{"id":541,"date":"2016-09-15T17:54:54","date_gmt":"2016-09-15T15:54:54","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=541"},"modified":"2016-10-16T11:31:14","modified_gmt":"2016-10-16T09:31:14","slug":"graphicsmagick-memory-allocation-failure-in-magickmalloc-memory-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/15\/graphicsmagick-memory-allocation-failure-in-magickmalloc-memory-c\/","title":{"rendered":"graphicsmagick: memory allocation failure in MagickMalloc (memory.c)"},"content":{"rendered":"

Description<\/strong>:
\nGraphicsmagick<\/a> is an Image Processing System.<\/p>\n

After the first round of fuzzing where I discovered some slowness issues that make the fuzz hard, the second round revealed a memory allocation failure.<\/p>\n

The complete ASan output:<\/p>\n

# gm identify $FILE\r\n==20592==ERROR: AddressSanitizer failed to allocate 0x7fff03000 (34358702080) bytes of LargeMmapAllocator (error code: 12)\r\n==20592==Process memory map follows:\r\n        0x000000400000-0x000000522000   \/usr\/bin\/gm\r\n        0x000000722000-0x000000723000   \/usr\/bin\/gm\r\n        0x000000723000-0x000000726000   \/usr\/bin\/gm\r\n        0x000000726000-0x000001399000\r\n        0x00007fff7000-0x00008fff7000\r\n        0x00008fff7000-0x02008fff7000\r\n        0x02008fff7000-0x10007fff8000\r\n        0x600000000000-0x602000000000\r\n        0x602000000000-0x602000010000\r\n        0x602000010000-0x603000000000\r\n        0x603000000000-0x603000010000\r\n        0x603000010000-0x604000000000\r\n        0x604000000000-0x604000010000\r\n        0x604000010000-0x606000000000\r\n        0x606000000000-0x606000010000\r\n        0x606000010000-0x607000000000\r\n        0x607000000000-0x607000010000\r\n        0x607000010000-0x608000000000\r\n        0x608000000000-0x608000010000\r\n        0x608000010000-0x60a000000000\r\n        0x60a000000000-0x60a000010000\r\n        0x60a000010000-0x60b000000000\r\n        0x60b000000000-0x60b000010000\r\n        0x60b000010000-0x60c000000000\r\n        0x60c000000000-0x60c000010000\r\n        0x60c000010000-0x60d000000000\r\n        0x60d000000000-0x60d000010000\r\n        0x60d000010000-0x60f000000000\r\n        0x60f000000000-0x60f000010000\r\n        0x60f000010000-0x610000000000\r\n        0x610000000000-0x610000010000\r\n        0x610000010000-0x611000000000\r\n        0x611000000000-0x611000010000\r\n        0x611000010000-0x612000000000\r\n        0x612000000000-0x612000010000\r\n        0x612000010000-0x614000000000\r\n        0x614000000000-0x614000020000\r\n        0x614000020000-0x616000000000\r\n        0x616000000000-0x616000020000\r\n        0x616000020000-0x618000000000\r\n        0x618000000000-0x618000020000\r\n        0x618000020000-0x619000000000\r\n        0x619000000000-0x619000020000\r\n        0x619000020000-0x61a000000000\r\n        0x61a000000000-0x61a000020000\r\n        0x61a000020000-0x61b000000000\r\n        0x61b000000000-0x61b000020000\r\n        0x61b000020000-0x61d000000000\r\n        0x61d000000000-0x61d000020000\r\n        0x61d000020000-0x61e000000000\r\n        0x61e000000000-0x61e000020000\r\n        0x61e000020000-0x621000000000\r\n        0x621000000000-0x621000020000\r\n        0x621000020000-0x623000000000\r\n        0x623000000000-0x623000020000\r\n        0x623000020000-0x624000000000\r\n        0x624000000000-0x624000020000\r\n        0x624000020000-0x625000000000\r\n        0x625000000000-0x625000020000\r\n        0x625000020000-0x640000000000\r\n        0x640000000000-0x640000003000\r\n        0x7f889986d000-0x7f889988b000   \/usr\/lib64\/GraphicsMagick-1.3.25\/modules-Q32\/coders\/sgi.so\r\n        0x7f889988b000-0x7f8899a8a000   \/usr\/lib64\/GraphicsMagick-1.3.25\/modules-Q32\/coders\/sgi.so\r\n        0x7f8899a8a000-0x7f8899a8b000   \/usr\/lib64\/GraphicsMagick-1.3.25\/modules-Q32\/coders\/sgi.so\r\n        0x7f8899a8b000-0x7f8899a8c000   \/usr\/lib64\/GraphicsMagick-1.3.25\/modules-Q32\/coders\/sgi.so\r\n        0x7f8899a8c000-0x7f8899a8e000\r\n        0x7f8899a8e000-0x7f88a0100000   \/usr\/lib64\/locale\/locale-archive\r\n        0x7f88a0100000-0x7f88a0200000\r\n        0x7f88a0300000-0x7f88a0400000\r\n        0x7f88a049b000-0x7f88a27ed000\r\n        0x7f88a27ed000-0x7f88a27f6000   \/usr\/lib64\/libltdl.so.7.3.1\r\n        0x7f88a27f6000-0x7f88a29f5000   \/usr\/lib64\/libltdl.so.7.3.1\r\n        0x7f88a29f5000-0x7f88a29f6000   \/usr\/lib64\/libltdl.so.7.3.1\r\n        0x7f88a29f6000-0x7f88a29f7000   \/usr\/lib64\/libltdl.so.7.3.1\r\n        0x7f88a29f7000-0x7f88a2a0c000   \/lib64\/libz.so.1.2.8\r\n        0x7f88a2a0c000-0x7f88a2c0b000   \/lib64\/libz.so.1.2.8\r\n        0x7f88a2c0b000-0x7f88a2c0c000   \/lib64\/libz.so.1.2.8\r\n        0x7f88a2c0c000-0x7f88a2c0d000   \/lib64\/libz.so.1.2.8\r\n        0x7f88a2c0d000-0x7f88a2c1c000   \/lib64\/libbz2.so.1.0.6\r\n        0x7f88a2c1c000-0x7f88a2e1b000   \/lib64\/libbz2.so.1.0.6\r\n        0x7f88a2e1b000-0x7f88a2e1c000   \/lib64\/libbz2.so.1.0.6\r\n        0x7f88a2e1c000-0x7f88a2e1d000   \/lib64\/libbz2.so.1.0.6\r\n        0x7f88a2e1d000-0x7f88a2ec4000   \/usr\/lib64\/libfreetype.so.6.12.3\r\n        0x7f88a2ec4000-0x7f88a30c4000   \/usr\/lib64\/libfreetype.so.6.12.3\r\n        0x7f88a30c4000-0x7f88a30ca000   \/usr\/lib64\/libfreetype.so.6.12.3\r\n        0x7f88a30ca000-0x7f88a30cb000   \/usr\/lib64\/libfreetype.so.6.12.3\r\n        0x7f88a30cb000-0x7f88a311f000   \/usr\/lib64\/liblcms2.so.2.0.6\r\n        0x7f88a311f000-0x7f88a331e000   \/usr\/lib64\/liblcms2.so.2.0.6\r\n        0x7f88a331e000-0x7f88a331f000   \/usr\/lib64\/liblcms2.so.2.0.6\r\n        0x7f88a331f000-0x7f88a3324000   \/usr\/lib64\/liblcms2.so.2.0.6\r\n        0x7f88a3324000-0x7f88a34b7000   \/lib64\/libc-2.22.so\r\n        0x7f88a34b7000-0x7f88a36b7000   \/lib64\/libc-2.22.so\r\n        0x7f88a36b7000-0x7f88a36bb000   \/lib64\/libc-2.22.so\r\n        0x7f88a36bb000-0x7f88a36bd000   \/lib64\/libc-2.22.so\r\n        0x7f88a36bd000-0x7f88a36c1000\r\n        0x7f88a36c1000-0x7f88a36d7000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f88a36d7000-0x7f88a38d6000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f88a38d6000-0x7f88a38d7000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f88a38d7000-0x7f88a38d8000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7f88a38d8000-0x7f88a38de000   \/lib64\/librt-2.22.so\r\n        0x7f88a38de000-0x7f88a3ade000   \/lib64\/librt-2.22.so\r\n        0x7f88a3ade000-0x7f88a3adf000   \/lib64\/librt-2.22.so\r\n        0x7f88a3adf000-0x7f88a3ae0000   \/lib64\/librt-2.22.so\r\n        0x7f88a3ae0000-0x7f88a3af7000   \/lib64\/libpthread-2.22.so\r\n        0x7f88a3af7000-0x7f88a3cf6000   \/lib64\/libpthread-2.22.so\r\n        0x7f88a3cf6000-0x7f88a3cf7000   \/lib64\/libpthread-2.22.so\r\n        0x7f88a3cf7000-0x7f88a3cf8000   \/lib64\/libpthread-2.22.so\r\n        0x7f88a3cf8000-0x7f88a3cfc000\r\n        0x7f88a3cfc000-0x7f88a3df9000   \/lib64\/libm-2.22.so\r\n        0x7f88a3df9000-0x7f88a3ff8000   \/lib64\/libm-2.22.so\r\n        0x7f88a3ff8000-0x7f88a3ff9000   \/lib64\/libm-2.22.so\r\n        0x7f88a3ff9000-0x7f88a3ffa000   \/lib64\/libm-2.22.so\r\n        0x7f88a3ffa000-0x7f88a3ffc000   \/lib64\/libdl-2.22.so\r\n        0x7f88a3ffc000-0x7f88a41fc000   \/lib64\/libdl-2.22.so\r\n        0x7f88a41fc000-0x7f88a41fd000   \/lib64\/libdl-2.22.so\r\n        0x7f88a41fd000-0x7f88a41fe000   \/lib64\/libdl-2.22.so\r\n        0x7f88a41fe000-0x7f88a4a0d000   \/usr\/lib64\/libGraphicsMagick.so.3.15.1\r\n        0x7f88a4a0d000-0x7f88a4c0d000   \/usr\/lib64\/libGraphicsMagick.so.3.15.1\r\n        0x7f88a4c0d000-0x7f88a4c3e000   \/usr\/lib64\/libGraphicsMagick.so.3.15.1\r\n        0x7f88a4c3e000-0x7f88a4cc4000   \/usr\/lib64\/libGraphicsMagick.so.3.15.1\r\n        0x7f88a4cc4000-0x7f88a4d3f000\r\n        0x7f88a4d3f000-0x7f88a4d61000   \/lib64\/ld-2.22.so\r\n        0x7f88a4eab000-0x7f88a4ec0000\r\n        0x7f88a4ec0000-0x7f88a4ec7000   \/usr\/lib64\/gconv\/gconv-modules.cache\r\n        0x7f88a4ec7000-0x7f88a4eea000   \/usr\/share\/locale\/it\/LC_MESSAGES\/libc.mo\r\n        0x7f88a4eea000-0x7f88a4f54000\r\n        0x7f88a4f54000-0x7f88a4f60000\r\n        0x7f88a4f60000-0x7f88a4f61000   \/lib64\/ld-2.22.so\r\n        0x7f88a4f61000-0x7f88a4f62000   \/lib64\/ld-2.22.so\r\n        0x7f88a4f62000-0x7f88a4f63000\r\n        0x7ffe83ea9000-0x7ffe83eca000   [stack]\r\n        0x7ffe83f49000-0x7ffe83f4b000   [vvar]\r\n        0x7ffe83f4b000-0x7ffe83f4d000   [vdso]\r\n        0xffffffffff600000-0xffffffffff601000   [vsyscall]\r\n==20592==End of process memory map.\r\n==20592==AddressSanitizer CHECK failed: \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183 \"((0 && \"unable to mmap\")) != (0)\" (0x0, 0x0)\r\n    #0 0x4c9aed in AsanCheckFailed \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_rtl.cc:67\r\n    #1 0x4d0623 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:159\r\n    #2 0x4d0811 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183\r\n    #3 0x4d984a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_posix.cc:122\r\n    #4 0x421bdf in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1033\r\n    #5 0x421bdf in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1302\r\n    #6 0x421bdf in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:368\r\n    #7 0x421bdf in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:718\r\n    #8 0x4c01b1 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:53\r\n    #9 0x7f88a479e12d in MagickMalloc \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/memory.c:156:10\r\n    #10 0x7f88a479e12d in MagickMallocArray \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/memory.c:347\r\n    #11 0x7f8899872d7a in ReadSGIImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/coders\/sgi.c:498:19\r\n    #12 0x7f88a4558b13 in ReadImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/constitute.c:1607:13\r\n    #13 0x7f88a4556a94 in PingImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/constitute.c:1370:9\r\n    #14 0x7f88a446bb25 in IdentifyImageCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/command.c:8375:17\r\n    #15 0x7f88a447197c in MagickCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/command.c:8865:17\r\n    #16 0x7f88a44e96fe in GMCommandSingle \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/command.c:17379:10\r\n    #17 0x7f88a44e7926 in GMCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/command.c:17432:16\r\n    #18 0x7f88a334461f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #19 0x418c88 in _init (\/usr\/bin\/gm+0x418c88)\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n1.3.25<\/p>\n
Fixed version:<\/strong>
\n1.3.26 (not yet released)<\/p>\n
Commit fix:<\/strong>
\nhttp:\/\/hg.code.sf.net\/p\/graphicsmagick\/code\/rev\/c53725cb5449<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2016-8684<\/p>\n
Timeline:<\/strong>
\n2016-09-09: bug discovered
\n2016-09-09: bug reported privately to upstream
\n2016-09-10: no upstream response
\n2016-09-15: blog post about the issue
\n2016-10-16: CVE Assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
graphicsmagick: memory allocation failure in MagickMalloc (memory.c)<\/a><\/p><\/blockquote>\n