Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.
Fuzzing with the upstream security policy enabled revealed a memory allocation failure: ReadPCXImage requests a pixel buffer of roughly 41 GB from AcquireMagickMemory, and the allocation fails.
The complete ASan output:
# identify $FILE
==14275==ERROR: AddressSanitizer failed to allocate 0x99ad49000 (41252327424) bytes of LargeMmapAllocator (error code: 12)
==14275==Process memory map follows:
0x000000400000-0x000000520000 /usr/bin/magick
0x000000720000-0x000000721000 /usr/bin/magick
0x000000721000-0x000000724000 /usr/bin/magick
0x000000724000-0x000001397000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x602000000000
0x602000000000-0x602000010000
0x602000010000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x606000000000
0x606000000000-0x606000010000
0x606000010000-0x607000000000
0x607000000000-0x607000010000
0x607000010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x60a000000000
0x60a000000000-0x60a000020000
0x60a000020000-0x60b000000000
0x60b000000000-0x60b000010000
0x60b000010000-0x60c000000000
0x60c000000000-0x60c000010000
0x60c000010000-0x60e000000000
0x60e000000000-0x60e000010000
0x60e000010000-0x60f000000000
0x60f000000000-0x60f000010000
0x60f000010000-0x610000000000
0x610000000000-0x610000010000
0x610000010000-0x611000000000
0x611000000000-0x611000010000
0x611000010000-0x612000000000
0x612000000000-0x612000010000
0x612000010000-0x614000000000
0x614000000000-0x614000020000
0x614000020000-0x615000000000
0x615000000000-0x615000020000
0x615000020000-0x616000000000
0x616000000000-0x616000020000
0x616000020000-0x618000000000
0x618000000000-0x618000020000
0x618000020000-0x619000000000
0x619000000000-0x619000020000
0x619000020000-0x61a000000000
0x61a000000000-0x61a000020000
0x61a000020000-0x61b000000000
0x61b000000000-0x61b000020000
0x61b000020000-0x61d000000000
0x61d000000000-0x61d000020000
0x61d000020000-0x621000000000
0x621000000000-0x621000020000
0x621000020000-0x622000000000
0x622000000000-0x622000020000
0x622000020000-0x623000000000
0x623000000000-0x623000020000
0x623000020000-0x624000000000
0x624000000000-0x624000020000
0x624000020000-0x625000000000
0x625000000000-0x625000020000
0x625000020000-0x627000000000
0x627000000000-0x627000030000
0x627000030000-0x629000000000
0x629000000000-0x629000010000
0x629000010000-0x640000000000
0x640000000000-0x640000003000
0x7fe564f76000-0x7fe564f8d000 /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
0x7fe564f8d000-0x7fe56518c000 /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
0x7fe56518c000-0x7fe56518d000 /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
0x7fe56518d000-0x7fe56518e000 /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
0x7fe56518e000-0x7fe56b800000 /usr/lib64/locale/locale-archive
0x7fe56b800000-0x7fe56b900000
0x7fe56ba00000-0x7fe56bb00000
0x7fe56bbe6000-0x7fe56df38000
0x7fe56df38000-0x7fe56df5f000 /usr/lib64/libexpat.so.1.6.0
0x7fe56df5f000-0x7fe56e15e000 /usr/lib64/libexpat.so.1.6.0
0x7fe56e15e000-0x7fe56e161000 /usr/lib64/libexpat.so.1.6.0
0x7fe56e161000-0x7fe56e162000 /usr/lib64/libexpat.so.1.6.0
0x7fe56e162000-0x7fe56e297000 /usr/lib64/libglib-2.0.so.0.4600.2
0x7fe56e297000-0x7fe56e497000 /usr/lib64/libglib-2.0.so.0.4600.2
0x7fe56e497000-0x7fe56e498000 /usr/lib64/libglib-2.0.so.0.4600.2
0x7fe56e498000-0x7fe56e499000 /usr/lib64/libglib-2.0.so.0.4600.2
0x7fe56e499000-0x7fe56e49a000
0x7fe56e49a000-0x7fe56e4a3000 /usr/lib64/libltdl.so.7.3.1
0x7fe56e4a3000-0x7fe56e6a2000 /usr/lib64/libltdl.so.7.3.1
0x7fe56e6a2000-0x7fe56e6a3000 /usr/lib64/libltdl.so.7.3.1
0x7fe56e6a3000-0x7fe56e6a4000 /usr/lib64/libltdl.so.7.3.1
0x7fe56e6a4000-0x7fe56e6b9000 /lib64/libz.so.1.2.8
0x7fe56e6b9000-0x7fe56e8b8000 /lib64/libz.so.1.2.8
0x7fe56e8b8000-0x7fe56e8b9000 /lib64/libz.so.1.2.8
0x7fe56e8b9000-0x7fe56e8ba000 /lib64/libz.so.1.2.8
0x7fe56e8ba000-0x7fe56e8c9000 /lib64/libbz2.so.1.0.6
0x7fe56e8c9000-0x7fe56eac8000 /lib64/libbz2.so.1.0.6
0x7fe56eac8000-0x7fe56eac9000 /lib64/libbz2.so.1.0.6
0x7fe56eac9000-0x7fe56eaca000 /lib64/libbz2.so.1.0.6
0x7fe56eaca000-0x7fe56eb71000 /usr/lib64/libfreetype.so.6.12.3
0x7fe56eb71000-0x7fe56ed71000 /usr/lib64/libfreetype.so.6.12.3
0x7fe56ed71000-0x7fe56ed77000 /usr/lib64/libfreetype.so.6.12.3
0x7fe56ed77000-0x7fe56ed78000 /usr/lib64/libfreetype.so.6.12.3
0x7fe56ed78000-0x7fe56edb3000 /usr/lib64/libfontconfig.so.1.8.0
0x7fe56edb3000-0x7fe56efb2000 /usr/lib64/libfontconfig.so.1.8.0
0x7fe56efb2000-0x7fe56efb4000 /usr/lib64/libfontconfig.so.1.8.0
0x7fe56efb4000-0x7fe56efb5000 /usr/lib64/libfontconfig.so.1.8.0
0x7fe56efb5000-0x7fe56f1aa000 /usr/lib64/libfftw3.so.3.4.4
0x7fe56f1aa000-0x7fe56f3a9000 /usr/lib64/libfftw3.so.3.4.4
0x7fe56f3a9000-0x7fe56f3bd000 /usr/lib64/libfftw3.so.3.4.4
0x7fe56f3bd000-0x7fe56f3be000 /usr/lib64/libfftw3.so.3.4.4
0x7fe56f3be000-0x7fe56f3cc000 /usr/lib64/liblqr-1.so.0.3.2
0x7fe56f3cc000-0x7fe56f5cb000 /usr/lib64/liblqr-1.so.0.3.2
0x7fe56f5cb000-0x7fe56f5cc000 /usr/lib64/liblqr-1.so.0.3.2
0x7fe56f5cc000-0x7fe56f5cd000 /usr/lib64/liblqr-1.so.0.3.2
0x7fe56f5cd000-0x7fe56f620000 /usr/lib64/liblcms2.so.2.0.6
0x7fe56f620000-0x7fe56f820000 /usr/lib64/liblcms2.so.2.0.6
0x7fe56f820000-0x7fe56f821000 /usr/lib64/liblcms2.so.2.0.6
0x7fe56f821000-0x7fe56f826000 /usr/lib64/liblcms2.so.2.0.6
0x7fe56f826000-0x7fe56f9b9000 /lib64/libc-2.22.so
0x7fe56f9b9000-0x7fe56fbb9000 /lib64/libc-2.22.so
0x7fe56fbb9000-0x7fe56fbbd000 /lib64/libc-2.22.so
0x7fe56fbbd000-0x7fe56fbbf000 /lib64/libc-2.22.so
0x7fe56fbbf000-0x7fe56fbc3000
0x7fe56fbc3000-0x7fe56fbd9000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
0x7fe56fbd9000-0x7fe56fdd8000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
0x7fe56fdd8000-0x7fe56fdd9000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
0x7fe56fdd9000-0x7fe56fdda000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
0x7fe56fdda000-0x7fe56fde0000 /lib64/librt-2.22.so
0x7fe56fde0000-0x7fe56ffe0000 /lib64/librt-2.22.so
0x7fe56ffe0000-0x7fe56ffe1000 /lib64/librt-2.22.so
0x7fe56ffe1000-0x7fe56ffe2000 /lib64/librt-2.22.so
0x7fe56ffe2000-0x7fe56fff9000 /lib64/libpthread-2.22.so
0x7fe56fff9000-0x7fe5701f8000 /lib64/libpthread-2.22.so
0x7fe5701f8000-0x7fe5701f9000 /lib64/libpthread-2.22.so
0x7fe5701f9000-0x7fe5701fa000 /lib64/libpthread-2.22.so
0x7fe5701fa000-0x7fe5701fe000
0x7fe5701fe000-0x7fe5702fb000 /lib64/libm-2.22.so
0x7fe5702fb000-0x7fe5704fa000 /lib64/libm-2.22.so
0x7fe5704fa000-0x7fe5704fb000 /lib64/libm-2.22.so
0x7fe5704fb000-0x7fe5704fc000 /lib64/libm-2.22.so
0x7fe5704fc000-0x7fe5704fe000 /lib64/libdl-2.22.so
0x7fe5704fe000-0x7fe5706fe000 /lib64/libdl-2.22.so
0x7fe5706fe000-0x7fe5706ff000 /lib64/libdl-2.22.so
0x7fe5706ff000-0x7fe570700000 /lib64/libdl-2.22.so
0x7fe570700000-0x7fe570bc6000 /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
0x7fe570bc6000-0x7fe570dc5000 /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
0x7fe570dc5000-0x7fe570dda000 /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
0x7fe570dda000-0x7fe570e1c000 /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
0x7fe570e1c000-0x7fe5719af000 /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
0x7fe5719af000-0x7fe571bae000 /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
0x7fe571bae000-0x7fe571be7000 /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
0x7fe571be7000-0x7fe571c59000 /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
0x7fe571c59000-0x7fe571c5c000
0x7fe571c5c000-0x7fe571c7e000 /lib64/ld-2.22.so
0x7fe571cf9000-0x7fe571da4000
0x7fe571da4000-0x7fe571dc7000 /usr/share/locale/it/LC_MESSAGES/libc.mo
0x7fe571dc7000-0x7fe571e70000
0x7fe571e70000-0x7fe571e7d000
0x7fe571e7d000-0x7fe571e7e000 /lib64/ld-2.22.so
0x7fe571e7e000-0x7fe571e7f000 /lib64/ld-2.22.so
0x7fe571e7f000-0x7fe571e80000
0x7ffddcca3000-0x7ffddccc4000 [stack]
0x7ffddcd4d000-0x7ffddcd4f000 [vvar]
0x7ffddcd4f000-0x7ffddcd51000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==14275==End of process memory map.
==14275==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
#0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
#1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
#2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
#3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
#4 0x42208f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
#5 0x42208f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
#6 0x42208f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
#7 0x42208f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
#8 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
#9 0x7fe5713b3b3b in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:460:10
#10 0x7fe5713b3b3b in AcquireVirtualMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:642
#11 0x7fe564f7af95 in ReadPCXImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/pcx.c:400:16
#12 0x7fe571087b12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
#13 0x7fe57181f406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
#14 0x7fe5710865ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
#15 0x7fe571086e25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
#16 0x7fe57090c4c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
#17 0x7fe5709a226a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
#18 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
#19 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
#20 0x7fe56f84661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#21 0x419138 in _init (/usr/bin/magick+0x419138)
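The trace above ends in malloc being handed a size computed from header fields of the input file. The following is an added illustration of the defensive pattern that prevents this class of failure; it is not ImageMagick's code and not the upstream fix. It assumes a PCX-style header with width, height, bits per pixel, plane count and bytes per line, all untrusted, and a constructed 256 MiB budget standing in for the kind of resource limit a security policy would impose. The naive variant is shown beside the checked one so the difference is visible on the same inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed memory budget for a single decoded image; the real ceiling in
 * ImageMagick comes from the resource limits in its security policy. */
#define MAX_PIXEL_BUFFER_BYTES (256ULL * 1024 * 1024)   /* 256 MiB */

/* Naive size computation: the product of header fields an attacker controls.
 * Computing in 64 bits prevents wraparound, but a tiny file can still request
 * tens of gigabytes, which is the failure mode in the ASan trace above. */
uint64_t naive_buffer_size(uint32_t height, uint32_t planes, uint32_t bytes_per_line)
{
    return (uint64_t)height * planes * bytes_per_line;
}

/* Multiply two 64-bit values, reporting overflow instead of wrapping. */
static int mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened size computation. Rejects zero fields, a bytes_per_line too short
 * to hold one row of pixels, arithmetic overflow, and any request above the
 * budget. Returns the byte count to allocate, or 0 when the header is rejected. */
uint64_t checked_buffer_size(uint32_t width, uint32_t height, uint32_t bits_per_pixel,
                             uint32_t planes, uint32_t bytes_per_line)
{
    uint64_t row_bits, line_bits, rows, total;

    if (width == 0 || height == 0 || bits_per_pixel == 0 || planes == 0 || bytes_per_line == 0)
        return 0;
    /* Consistency: one scanline (bytes_per_line * 8 bits) must cover width * bpp bits. */
    if (!mul_u64_checked(width, bits_per_pixel, &row_bits) ||
        !mul_u64_checked(bytes_per_line, 8, &line_bits) || line_bits < row_bits)
        return 0;
    if (!mul_u64_checked(height, planes, &rows) ||
        !mul_u64_checked(rows, bytes_per_line, &total))
        return 0;
    if (total > MAX_PIXEL_BUFFER_BYTES)
        return 0;
    return total;
}

/* Allocation wrapper: malloc is only reached with a validated, bounded size. */
unsigned char *allocate_pixel_buffer(uint32_t width, uint32_t height, uint32_t bits_per_pixel,
                                     uint32_t planes, uint32_t bytes_per_line)
{
    uint64_t n = checked_buffer_size(width, height, bits_per_pixel, planes, bytes_per_line);
    if (n == 0)
        return NULL;
    return (unsigned char *)malloc((size_t)n);
}

int main(void)
{
    /* Constructed sample headers: a plausible 640x480 8-bit image, and one whose
     * fields sit at the 16-bit maximum a malformed file could carry. */
    printf("sane:    naive=%llu checked=%llu\n",
           (unsigned long long)naive_buffer_size(480, 1, 640),
           (unsigned long long)checked_buffer_size(640, 480, 8, 1, 640));
    printf("hostile: naive=%llu checked=%llu\n",
           (unsigned long long)naive_buffer_size(65535, 4, 65535),
           (unsigned long long)checked_buffer_size(65535, 65535, 8, 4, 65535));
    unsigned char *buf = allocate_pixel_buffer(65535, 65535, 8, 4, 65535);
    printf("hostile allocation refused: %s\n", buf == NULL ? "yes" : "no");
    free(buf);
    return 0;
}
```

The point of the wrapper is ordering: the budget comparison happens on the computed size, before any call into the allocator, so a hostile header is rejected with a clean error instead of reaching malloc with a request the process can never satisfy.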
Affected version:
7.0.3.2
Fixed version:
7.0.3.3
Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/aea6c6507f55632829e6432f8177a084a57c9fcc
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-8862
Timeline:
2016-09-14: bug discovered
2016-09-14: bug reported to upstream
2016-10-07: upstream released a patch
2016-10-08: upstream released 7.0.3.3
2016-10-17: blog post about the issue
2016-10-20: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
imagemagick: memory allocation failure in AcquireMagickMemory (memory.c)