{"id":2016,"date":"2017-08-14T20:10:42","date_gmt":"2017-08-14T18:10:42","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=2016"},"modified":"2017-08-21T08:51:01","modified_gmt":"2017-08-21T06:51:01","slug":"openjpeg-memory-allocation-failure-in-opj_aligned_alloc_n-opj_malloc-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/08\/14\/openjpeg-memory-allocation-failure-in-opj_aligned_alloc_n-opj_malloc-c\/","title":{"rendered":"openjpeg: memory allocation failure in opj_aligned_alloc_n (opj_malloc.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.openjpeg.org\">openjpeg<\/a> is an open-source JPEG 2000 library.<\/p>\n<p>The complete ASan output of the issue:<\/p>\n<pre><font size=\"2\"># opj_compress -n 1 -i $FILE -o null.j2c\r\n==78690==ERROR: AddressSanitizer failed to allocate 0x5ea7983000 (406538694656) bytes of LargeMmapAllocator (error code: 12)\r\n==78690==Process memory map follows:\r\n        0x000000400000-0x0000005a6000   \/usr\/bin\/opj_compress\r\n        0x0000007a5000-0x0000007a6000   \/usr\/bin\/opj_compress\r\n        0x0000007a6000-0x0000007b0000   \/usr\/bin\/opj_compress\r\n        0x0000007b0000-0x000001425000\r\n        0x00007fff7000-0x00008fff7000\r\n        0x00008fff7000-0x02008fff7000\r\n        0x02008fff7000-0x10007fff8000\r\n        0x600000000000-0x602000000000\r\n        0x602000000000-0x602000010000\r\n        0x602000010000-0x602e00000000\r\n        0x602e00000000-0x602e00010000\r\n        0x602e00010000-0x604000000000\r\n        0x604000000000-0x604000010000\r\n        0x604000010000-0x604e00000000\r\n        0x604e00000000-0x604e00010000\r\n        0x604e00010000-0x606000000000\r\n        0x606000000000-0x606000010000\r\n        0x606000010000-0x606e00000000\r\n        0x606e00000000-0x606e00010000\r\n        0x606e00010000-0x610000000000\r\n        0x610000000000-0x610000010000\r\n        0x610000010000-0x610e00000000\r\n        
0x610e00000000-0x610e00010000\r\n        0x610e00010000-0x616000000000\r\n        0x616000000000-0x616000010000\r\n        0x616000010000-0x616e00000000\r\n        0x616e00000000-0x616e00010000\r\n        0x616e00010000-0x621000000000\r\n        0x621000000000-0x621000010000\r\n        0x621000010000-0x621e00000000\r\n        0x621e00000000-0x621e00010000\r\n        0x621e00010000-0x640000000000\r\n        0x640000000000-0x640000003000\r\n        0x7f2622bf7000-0x7f2623800000\r\n        0x7f2623900000-0x7f2623a00000\r\n        0x7f2623a5c000-0x7f2625dae000\r\n        0x7f2625dae000-0x7f2625e16000   \/usr\/lib64\/libjpeg.so.62.2.0\r\n        0x7f2625e16000-0x7f2626016000   \/usr\/lib64\/libjpeg.so.62.2.0\r\n        0x7f2626016000-0x7f2626017000   \/usr\/lib64\/libjpeg.so.62.2.0\r\n        0x7f2626017000-0x7f2626018000   \/usr\/lib64\/libjpeg.so.62.2.0\r\n        0x7f2626018000-0x7f2626021000   \/usr\/lib64\/libjbig.so\r\n        0x7f2626021000-0x7f2626220000   \/usr\/lib64\/libjbig.so\r\n        0x7f2626220000-0x7f2626221000   \/usr\/lib64\/libjbig.so\r\n        0x7f2626221000-0x7f2626224000   \/usr\/lib64\/libjbig.so\r\n        0x7f2626224000-0x7f2626248000   \/lib64\/liblzma.so.5.2.3\r\n        0x7f2626248000-0x7f2626448000   \/lib64\/liblzma.so.5.2.3\r\n        0x7f2626448000-0x7f2626449000   \/lib64\/liblzma.so.5.2.3\r\n        0x7f2626449000-0x7f262644a000   \/lib64\/liblzma.so.5.2.3\r\n        0x7f262644a000-0x7f2626460000   \/lib64\/libz.so.1.2.11\r\n        0x7f2626460000-0x7f262665f000   \/lib64\/libz.so.1.2.11\r\n        0x7f262665f000-0x7f2626660000   \/lib64\/libz.so.1.2.11\r\n        0x7f2626660000-0x7f2626661000   \/lib64\/libz.so.1.2.11\r\n        0x7f2626661000-0x7f26267f0000   \/lib64\/libc-2.23.so\r\n        0x7f26267f0000-0x7f26269f0000   \/lib64\/libc-2.23.so\r\n        0x7f26269f0000-0x7f26269f4000   \/lib64\/libc-2.23.so\r\n        0x7f26269f4000-0x7f26269f6000   \/lib64\/libc-2.23.so\r\n        0x7f26269f6000-0x7f26269fa000\r\n        
0x7f26269fa000-0x7f2626a10000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libgcc_s.so.1\r\n        0x7f2626a10000-0x7f2626c0f000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libgcc_s.so.1\r\n        0x7f2626c0f000-0x7f2626c10000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libgcc_s.so.1\r\n        0x7f2626c10000-0x7f2626c11000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libgcc_s.so.1\r\n        0x7f2626c11000-0x7f2626c13000   \/lib64\/libdl-2.23.so\r\n        0x7f2626c13000-0x7f2626e13000   \/lib64\/libdl-2.23.so\r\n        0x7f2626e13000-0x7f2626e14000   \/lib64\/libdl-2.23.so\r\n        0x7f2626e14000-0x7f2626e15000   \/lib64\/libdl-2.23.so\r\n        0x7f2626e15000-0x7f2626e2c000   \/lib64\/libpthread-2.23.so\r\n        0x7f2626e2c000-0x7f262702b000   \/lib64\/libpthread-2.23.so\r\n        0x7f262702b000-0x7f262702c000   \/lib64\/libpthread-2.23.so\r\n        0x7f262702c000-0x7f262702d000   \/lib64\/libpthread-2.23.so\r\n        0x7f262702d000-0x7f2627031000\r\n        0x7f2627031000-0x7f2627037000   \/lib64\/librt-2.23.so\r\n        0x7f2627037000-0x7f2627237000   \/lib64\/librt-2.23.so\r\n        0x7f2627237000-0x7f2627238000   \/lib64\/librt-2.23.so\r\n        0x7f2627238000-0x7f2627239000   \/lib64\/librt-2.23.so\r\n        0x7f2627239000-0x7f262733b000   \/lib64\/libm-2.23.so\r\n        0x7f262733b000-0x7f262753a000   \/lib64\/libm-2.23.so\r\n        0x7f262753a000-0x7f262753b000   \/lib64\/libm-2.23.so\r\n        0x7f262753b000-0x7f262753c000   \/lib64\/libm-2.23.so\r\n        0x7f262753c000-0x7f2627591000   \/usr\/lib64\/liblcms2.so.2.0.8\r\n        0x7f2627591000-0x7f2627790000   \/usr\/lib64\/liblcms2.so.2.0.8\r\n        0x7f2627790000-0x7f2627791000   \/usr\/lib64\/liblcms2.so.2.0.8\r\n        0x7f2627791000-0x7f2627796000   \/usr\/lib64\/liblcms2.so.2.0.8\r\n        0x7f2627796000-0x7f2627809000   \/usr\/lib64\/libtiff.so.5.2.6\r\n        0x7f2627809000-0x7f2627a08000   \/usr\/lib64\/libtiff.so.5.2.6\r\n        
0x7f2627a08000-0x7f2627a0c000   \/usr\/lib64\/libtiff.so.5.2.6\r\n        0x7f2627a0c000-0x7f2627a0d000   \/usr\/lib64\/libtiff.so.5.2.6\r\n        0x7f2627a0d000-0x7f2627a3f000   \/usr\/lib64\/libpng16.so.16.29.0\r\n        0x7f2627a3f000-0x7f2627c3e000   \/usr\/lib64\/libpng16.so.16.29.0\r\n        0x7f2627c3e000-0x7f2627c3f000   \/usr\/lib64\/libpng16.so.16.29.0\r\n        0x7f2627c3f000-0x7f2627c40000   \/usr\/lib64\/libpng16.so.16.29.0\r\n        0x7f2627c40000-0x7f2627da7000   \/usr\/lib64\/libopenjp2.so.2.2.0\r\n        0x7f2627da7000-0x7f2627fa6000   \/usr\/lib64\/libopenjp2.so.2.2.0\r\n        0x7f2627fa6000-0x7f2627fa9000   \/usr\/lib64\/libopenjp2.so.2.2.0\r\n        0x7f2627fa9000-0x7f2627fb1000   \/usr\/lib64\/libopenjp2.so.2.2.0\r\n        0x7f2627fb1000-0x7f2627fd5000   \/lib64\/ld-2.23.so\r\n        0x7f262804a000-0x7f26281c6000\r\n        0x7f26281c6000-0x7f26281d4000\r\n        0x7f26281d4000-0x7f26281d5000   \/lib64\/ld-2.23.so\r\n        0x7f26281d5000-0x7f26281d6000   \/lib64\/ld-2.23.so\r\n        0x7f26281d6000-0x7f26281d7000\r\n        0x7ffeff1e8000-0x7ffeff209000   [stack]\r\n        0x7ffeff28f000-0x7ffeff291000   [vdso]\r\n        0x7ffeff291000-0x7ffeff293000   [vvar]\r\n        0xffffffffff600000-0xffffffffff601000   [vsyscall]\r\n==78690==End of process memory map.\r\n==78690==AddressSanitizer CHECK failed: \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/sanitizer_common\/sanitizer_common.cc:120 \"((0 &amp;&amp; \"unable to mmap\")) != (0)\" (0x0, 0x0)\r\n    #0 0x4db60f in AsanCheckFailed \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/asan_rtl.cc:69\r\n    #1 0x4f6375 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/sanitizer_common\/sanitizer_termination.cc:79\r\n    #2 0x4e59a2 in 
__sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/sanitizer_common\/sanitizer_common.cc:120\r\n    #3 0x4ef2a5 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/sanitizer_common\/sanitizer_posix.cc:132\r\n    #4 0x426caa in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator_secondary.h:41\r\n    #5 0x426caa in __sanitizer::CombinedAllocator&lt;__sanitizer::SizeClassAllocator64, __sanitizer::SizeClassAllocatorLocalCache&lt;__sanitizer::SizeClassAllocator64 &gt;, __sanitizer::LargeMmapAllocator &gt;::Allocate(__sanitizer::SizeClassAllocatorLocalCache&lt;__sanitizer::SizeClassAllocator64 &gt;*, unsigned long, unsigned long, bool, bool) \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator_combined.h:70\r\n    #6 0x426caa in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/asan_allocator.cc:407\r\n    #7 0x42138d in __asan::asan_posix_memalign(void**, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/asan_allocator.cc:815\r\n    #8 0x4d206d in __interceptor_posix_memalign \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/asan_malloc_linux.cc:144\r\n    #9 0x7f2627d95aa4 in opj_aligned_alloc_n 
\/var\/tmp\/portage\/media-libs\/openjpeg-2.2.0\/work\/openjpeg-2.2.0\/src\/lib\/openjp2\/opj_malloc.c:61:9\r\n    #10 0x7f2627d95aa4 in opj_aligned_malloc \/var\/tmp\/portage\/media-libs\/openjpeg-2.2.0\/work\/openjpeg-2.2.0\/src\/lib\/openjp2\/opj_malloc.c:209\r\n    #11 0x7f2627c79d09 in opj_image_create \/var\/tmp\/portage\/media-libs\/openjpeg-2.2.0\/work\/openjpeg-2.2.0\/src\/lib\/openjp2\/image.c:77:39\r\n    #12 0x53437b in bmptoimage \/var\/tmp\/portage\/media-libs\/openjpeg-2.2.0\/work\/openjpeg-2.2.0\/src\/bin\/jp2\/convertbmp.c:768:13\r\n    #13 0x50b635 in main \/var\/tmp\/portage\/media-libs\/openjpeg-2.2.0\/work\/openjpeg-2.2.0\/src\/bin\/jp2\/opj_compress.c:1844:21\r\n    #14 0x7f2626681680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #15 0x41bc78 in _start (\/usr\/bin\/opj_compress+0x41bc78)\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n2.2.0<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/uclouvain\/openjpeg\/commit\/baf0c1ad4572daa89caa3b12985bdd93530f0dd7\">https:\/\/github.com\/uclouvain\/openjpeg\/commit\/baf0c1ad4572daa89caa3b12985bdd93530f0dd7<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-12982<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00315-openjpeg-memallocfailure-opj_aligned_alloc_n\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00315-openjpeg-memallocfailure-opj_aligned_alloc_n<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-08-14: bug discovered and reported to upstream<br \/>\n2017-08-14: blog post about the issue<br \/>\n2017-08-21: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy 
Lop<\/a>.<br \/>\nThis bug was identified with bare metal servers donated by <a href=\"https:\/\/www.packet.net\/\">Packet<\/a>. This work is also supported by the <a href=\"https:\/\/www.coreinfrastructure.org\">Core Infrastructure Initiative<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/08\/14\/openjpeg-memory-allocation-failure-in-opj_aligned_alloc_n-opj_malloc-c\/\">openjpeg: memory allocation failure in opj_aligned_alloc_n (opj_malloc.c)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: openjpeg is an open-source JPEG 2000 library. 
The complete ASan output of the issue: # opj_compress -n 1 -i $FILE -o null.j2c ==78690==ERROR: AddressSanitizer failed to allocate 0x5ea7983000 (406538694656) bytes of LargeMmapAllocator (error code: 12) ==78690==Process memory map follows: &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/08\/14\/openjpeg-memory-allocation-failure-in-opj_aligned_alloc_n-opj_malloc-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-ww","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2016"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=2016"}],"version-history":[{"count":4,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2016\/revisions"}],"predecessor-version":[{"id":2058,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2016\/revisions\/2058"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=2016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=2016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=2016"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}