Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.
A fuzz on an updated version revealed another overflow.
The complete ASan output:
# identify $FILE ================================================================= ==696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009700 at pc 0x7f300036c9a3 bp 0x7fff6e225970 sp 0x7fff6e225968 READ of size 4 at 0x611000009700 thread T0 #0 0x7f300036c9a2 in IsPixelGray /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/./MagickCore/pixel-accessor.h:507:30 #1 0x7f300036c9a2 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:677 #2 0x7f300036f0dd in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:821:7 #3 0x7f300090c1da in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/identify.c:527:8 #4 0x7f2fff364075 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/identify.c:336:22 #5 0x7f2fff4afeca in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/mogrify.c:183:14 #6 0x50a339 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:145:10 #7 0x50a339 in main /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:176 #8 0x7f2ffd99c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #9 0x419d28 in _init (/usr/bin/magick+0x419d28) 0x611000009700 is located 0 bytes to the right of 192-byte region [0x611000009640,0x611000009700) allocated by thread T0 here: #0 0x4d3685 in posix_memalign /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130 #1 0x7f3000a466b0 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/memory.c:258:7 #2 0x7f300043addf in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:4636:33 #3 0x7f3000402030 in SetPixelCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:4748:14 #4 0x7f30003e7d2d in GetVirtualPixelsFromNexus /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:2629:10 #5 0x7f3000444e53 in GetCacheViewVirtualPixels /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache-view.c:664:10 #6 0x7f300036b27c in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:672:7 #7 0x7f300036f0dd in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:821:7 #8 0x7f300090c1da in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/identify.c:527:8 #9 0x7f2fff364075 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/identify.c:336:22 #10 0x7f2fff4afeca in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/mogrify.c:183:14 #11 0x50a339 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:145:10 #12 0x50a339 in main /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:176 #13 0x7f2ffd99c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/./MagickCore/pixel-accessor.h:507:30 in IsPixelGray Shadow bytes around the buggy address: 0x0c227fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff92c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c227fff92d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c227fff92e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fff9300: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c227fff9310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c227fff9320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==696==ABORTING
Affected version:
7.0.3.6
Fixed version:
7.0.3.8
Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/ce98a7acbcfca7f0a178f4b1e7b957e419e0cc99
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9556
Reproducer:
https://github.com/asarubbo/poc/blob/master/00051-imagemagick-heapoverflow-IsPixelGray
Timeline:
2016-11-16: bug discovered and reported to upstream
2016-11-17: upstream released a patch
2016-11-19: blog post about the issue
2016-11-23: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h)
Pingback: SB17-086: Vulnerability Summary for the Week of March 20, 2017 – BuzzSec