Source: http://seclists.org/oss-sec/2017/q1/458
Description:
Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.
A crafted image posted early for another issue, causes a stack overflow.
The complete ASan output:
# mujstest $FILE
==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
WRITE of size 1453 at 0x7fff29560b00 thread T0
#0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-
r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
#1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/platform/x11/jstest_main.c:358:7
#2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)
Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in
frame
#0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/platform/x11/jstest_main.c:293
This frame has 7 object(s):
[32, 1056) 'path'
[1184, 2208) 'text' <== Memory access at offset 1056 partially underflows
this variable
[2336, 2340) 'w' <== Memory access at offset 1056 partially underflows
this variable
[2352, 2356) 'h' <== Memory access at offset 1056 partially underflows
this variable
[2368, 2372) 'x' <== Memory access at offset 1056 partially underflows
this variable
[2384, 2388) 'y' <== Memory access at offset 1056 partially underflows
this variable
[2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
f2 f2
0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32127==ABORTING
Affected version:
1.10a
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-6060
Reproducer:
https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main
Timeline:
2017-02-05: bug discovered and reported to upstream
2017-02-17: blog post about the issue
2017-02-17: CVE assigned via cveform.mitre.org
Note:
This bug was found with Address Sanitizer.
Permalink:
https://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42139.zip