <put1bitbwtile+71>:    mov    rax,QWORD PTR [rbp+0x20]
   0x7ffff7b83bf9 <put1bitbwtile+75>:    lea    rdx,[rax+0x1]
   0x7ffff7b83bfd <put1bitbwtile+79>:    mov    QWORD PTR [rbp+0x20],rdx
=> 0x7ffff7b83c01 <put1bitbwtile+83>:    movzx  eax,BYTE PTR [rax]
   0x7ffff7b83c04 <put1bitbwtile+86>:    movzx  eax,al
   0x7ffff7b83c07 <put1bitbwtile+89>:    lea    rdx,[rax*8+0x0]
   0x7ffff7b83c0f <put1bitbwtile+97>:    mov    rax,QWORD PTR [rbp-0x8]
   0x7ffff7b83c13 <put1bitbwtile+101>:    add    rax,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140
--> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
0008| 0x7fffffffab28 --> 0x7ffff7b82aaa (<gtStripContig+962>:    add    rsp,0x20)
0016| 0x7fffffffab30 --> 0x0 
0024| 0x7fffffffab38 --> 0xfffeffaa 
0032| 0x7fffffffab40 --> 0x642001 
0040| 0x7fffffffab48 --> 0x7ffff7b829d4 (<gtStripContig+748>:    cmp    rax,0xffffffffffffffff)
0048| 0x7fffffffab50 --> 0x0 
0056| 0x7fffffffab58 --> 0x802b00000049 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b83c01 in put1bitbwtile (img=0x7fffffffaca0, cp=0x7ffff6654ca0, x=0x0, y=0x48, w=0x802b, h=0x2c, fromskew=0x0, toskew=0xfffeffaa, pp=0x642001 <error: Cannot access memory at address 0x642001>) at tif_getimage.c:1352
1352        UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
gdb-peda$ p h
$34 = 0x2c
gdb-peda$ p w
$35 = 0x802b
gdb-peda$ p cp
$36 = (uint32 *) 0x7ffff6654ca0
gdb-peda$ p pp
$37 = (unsigned char *) 0x642001 <error: Cannot access memory at address 0x642001>
gdb-peda$ bt
#0  0x00007ffff7b83c01 in put1bitbwtile (img=0x7fffffffaca0, cp=0x7ffff6654ca0, x=0x0, y=0x48, w=0x802b, h=0x2c, fromskew=0x0, toskew=0xfffeffaa, pp=0x642001 <error: Cannot access memory at address 0x642001>) at tif_getimage.c:1352
#1  0x00007ffff7b82aaa in gtStripContig (img=0x7fffffffaca0, raster=0x7ffff60b5010, w=0x802b, h=0x49) at tif_getimage.c:964
#2  0x00007ffff7b8163c in TIFFRGBAImageGet (img=0x7fffffffaca0, raster=0x7ffff60b5010, w=0x802b, h=0x49) at tif_getimage.c:516
#3  0x0000000000404d3b in convertRasterInMemory (pnmOutP=0x7fffffffb270, maxval=0x1, tif=0x621330, photomet=0x1, planarconfig=0x1, bps=0x1, spp=0x1, fillorder=0x1, colormap=0x7fffffffb2c0, verbose=0x0, statusP=0x7fffffffb1b4) at tifftopnm.c:1496
#4  0x0000000000404e74 in convertRaster (pnmOutP=0x7fffffffb270, tifP=0x621330, tiffDir=..., maxval=0x1, fillorder=0x1, colormap=0x7fffffffb2c0, byrow=0x0, flipOk=0x1, noflipOk=0x0, verbose=0x0) at tifftopnm.c:1530
#5  0x000000000040510f in convertImage (tifP=0x621330, alphaFileP=0x0, imageoutFileP=0x7ffff7844620 <_IO_2_1_stdout_>, cmdline=...) at tifftopnm.c:1590
#6  0x00000000004051b1 in convertIt (tifP=0x621330, alphaFile=0x0, imageoutFile=0x7ffff7844620 <_IO_2_1_stdout_>, cmdline=...) at tifftopnm.c:1616
#7  0x0000000000405317 in main (argc=0x2, argv=0x7fffffffe4f8) at tifftopnm.c:1659
#8  0x00007ffff74a0830 in __libc_start_main (main=0x4051de <main>, argc=0x2, argv=0x7fffffffe4f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4e8) at ../csu/libc-start.c:291
#9  0x0000000000401f69 in _start ()

Attachment is a zip of a report and a poc.
------- Comment #1 From 2017-01-07 02:01:15 -------
I tested the CVS version of libtiff (https://github.com/vadz/libtiff) and the
segmentation fault still exists.
##################################################
gdb-peda$ run '/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif'
Starting program: /home/kirito/Desktop/fuzz/netpbm/test_libtiffCVS/tifftopnm
'/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif'
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 64 (0x40) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 72 (0x48) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 29554 (0x7372) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28751 (0x704f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 25956 (0x6564) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27949 (0x6d2d) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag
ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
tifftopnm: writing PBM file
P4
32811 73
tifftopnm: WARNING: This TIFF image has an orientation that most TIFF libraries
converts incorrectly.  Use -byrow to circumvent.
TIFFFillStrip: Read error on strip 0; got 624 bytes, expected 8190.

Program received signal SIGSEGV, Segmentation fault.


[----------------------------------registers-----------------------------------]
RAX: 0x687000 ('')
RBX: 0x2e4 
RCX: 0x668070 --> 0xff000000ff000000 
RDX: 0x687001 
RSI: 0x7ffff69ac070 --> 0xff000000ff000000 
RDI: 0x7fffffffae60 --> 0x666330 --> 0x666768
("/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif")
RBP: 0x7fffffffac30 --> 0x7fffffffad10 --> 0x7fffffffad40 --> 0x248c43 
RSP: 0x7fffffffac30 --> 0x7fffffffad10 --> 0x7fffffffad40 --> 0x248c43 
RIP: 0x7ffff7b77d63 (<put1bitbwtile+83>:    movzx  eax,BYTE PTR [rax])
R8 : 0x802b 
R9 : 0x49 ('I')
R10: 0x1 
R11: 0x246 
R12: 0x49 ('I')
R13: 0x802b 
R14: 0x6 
R15: 0x7ffff60a9010 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b77d57 <put1bitbwtile+71>:    mov    rax,QWORD PTR [rbp+0x20]
   0x7ffff7b77d5b <put1bitbwtile+75>:    lea    rdx,[rax+0x1]
   0x7ffff7b77d5f <put1bitbwtile+79>:    mov    QWORD PTR [rbp+0x20],rdx
=> 0x7ffff7b77d63 <put1bitbwtile+83>:    movzx  eax,BYTE PTR [rax]
   0x7ffff7b77d66 <put1bitbwtile+86>:    movzx  eax,al
   0x7ffff7b77d69 <put1bitbwtile+89>:    lea    rdx,[rax*8+0x0]
   0x7ffff7b77d71 <put1bitbwtile+97>:    mov    rax,QWORD PTR [rbp-0x8]
   0x7ffff7b77d75 <put1bitbwtile+101>:    add    rax,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffac30 --> 0x7fffffffad10 --> 0x7fffffffad40 --> 0x248c43 
0008| 0x7fffffffac38 --> 0x7ffff7b76c0c (<gtStripContig+962>:    add    rsp,0x20)
0016| 0x7fffffffac40 --> 0x0 
0024| 0x7fffffffac48 --> 0xfffeffaa 
0032| 0x7fffffffac50 --> 0x687001 
0040| 0x7fffffffac58 --> 0x7ffff7b76b36 (<gtStripContig+748>:    cmp    rax,0xffffffffffffffff)
0048| 0x7fffffffac60 --> 0x0 
0056| 0x7fffffffac68 --> 0x802b00000049 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b77d63 in put1bitbwtile (img=0x7fffffffae60, cp=0x7ffff6648ca0, x=0x0, y=0x48, w=0x802b, h=0x2c, fromskew=0x0, toskew=0xfffeffaa, pp=0x687001 <error: Cannot access memory at address 0x687001>) at tif_getimage.c:1349
1349        UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
gdb-peda$ bt
#0  0x00007ffff7b77d63 in put1bitbwtile (img=0x7fffffffae60, cp=0x7ffff6648ca0, x=0x0, y=0x48, w=0x802b, h=0x2c, fromskew=0x0, toskew=0xfffeffaa, pp=0x687001 <error: Cannot access memory at address 0x687001>) at tif_getimage.c:1349
#1  0x00007ffff7b76c0c in gtStripContig (img=0x7fffffffae60, raster=0x7ffff60a9010, w=0x802b, h=0x49) at tif_getimage.c:961
#2  0x00007ffff7b7579e in TIFFRGBAImageGet (img=0x7fffffffae60, raster=0x7ffff60a9010, w=0x802b, h=0x49) at tif_getimage.c:513
#3  0x000000000040f711 in convertRasterInMemory (statusP=<synthetic pointer>, verbose=0x0, colormap=0x7fffffffaef0, fillorder=0x1, spp=0x1, bps=0x1, planarconfig=0x1, photomet=0x1, tif=0x666330, maxval=0x1, pnmOutP=0x7fffffffae10) at tifftopnm.c:1496
#4  convertRaster (verbose=0x0, noflipOk=0x0, flipOk=<optimized out>, byrow=0x0, colormap=0x7fffffffaef0, fillorder=0x1, maxval=0x1, tiffDir=..., tifP=0x666330, pnmOutP=0x7fffffffae10) at tifftopnm.c:1530
#5  convertImage (tifP=tifP@entry=0x666330, alphaFileP=alphaFileP@entry=0x0, imageoutFileP=imageoutFileP@entry=0x7ffff7838620 <_IO_2_1_stdout_>, cmdline=...) at tifftopnm.c:1590
#6  0x000000000040267e in convertIt (cmdline=..., imageoutFile=0x7ffff7838620 <_IO_2_1_stdout_>, alphaFile=0x0, tifP=0x666330) at tifftopnm.c:1616
#7  main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe508) at tifftopnm.c:1659
#8  0x00007ffff7494830 in __libc_start_main (main=0x4020c0 <main>, argc=0x2, argv=0x7fffffffe508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4f8) at ../csu/libc-start.c:291
#9  0x0000000000402d99 in _start ()
------- Comment #2 From 2017-01-11 08:07:43 -------
Cannot reproduce on Ubuntu 1604 with netpbm 10.0-15.3 and libtiff 4.0.6-1 or
libtiff CVS HEAD (post 4.0.7)

I also tried "tiff2rgba 000009.tif out.tif" and it doesn't crash.

In your analysis you mention "Tifftopnm calls this API with illegal
arguments.". If that's the case, this is a tifftopnm issue. libtiff assumes in
a number of places that it is correctly called.
------- Comment #3 From 2017-01-11 09:04:03 -------
(In reply to comment #2)
> Cannot reproduce on Ubuntu 1604 with netpbm 10.0-15.3 and libtiff 4.0.6-1 or
> libtiff CVS HEAD (post 4.0.7)
> 
> I also tried "tiff2rgba 000009.tif out.tif" and it doesn't crash.
> 
> In your analysis you mention "Tifftopnm calls this API with illegal
> arguments.". If that's the case, this is a tifftopnm issue. libtiff assumes in
> a number of places that it is correctly called.

My update is in http://bugzilla.maptools.org/show_bug.cgi?id=2654 and please
check it :)
------- Comment #4 From 2017-01-16 03:44:15 -------
Same issue as http://bugzilla.maptools.org/show_bug.cgi?id=2654: tifftopnm
assumes that libtiff will do image transposition.
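To make the size mismatch in the backtraces above and the transposition point in comment #4 concrete, here is an editor-added pre-flight check (not libtiff or netpbm code): it computes how many strip bytes the 1-bit contiguous put loop will read for the w/h it is handed and compares that with what the strip actually holds. Function names are hypothetical; the "73 pixels wide, 819 rows per strip" geometry of the sample file is an assumption derived from the 8190-byte strip size in the log.

```c
/* Editor-added example, not code from libtiff or netpbm.
 * put1bitbwtile() consumes ceil(w / 8) bytes of strip data per row via
 * UNROLL8, then skips fromskew / 8 bytes, for h rows.  tifftopnm passed the
 * post-transposition output size (w=0x802b=32811, h=0x49=73) instead of the
 * file's own geometry, so the loop runs far past the strip buffer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STRIP_BYTES_EXPECTED 8190u   /* "expected 8190" in the TIFFFillStrip message */
#define STRIP_BYTES_GOT      624u    /* "got 624 bytes" in the same message */

/* Strip bytes the 1-bit contiguous put loop dereferences for h rows of w
 * pixels, each row followed by a fromskew-pixel skip.  UINT64_MAX on overflow. */
static uint64_t put1bit_bytes_needed(uint32_t w, uint32_t h, uint32_t fromskew)
{
    uint64_t skip = (uint64_t)fromskew / 8;
    uint64_t row  = ((uint64_t)w + 7) / 8 + skip;
    if (h == 0)
        return 0;
    if (row > UINT64_MAX / h)
        return UINT64_MAX;
    /* the skip after the final row is pointer arithmetic only, never read */
    return row * h - skip;
}

/* True when the loop stays inside the avail bytes actually present. */
static bool put1bit_fits(uint32_t w, uint32_t h, uint32_t fromskew, uint64_t avail)
{
    return put1bit_bytes_needed(w, h, fromskew) <= avail;
}

int main(void)
{
    /* The dimensions gtStripContig was called with in the backtrace. */
    printf("transposed request: needs %llu bytes, strip holds %u, read %u -> %s\n",
           (unsigned long long)put1bit_bytes_needed(0x802b, 0x49, 0),
           STRIP_BYTES_EXPECTED, STRIP_BYTES_GOT,
           put1bit_fits(0x802b, 0x49, 0, STRIP_BYTES_GOT) ? "ok" : "REJECT");
    /* Assumed native geometry: 73 pixels wide, 819 rows per strip. */
    printf("native request: needs %llu bytes -> %s\n",
           (unsigned long long)put1bit_bytes_needed(73, 819, 0),
           put1bit_fits(73, 819, 0, STRIP_BYTES_EXPECTED) ? "ok" : "REJECT");
    return 0;
}
```

The transposed request needs 299446 bytes against a strip of at most 8190, which is the gap the SIGSEGV walks into; the check belongs in the caller before TIFFRGBAImageGet, since libtiff itself assumes the caller's w/h match the file.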
------- Comment #5 From 2017-02-02 03:17:25 -------
Use CVE-2017-5849 for both 2654 and 2655.

http://www.openwall.com/lists/oss-security/2017/02/02/2
------- Comment #6 From 2019-10-01 14:20:14 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.