Closed Bug 1132468 (CVE-2015-0811) Opened 10 years ago Closed 9 years ago

[qcms] heap info leak

Categories

(Core :: Graphics: Color Management, defect)

Product:
Core
Component:
Graphics: Color Management
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox36 --- wontfix
firefox37 --- fixed
firefox38 --- fixed
firefox39 --- fixed
firefox-esr31 --- wontfix
b2g-v1.4 --- wontfix
b2g-v2.0 --- wontfix
b2g-v2.0M --- wontfix
b2g-v2.1 --- wontfix
b2g-v2.1S --- wontfix
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: groebert, Assigned: BenWa)

References

Details

(Keywords: sec-moderate, Whiteboard: [adv-main37+])

Attachments

(3 files, 1 obsolete file)

98c8e33029be249da9724c3836486677
211.06 KB, application/octet-stream
Details
11dcaacb804945e4574317fc56ebc5d3
546.35 KB, application/octet-stream
Details
patch v2
4.68 KB, patch
jrmuizel
: review+
lizzard
: approval-mozilla-aurora+
lizzard
: approval-mozilla-beta+
lizzard
: approval-mozilla-release-
lizzard
: approval-mozilla-esr31-
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36

Steps to reproduce:

Load sample 98c8e33029be249da9724c3836486677 or 11dcaacb804945e4574317fc56ebc5d3 in a transformation.


Actual results:

heap-buffer-overflow READ of size 4
lut_interp_linear_float third_party/qcms/src/transform_util.c:101:17

or

Program received signal SIGSEGV, Segmentation fault.
lut_interp_linear_float (value=1.35335546e+18, table=0x7ffff6a02050, length=0)
    at third_party/qcms/src/transform_util.c:101
101             value = table[upper]*(1. - (upper - value)) + table[lower]*(upper - value);

float lut_interp_linear_float(float value, float *table, size_t length)
{
        int upper, lower;
        value = value * (length - 1);

// If length is 0, value will have been adjusted to an arbitrary large float.


        upper = ceil(value);
        lower = floor(value);


        value = table[upper]*(1. - (upper - value)) + table[lower]*(upper - value);

// Here the ASAN alert or SIGSEGV occurs.

        return value;
}

Potentially this can be used for disclosing memory contents.

    
  
Component: Untriaged → GFX: Color Management
Product: Firefox → Core
Assignee: nobody → bgirard

    
    

    
  


  

        Attachment #8566813 -
        Flags: review?(jmuizelaar)

    
    

    
  
These sizes don't make any sense so I don't think they is any value in trying to support these profiles. Rejecting these at read time means that we avoid a lot of foot guns later.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

    
    

    
  
Comment on attachment 8566813 [details] [diff] [review]
patch - disallow 0 length in read_tag_lutmA

Review of attachment 8566813 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/qcms/iccread.c
@@ +585,5 @@
>  		for (i = 0; i < num_in_channels; i++) {
>  			clut_size *= read_u8(src, clut_offset + i);
> +			if (clut_size == 0) {
> +				invalid_source(src, "bad clut_size");
> +				return NULL;

Do you need to return here or can you just let things fall through?

@@ +609,5 @@
>  	for (i = 0; i < num_in_channels; i++) {
>  		lut->num_grid_points[i] = read_u8(src, clut_offset + i);
> +		if (lut->num_grid_points[i] == 0) {
> +			invalid_source(src, "bad grid_points");
> +			return NULL;

Looks like this leaks. You shouldn't return here just mark the source as invalid.

@@ +695,5 @@
>  		num_input_table_entries  = read_u16(src, offset + 48);
>  		num_output_table_entries = read_u16(src, offset + 50);
> +		if (num_input_table_entries == 0 || num_output_table_entries == 0) {
> +			invalid_source(src, "entries is 0");
> +			return NULL;

Same here. Does anything bad happen if these values are large?

        Attachment #8566813 -
        Flags: review?(jmuizelaar) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v2Splinter Review
      

    


  

        Attachment #8566813 -
        Attachment is obsolete: true

        Attachment #8568805 -
        Flags: review?(jmuizelaar)

        Attachment #8568805 -
        Flags: review?(jmuizelaar) → review+

    
    

    
  
Not sure what the process for landing a security patch is these days.
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/f1170bf063bd
Status: ASSIGNED → RESOLVED
Closed: 9 years ago

          status-firefox39:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39

    
    

    
  
Milan, can you please take care of what approval requests this needs? AFAICT, that'd be aurora/beta/esr31/b2g34.

          status-b2g-master:
          affectedfixed
Flags: needinfo?(milan)

    
    

    
  
Comment on attachment 8568805 [details] [diff] [review]
patch v2

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Possible info leak
Fix Landed on Version: 39
Risk to taking this patch (and alternatives if risky): Low risk.  We do a quick exit if the data is bad.
String or UUID changes made by this patch: 

Not requesting uplift to the B2G 34 - we're not actually hitting the QCMS code in B2G, so no particular need to do it.  As this hits the beta channel, it will end up in B2G 37, which shouldn't hurt it.
Flags: needinfo?(milan)

        Attachment #8568805 -
        Flags: approval-mozilla-release?

        Attachment #8568805 -
        Flags: approval-mozilla-esr31?

        Attachment #8568805 -
        Flags: approval-mozilla-beta?

        Attachment #8568805 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8568805 [details] [diff] [review]
patch v2

Taking this for aurora and beta since it seems low risk, and we're still early in beta -- but not for ESR or release since it doesn't meet the criteria for ESR31 and does not look significant enough to do a second dot release for 36.

        Attachment #8568805 -
        Flags: approval-mozilla-release?

        Attachment #8568805 -
        Flags: approval-mozilla-release-

        Attachment #8568805 -
        Flags: approval-mozilla-esr31?

        Attachment #8568805 -
        Flags: approval-mozilla-esr31-

        Attachment #8568805 -
        Flags: approval-mozilla-beta?

        Attachment #8568805 -
        Flags: approval-mozilla-beta+

        Attachment #8568805 -
        Flags: approval-mozilla-aurora?

        Attachment #8568805 -
        Flags: approval-mozilla-aurora+
Whiteboard: [adv-main37+]
Alias: CVE-2015-0811

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: