Bug 2780 - A heap-buffer-overflow in function LZWDecodeCompat in libtiff4.0.9 (CVE-2018-8905)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Importance: P2 enhancement
Reported: 2018-03-17 08:22
Modified: 2018-05-12 08:33


Attachments
poc (316 bytes, application/octet-stream)
2018-03-17 08:25, xiaosatianyu@126.com




Description From 2018-03-17 08:22:32
A heap-buffer-overflow in function LZWDecodeCompat at tif_lzw.c:763 when
using the tiff2ps tool in the latest libtiff 4.0.9 with a created tiff file.

tiffcp -i $FILE /tmp/foo

The ASan report is:
=================================================================
==16709==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000000af at pc 0x000000607a23 bp 0x7ffdee2dde50 sp 0x7ffdee2dde48
WRITE of size 1 at 0x6020000000af thread T0
    #0 0x607a22 in LZWDecodeCompat
/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/libtiff/tif_lzw.c:763:11
    #1 0x594aaa in TIFFReadScanline
/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/libtiff/tif_read.c:450:7
    #2 0x538620 in PSDataColorSeparate
/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/tools/tiff2ps.c:2526:8
    #3 0x530900 in PSpage
/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/tools/tiff2ps.c
    #4 0x52c7a6 in TIFF2PS
/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/tools/tiff2ps.c
    #5 0x52ab7e in main
/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/tools/tiff2ps.c:479:9
    #6 0x7f7c5cf7ff44 in __libc_start_main
/build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #7 0x41ca0b in _start
(/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff2ps-test/tiff2ps4.0.9+0x41ca0b)

0x6020000000af is located 1 bytes to the left of 8-byte region
[0x6020000000b0,0x6020000000b8)
allocated by thread T0 here:
    #0 0x4f5716 in __interceptor_malloc
/home/xiaosatianyu/workspace/git/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x5a69d7 in _TIFFmalloc
/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/libtiff/tif_unix.c:316:10

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/libtiff/tif_lzw.c:763:11
in LZWDecodeCompat
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8010: fa fa 00 07 fa[fa]00 fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16709==ABORTING
------- Comment #1 From 2018-03-17 08:25:49 -------
Created an attachment (id=845)
poc
------- Comment #2 From 2018-03-17 08:27:44 -------
(In reply to comment #0)
> A heap-buffer-overflow in function LZWDecodeCompat at tif_lzw.c:763 when
> using the tiff2ps tool in the latest libtiff 4.0.9 with a created tiff file.
> 
> tiffcp  $FILE 
> 
------- Comment #3 From 2018-03-17 08:28:47 -------
The command is tiff2ps $File.
------- Comment #4 From 2018-03-17 08:29:26 -------
The command is tiff2ps $File.
------- Comment #5 From 2018-03-22 09:53:46 -------
This issue was assigned CVE-2018-8905
------- Comment #6 From 2018-04-05 13:04:12 -------
The source lines seem to have changed slightly since this bug was filed:

==11956== 
==11956== HEAP SUMMARY:
==11956==     in use at exit: 0 bytes in 0 blocks
==11956==   total heap usage: 51 allocs, 51 frees, 114,243 bytes allocated
==11956== 
==11956== All heap blocks were freed -- no leaks are possible
==11956== 
==11956== ERROR SUMMARY: 220 errors from 1 contexts (suppressed: 0 from 0)
==11956== 
==11956== 220 errors in context 1 of 1:
==11956== Invalid write of size 1
==11956==    at 0x4E8069F: LZWDecodeCompat (tif_lzw.c:761)
==11956==    by 0x4E94C91: TIFFReadScanline (tif_read.c:448)
==11956==    by 0x1114E4: PSDataColorSeparate (tiff2ps.c:2524)
==11956==    by 0x110A44: PSpage (tiff2ps.c:2354)
==11956==    by 0x10E7C0: TIFF2PS (tiff2ps.c:1610)
==11956==    by 0x10AB35: main (tiff2ps.c:477)
==11956==  Address 0x6319b7f is 1 bytes before a block of size 8 alloc'd
==11956==    at 0x4C2CEDF: malloc (vg_replace_malloc.c:299)
==11956==    by 0x4E9DA72: _TIFFmalloc (tif_unix.c:314)
==11956==    by 0x111476: PSDataColorSeparate (tiff2ps.c:2516)
==11956==    by 0x110A44: PSpage (tiff2ps.c:2354)
==11956==    by 0x10E7C0: TIFF2PS (tiff2ps.c:1610)
==11956==    by 0x10AB35: main (tiff2ps.c:477)
==11956== 
==11956== ERROR SUMMARY: 220 errors from 1 contexts (suppressed: 0 from 0)

I took a look at the code and it's pretty hideous. Best of luck to whoever
wants to take a crack at it.
------- Comment #7 From 2018-04-19 21:53:23 -------
I'm currently working on a patch, please take a look at the Debian bug tracker
for more info[0].

[0] https://bugs.debian.org/893806