Closed Bug 1203078 (CVE-2015-7217) Opened 9 years ago Closed 9 years ago

Heap overflow and DoS with TGA files in gdk-pixbuf affecting Firefox

Categories

(Core :: Widget: Gtk, defect)

40 Branch
Unspecified
Linux
defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla43
Tracking Status
firefox40 --- wontfix
firefox41 --- affected
firefox42 --- affected
firefox43 --- verified
firefox-esr38 --- wontfix

People

(Reporter: gustavo.grieco, Assigned: lsalzman)

References

Details

(5 keywords, Whiteboard: [gfx-noted][adv-main43+])

Attachments

(4 files, 2 obsolete files)

Attached file overflow.tga.gz
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150826185918

Steps to reproduce:

Hello,

We found a heap overflow and a DoS in the gdk-pixbuf implementation triggered by the scaling of TGA files. At least, these issues are affecting gdk-pixbuf 2.30 and 2.31 on x86_64 (we tested on a fully updated Ubuntu 14.04). Please find attached the two test cases as well as a minimal example of a vulnerable program: it is just a call to gdk_pixbuf_new_from_file_at_size.

Like the last gdk-pixbuf vulnerability (https://bugzilla.gnome.org/show_bug.cgi?id=752297), this one also affects many programs including Firefox and Chromium, since they are using gdk-pixbuf primitives to implement file pickers. To reproduce this issue in Firefox, you should attach one of the uncompressed TGAs or try to open them (using Ctrl+O).

The heap overflow PoC works in a fully updated Firefox 40 and it does *not* seem to depend on memory conditions (it was tested on my netbook as well as my desktop computer), so it is an interesting case from the exploitability perspective. Fortunately, Firefox 41 (beta) mitigates this heap overflow since images with large sizes are *not* scaled and the vulnerable code is not used (https://hg.mozilla.org/integration/mozilla-inbound/rev/10e77092a656). The DoS will work in all Firefox versions.

The best way to solve these issues is to disable the TGA preview (I don't think people will complain about it).

Actual results:

It crashed. A detailed backtrace of the heap overflow is here:

Starting program: pixbuf_vuln_poc overflow.tga
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148, dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0, dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60, src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110, src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
974
(gdb) bt
#0 scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148, dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0, dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60, src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110, src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
#1 0x00002aaaaace5698 in pixops_process (dest_buf=<optimized out>, render_x0=0, render_y0=<optimized out>, render_x1=<optimized out>, render_y1=<optimized out>, dest_rowstride=<optimized out>, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, scale_x=<optimized out>, scale_y=<optimized out>, check_x=0, check_y=0, check_size=0, color1=0, color2=0, filter=0x7ffffffedc90, line_func=0x2aaaaace3c10 <scale_line>, pixel_func=0x2aaaaace49a0 <scale_pixel>) at pixops.c:1366
#2 0x00002aaaaace5f09 in _pixops_scale_real (interp_type=PIXOPS_INTERP_BILINEAR, interp_type@entry=PIXOPS_INTERP_NEAREST, scale_y=0,0068091545299791946, scale_x=0,0068060281964025283, src_has_alpha=1, src_channels=4, src_rowstride=90508, src_height=26435, src_width=22627, src_buf=0x2aaaad14f010 "", dest_has_alpha=1, dest_channels=4, dest_rowstride=616, render_y1=<optimized out>, render_x1=154, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:2230
#3 _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=154, dest_height=dest_height@entry=180, dest_rowstride=616, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, dest_x=dest_x@entry=0, dest_y=dest_y@entry=0, dest_region_width=dest_region_width@entry=154, dest_region_height=dest_region_height@entry=180, offset_x=offset_x@entry=0, offset_y=<optimized out>, scale_x=scale_x@entry=0,0068060281964025283, scale_y=scale_y@entry=0,0068091545299791946, interp_type=interp_type@entry=PIXOPS_INTERP_BILINEAR) at pixops.c:2285
#4 0x00002aaaaacdda2d in gdk_pixbuf_scale (src=0x618000, dest=0x618050, dest_x=0, dest_y=0, dest_width=154, dest_height=180, offset_x=0, offset_y=<optimized out>, scale_x=0,0068060281964025283, scale_y=0,0068091545299791946, interp_type=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:147
#5 0x00002aaaaacde07a in gdk_pixbuf_scale_simple (src=src@entry=0x618000, dest_width=154, dest_height=dest_height@entry=180, interp_type=interp_type@entry=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:321
#6 0x00002aaaaacdf340 in get_scaled_pixbuf (scaled=0x616440, pixbuf=0x618000) at gdk-pixbuf-scaled-anim.c:138
#7 0x00002aaaaacdae88 in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe36b "overflow.tga", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x7fffffffdee0) at gdk-pixbuf-io.c:1377
#8 0x00000000004007b8 in main ()
(gdb) x/i $rip
=> 0x2aaaaace3dd0 <scale_line+448>: movzbl 0x3(%rcx),%edx
(gdb) info registers
rax 0x0 0
rbx 0x94 148
rcx 0x2aaa2d6d51c4 46910394945988
rdx 0x0 0
rsi 0x4 4
rdi 0x2aab3c468c10 46914939030544
rbp 0x2aab3c468e60 0x2aab3c468e60
rsp 0x7ffffffeda18 0x7ffffffeda18
r8 0x0 0
r9 0x0 0
r10 0x0 0
r11 0x0 0
r12 0x0 0
r13 0x63ce60 6540896
r14 0x2aab3c468c10 46914939030544
r15 0x94 148
rip 0x2aaaaace3dd0 0x2aaaaace3dd0 <scale_line+448>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

And the backtrace of the DoS here:

Starting program: pixbuf_vuln_poc DoS.tga
[Depuración de hilo usando libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at io-tga.c:367
367
(gdb) bt
#0 0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at io-tga.c:367
#1 parse_data_for_row (err=0x7ffffffede28, ctx=0x614ca0) at io-tga.c:413
#2 gdk_pixbuf__tga_load_increment (data=0x614ca0, buffer=<optimized out>, size=<optimized out>, err=0x7ffffffede28) at io-tga.c:922
#3 0x00002aaaaacdca45 in gdk_pixbuf_loader_load_module (loader=loader@entry=0x60f200, image_type=image_type@entry=0x0, error=error@entry=0x7ffffffede28) at gdk-pixbuf-loader.c:445
#4 0x00002aaaaacdd2b8 in gdk_pixbuf_loader_close (loader=loader@entry=0x60f200, error=error@entry=0x7fffffffdef0) at gdk-pixbuf-loader.c:810
#5 0x00002aaaaacdae2a in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe370 "DoS.tga", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x7fffffffdef0) at gdk-pixbuf-io.c:1372
#6 0x00000000004007b8 in main ()
(gdb) x/i $rip
=> 0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>: mov 0x8(%rdx),%rdx
(gdb) info registers
rax 0x6163e0 6382560
rbx 0x614ca0 6376608
rcx 0x7 7
rdx 0x0 0
rsi 0x611b02 6363906
rdi 0x618000 6389760
rbp 0x7ffffffede28 0x7ffffffede28
rsp 0x7ffffffedd80 0x7ffffffedd80
r8 0x616200 6382080
r9 0x6163e7 6382567
r10 0x8 8
r11 0x2aaaaaf05c10 46912500685840
r12 0x0 0
r13 0x0 0
r14 0x15 21
r15 0xb 11
rip 0x2aaaacf4c384 0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
Attached file DoS.tga.gz
Attached file pixbuf_vuln_poc.c
Related to bug 1184787 and/or bug 1184009?
Group: firefox-core-security → core-security
Component: Untriaged → Widget: Gtk
Product: Firefox → Core
Flags: needinfo?(lsalzman)
Firefox backtraces (they won't add more information, nevertheless it is nice to have them):

overflow.tga

Program received signal SIGSEGV, Segmentation fault.
scale_line (weights=weights@entry=0x2aab67d5bc00, n_x=148, n_y=148, dest=dest@entry=0x2aaad3b975d0 'Z' <repetidos 200 veces>..., dest_x=dest_x@entry=0, dest_end=dest_end@entry=0x2aaad3b97834 'Z' <repetidos 200 veces>..., dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x2aaad0ecc800, src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110, src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
974 pixops.c: No existe el archivo o el directorio.
(gdb) bt
#0 scale_line (weights=weights@entry=0x2aab67d5bc00, n_x=148, n_y=148, dest=dest@entry=0x2aaad3b975d0 'Z' <repetidos 200 veces>..., dest_x=dest_x@entry=0, dest_end=dest_end@entry=0x2aaad3b97834 'Z' <repetidos 200 veces>..., dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x2aaad0ecc800, src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110, src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
#1 0x00002aaab474d698 in pixops_process (dest_buf=<optimized out>, render_x0=0, render_y0=<optimized out>, render_x1=<optimized out>, render_y1=<optimized out>, dest_rowstride=<optimized out>, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaad8a00000 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, scale_x=<optimized out>, scale_y=<optimized out>, check_x=0, check_y=0, check_size=0, color1=0, color2=0, filter=0x7ffffffead50, line_func=0x2aaab474bc10 <scale_line>, pixel_func=0x2aaab474c9a0 <scale_pixel>) at pixops.c:1366
#2 0x00002aaab474df09 in _pixops_scale_real (interp_type=PIXOPS_INTERP_BILINEAR, interp_type@entry=4294880656, scale_y=0,0068091545299791946, scale_x=0,0068060281964025283, src_has_alpha=1, src_channels=4, src_rowstride=90508, src_height=26435, src_width=22627, src_buf=0x2aaad8a00000 "", dest_has_alpha=1, dest_channels=4, dest_rowstride=616, render_y1=<optimized out>, render_x1=154, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:2230
#3 _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=154, dest_height=dest_height@entry=180, dest_rowstride=616, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaad8a00000 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, dest_x=dest_x@entry=0, dest_y=dest_y@entry=0, dest_region_width=dest_region_width@entry=154, dest_region_height=dest_region_height@entry=180, offset_x=offset_x@entry=0, offset_y=<optimized out>, scale_x=scale_x@entry=0,0068060281964025283, scale_y=scale_y@entry=0,0068091545299791946, interp_type=interp_type@entry=PIXOPS_INTERP_BILINEAR) at pixops.c:2285
#4 0x00002aaab4745a2d in gdk_pixbuf_scale (src=0x2aaad6d4db20, dest=0x2aaad5445770, dest_x=0, dest_y=0, dest_width=154, dest_height=180, offset_x=0, offset_y=<optimized out>, scale_x=0,0068060281964025283, scale_y=0,0068091545299791946, interp_type=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:147
#5 0x00002aaab474607a in gdk_pixbuf_scale_simple (src=src@entry=0x2aaad6d4db20, dest_width=154, dest_height=dest_height@entry=180, interp_type=interp_type@entry=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:321
#6 0x00002aaab4747340 in get_scaled_pixbuf (scaled=0x2aaad710a300, pixbuf=0x2aaad6d4db20) at gdk-pixbuf-scaled-anim.c:138
#7 0x00002aaab4742e88 in gdk_pixbuf_new_from_file_at_scale (filename=0x2aaad31dd180 "/tmp/tgatest/overflow.tga", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x0) at gdk-pixbuf-io.c:1377
#8 0x00002aaaaec728fa in ?? () from /usr/lib/firefox/libxul.so
#9 0x00002aaab315f3b8 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#10 0x00002aaab3170d3d in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#11 0x00002aaab3178a29 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#12 0x00002aaab3179212 in g_signal_emit_by_name () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00002aaab315f3b8 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00002aaab3170d3d in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 0x00002aaab3178a29 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#16 0x00002aaab3179212 in g_signal_emit_by_name () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00002aaab315f3b8 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#18 0x00002aaab3170d3d in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#19 0x00002aaab3178a29 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#20 0x00002aaab3179212 in g_signal_emit_by_name () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#21 0x00002aaab377e0e7 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#22 0x00002aaab37813f0 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#23 0x00002aaab315f5e7 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#24 0x00002aaab3178088 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#25 0x00002aaab3178ce2 in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#26 0x00002aaab38c92be in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#27 0x00002aaab38ccb86 in gtk_tree_view_set_cursor_on_cell () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#28 0x00002aaab3782fb6 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#29 0x00002aaab3162372 in g_cclosure_marshal_VOID__POINTERv () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#30 0x00002aaab315f5e7 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#31 0x00002aaab3178088 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#32 0x00002aaab3178ce2 in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#33 0x00002aaab379461a in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#34 0x00002aaab3f536e7 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#35 0x00002aaab3f868db in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#36 0x00002aaab3f868f9 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#37 0x00002aaab33e8ce5 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#38 0x00002aaab33e9048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#39 0x00002aaab33e90ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#40 0x00002aaaaec72638 in ?? () from /usr/lib/firefox/libxul.so
#41 0x00002aaaaec5d47b in ?? () from /usr/lib/firefox/libxul.so
#42 0x00002aaaaec5d5aa in ?? () from /usr/lib/firefox/libxul.so
#43 0x00002aaaadcc81d7 in ?? () from /usr/lib/firefox/libxul.so
#44 0x00002aaaadcd95d0 in ?? () from /usr/lib/firefox/libxul.so
#45 0x00002aaaade88df1 in ?? () from /usr/lib/firefox/libxul.so
#46 0x00002aaaade79905 in ?? () from /usr/lib/firefox/libxul.so
#47 0x00002aaaaec558b1 in ?? () from /usr/lib/firefox/libxul.so
#48 0x00002aaaaf15dcbc in ?? () from /usr/lib/firefox/libxul.so
#49 0x00002aaaaf18f35c in ?? () from /usr/lib/firefox/libxul.so
#50 0x00002aaaaf18f64d in ?? () from /usr/lib/firefox/libxul.so
#51 0x00002aaaaf18f8cd in XRE_main () from /usr/lib/firefox/libxul.so
#52 0x0000555555558711 in _start ()

DoS.tga:

Program received signal SIGSEGV, Segmentation fault.
0x00002aaad8401384 in parse_data_for_row_pseudocolor (ctx=0x2aaad5040a00) at io-tga.c:367
367 io-tga.c: No existe el archivo o el directorio.
#0 0x00002aaad8401384 in parse_data_for_row_pseudocolor (ctx=0x2aaad5040a00) at io-tga.c:367
#1 parse_data_for_row (err=0x0, ctx=0x2aaad5040a00) at io-tga.c:413
#2 gdk_pixbuf__tga_load_increment (data=0x2aaad5040a00, buffer=<optimized out>, size=<optimized out>, err=0x0) at io-tga.c:922
#3 0x00002aaab47411e1 in generic_load_incrementally (module=0x2aaac68ae9d0, f=0x2aaad8042000, error=0x0) at gdk-pixbuf-io.c:998
#4 0x00002aaab4742b42 in gdk_pixbuf_new_from_file (filename=0x2aaad806b180 "/tmp/tgatest/DoS.tga", error=0x0) at gdk-pixbuf-io.c:1096
#5 0x00002aaaaec72906 in ?? () from /usr/lib/firefox/libxul.so
#6 0x00002aaab315f3b8 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#7 0x00002aaab3170d3d in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8 0x00002aaab3178a29 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#9 0x00002aaab3179212 in g_signal_emit_by_name () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#10 0x00002aaab315f3b8 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#11 0x00002aaab3170d3d in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#12 0x00002aaab3178a29 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00002aaab3179212 in g_signal_emit_by_name () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00002aaab315f3b8 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 0x00002aaab3170d3d in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#16 0x00002aaab3178a29 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00002aaab3179212 in g_signal_emit_by_name () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#18 0x00002aaab377e0e7 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#19 0x00002aaab37813f0 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#20 0x00002aaab315f5e7 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#21 0x00002aaab3178088 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#22 0x00002aaab3178ce2 in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#23 0x00002aaab38c92be in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#24 0x00002aaab38cd868 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#25 0x00002aaab37d5815 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#26 0x00002aaab315f3b8 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#27 0x00002aaab3170afb in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#28 0x00002aaab31786f9 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#29 0x00002aaab3178ce2 in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#30 0x00002aaab38e5684 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#31 0x00002aaab37d3fc4 in gtk_propagate_event () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#32 0x00002aaab37d437b in gtk_main_do_event () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#33 0x00002aaab42d21ec in ?? () from /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0
#34 0x00002aaab33e8e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#35 0x00002aaab33e9048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#36 0x00002aaab33e90ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00002aaaaec72638 in ?? () from /usr/lib/firefox/libxul.so
#38 0x00002aaaaec5d47b in ?? () from /usr/lib/firefox/libxul.so
#39 0x00002aaaaec5d57c in ?? () from /usr/lib/firefox/libxul.so
#40 0x00002aaaadcc81d7 in ?? () from /usr/lib/firefox/libxul.so
#41 0x00002aaaadcd95d0 in ?? () from /usr/lib/firefox/libxul.so
#42 0x00002aaaade88da2 in ?? () from /usr/lib/firefox/libxul.so
#43 0x00002aaaade79905 in ?? () from /usr/lib/firefox/libxul.so
#44 0x00002aaaaec558b1 in ?? () from /usr/lib/firefox/libxul.so
#45 0x00002aaaaf15dcbc in ?? () from /usr/lib/firefox/libxul.so
#46 0x00002aaaaf18f35c in ?? () from /usr/lib/firefox/libxul.so
#47 0x00002aaaaf18f64d in ?? () from /usr/lib/firefox/libxul.so
#48 0x00002aaaaf18f8cd in XRE_main () from /usr/lib/firefox/libxul.so
#49 0x0000555555558711 in _start ()
Flags: needinfo?(lsalzman)
(In reply to Benjamin Smedberg [:bsmedberg] from comment #3)
> Related to bug 1184787 and/or bug 1184009?

I will look into this and try to evaluate what is going on. I would just advise caution before jumping to conclusions as to how security critical this is, as in the end it only seems to be affecting the file picker on Linux.
Whiteboard: [gfx-noted]
Flags: sec-bounty?
The crash happens because pseudocolor TGAs access the colormap, but do not actually verify the colormap was allocated before they do so. So a TGA crafted to use pseudocolor but indicate no colormap will cause the file picker to crash. The only sane workaround for right now is to just avoid previews of TGAs, as noted. In the future we probably just want to get rid of gdk-pixbuf's internal image loaders entirely and use our image lib, but for now this will have to do. It is possible to imagine there might be other format bugs in their image loaders, and rather than fight the image loader hydra with a thousand heads, it would be better to just obviate the need to use it. But again, for now, a spot fix at least for this issue...
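The header-level check that the comment above describes as missing (pseudocolor image type with no colormap behind it), written out as an added example. This is not gdk-pixbuf's io-tga.c nor Firefox code; the struct and enum names, the 256 MiB preview budget, and the `tga_build_header` helper are this example's own choices. It validates the fixed 18-byte TGA header before any pixel data is decoded, rejects a colour-mapped image whose colormap fields say there is no colormap, and bounds the decoded RGBA size in 64-bit arithmetic so that dimensions like the 22627x26435 in the backtraces above are refused instead of allocated and scaled.

```c
/* Added example, not gdk-pixbuf or Firefox code: defensive TGA header validation. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TGA_HEADER_LEN 18

/* Standard TGA image type codes. */
enum {
    TGA_TYPE_CMAP     = 1,   /* uncompressed colour-mapped ("pseudocolor") */
    TGA_TYPE_RGB      = 2,
    TGA_TYPE_GRAY     = 3,
    TGA_TYPE_CMAP_RLE = 9,
    TGA_TYPE_RGB_RLE  = 10,
    TGA_TYPE_GRAY_RLE = 11
};

/* Validation outcomes (names are this example's own). */
enum tga_status {
    TGA_OK = 0,
    TGA_ERR_SHORT,          /* fewer than 18 header bytes available */
    TGA_ERR_TYPE,           /* unknown image type */
    TGA_ERR_DIMENSIONS,     /* zero width or height */
    TGA_ERR_NO_COLORMAP,    /* pseudocolor image but header declares no colormap */
    TGA_ERR_COLORMAP,       /* colormap entry size not 15/16/24/32 bits */
    TGA_ERR_DEPTH,          /* pixel depth not valid for the image type */
    TGA_ERR_TOO_LARGE       /* decoded RGBA buffer would exceed the caller's budget */
};

struct tga_header {
    uint8_t  id_len, cmap_type, image_type;
    uint16_t cmap_first, cmap_len;
    uint8_t  cmap_entry_bits;
    uint16_t x_origin, y_origin, width, height;
    uint8_t  pixel_bits, descriptor;
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the fixed 18-byte header. Returns 0 on success, -1 if the buffer is too short. */
int tga_parse_header(const uint8_t *buf, size_t len, struct tga_header *h)
{
    if (len < TGA_HEADER_LEN) return -1;
    h->id_len = buf[0]; h->cmap_type = buf[1]; h->image_type = buf[2];
    h->cmap_first = rd16le(buf + 3); h->cmap_len = rd16le(buf + 5);
    h->cmap_entry_bits = buf[7];
    h->x_origin = rd16le(buf + 8); h->y_origin = rd16le(buf + 10);
    h->width = rd16le(buf + 12); h->height = rd16le(buf + 14);
    h->pixel_bits = buf[16]; h->descriptor = buf[17];
    return 0;
}

/* Consistency check; max_bytes bounds the decoded 4-channel buffer. */
enum tga_status tga_validate(const uint8_t *buf, size_t len, uint64_t max_bytes)
{
    struct tga_header h;
    int pseudocolor;
    if (tga_parse_header(buf, len, &h) != 0) return TGA_ERR_SHORT;
    if (h.width == 0 || h.height == 0) return TGA_ERR_DIMENSIONS;

    switch (h.image_type) {
    case TGA_TYPE_CMAP: case TGA_TYPE_CMAP_RLE: pseudocolor = 1; break;
    case TGA_TYPE_RGB:  case TGA_TYPE_RGB_RLE:
    case TGA_TYPE_GRAY: case TGA_TYPE_GRAY_RLE: pseudocolor = 0; break;
    default: return TGA_ERR_TYPE;
    }

    if (pseudocolor) {
        /* Every pixel is an index into the colormap, so a colormap must be declared
           up front; this is exactly the assumption the crash in this bug violated. */
        if (h.cmap_type != 1 || h.cmap_len == 0) return TGA_ERR_NO_COLORMAP;
        if (h.cmap_entry_bits != 15 && h.cmap_entry_bits != 16 &&
            h.cmap_entry_bits != 24 && h.cmap_entry_bits != 32) return TGA_ERR_COLORMAP;
        if (h.pixel_bits != 8) return TGA_ERR_DEPTH;   /* 8-bit indices only (example policy) */
    } else if (h.image_type == TGA_TYPE_GRAY || h.image_type == TGA_TYPE_GRAY_RLE) {
        if (h.pixel_bits != 8) return TGA_ERR_DEPTH;
    } else {
        if (h.pixel_bits != 16 && h.pixel_bits != 24 && h.pixel_bits != 32) return TGA_ERR_DEPTH;
    }

    /* Size bound computed in 64 bits so width * height * 4 cannot wrap. */
    uint64_t rgba_bytes = (uint64_t)h.width * (uint64_t)h.height * 4u;
    if (rgba_bytes > max_bytes) return TGA_ERR_TOO_LARGE;
    return TGA_OK;
}

/* Build an 18-byte header from the fields this example cares about (constructed test data). */
void tga_build_header(uint8_t out[TGA_HEADER_LEN], uint8_t cmap_type, uint8_t image_type,
                      uint16_t cmap_len, uint8_t cmap_entry_bits,
                      uint16_t width, uint16_t height, uint8_t pixel_bits)
{
    memset(out, 0, TGA_HEADER_LEN);
    out[1] = cmap_type; out[2] = image_type;
    out[5] = (uint8_t)(cmap_len & 0xff); out[6] = (uint8_t)(cmap_len >> 8);
    out[7] = cmap_entry_bits;
    out[12] = (uint8_t)(width & 0xff);  out[13] = (uint8_t)(width >> 8);
    out[14] = (uint8_t)(height & 0xff); out[15] = (uint8_t)(height >> 8);
    out[16] = pixel_bits;
}

int main(void)
{
    uint8_t hdr[TGA_HEADER_LEN];
    const uint64_t budget = 256u << 20;   /* 256 MiB preview budget, example policy */

    tga_build_header(hdr, 1, TGA_TYPE_CMAP, 256, 24, 16, 16, 8);
    printf("pseudocolor with colormap: %d\n", tga_validate(hdr, sizeof hdr, budget));
    tga_build_header(hdr, 0, TGA_TYPE_CMAP, 0, 0, 16, 16, 8);
    printf("pseudocolor, no colormap:  %d\n", tga_validate(hdr, sizeof hdr, budget));
    tga_build_header(hdr, 0, TGA_TYPE_RGB, 0, 0, 22627, 26435, 32);
    printf("22627x26435 truecolor:     %d\n", tga_validate(hdr, sizeof hdr, budget));
    return 0;
}
```

The validator runs before the loader touches pixel data, which is the cheapest place to refuse the two shapes of file in this report: the TGA_ERR_NO_COLORMAP case is the crash in parse_data_for_row_pseudocolor, and the TGA_ERR_TOO_LARGE case is the input that later reached the scaler with src_width=22627 and src_height=26435. A budget for previews is a policy choice; the point is that it is enforced with overflow-safe arithmetic rather than trusting the header.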
Attachment #8659571 - Flags: review?(andrew)
Assignee: nobody → lsalzman
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment on attachment 8659571 [details] [diff] [review]
don't load tgas with gtk file picker

Review of attachment 8659571 [details] [diff] [review]:
-----------------------------------------------------------------

We already have a mechanism for disabling GDK-PixBuf loaders from bug 1197059; https://mxr.mozilla.org/mozilla-central/source/widget/gtk/nsAppShell.cpp#110 I think we should change the logic there to disable the tga loader as well. The GDK-PixBuf module name we're looking for is just 'tga'.
Attachment #8659571 - Flags: review?(andrew) → review-
Better version that uses the pre-existing gdk-pixbuf format disabling code as requested by Andrew.
Attachment #8659571 - Attachment is obsolete: true
Attachment #8659580 - Flags: review?(andrew)
Comment on attachment 8659580 [details] [diff] [review]
disable tga loading with gdk-pixbuf

Review of attachment 8659580 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me, thanks!
Attachment #8659580 - Flags: review?(andrew) → review+
Comment on attachment 8659580 [details] [diff] [review]
disable tga loading with gdk-pixbuf

[Security approval request comment]

> How easily could an exploit be constructed based on the patch?

Fairly easily, just make a pseudocolor TGA and zero out the colormap field. This could then only be used to hypothetically access the first 0..1028 bytes of memory in the address space, which will almost certainly just crash. Effectively this is just a null pointer dereference so wouldn't be a very useful exploit.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

The patch wouldn't tell you what type of TGA to construct to expose the problem, but it does highlight that there are problems with the TGA code. If you're willing to waste a lot of time and use a fuzzer you might be able to guess.

> Which older supported branches are affected by this flaw?

Everything down to and including 38.

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Patch depends on a previous recent commit (376965bcb1f7, as of August 26, 2015) by Andrew Comminos in bug 1197059, so it could only be backported if his fix was also backported.

> How likely is this patch to cause regressions; how much testing does it need?

Unlikely, just adds one extra name check to an existing format disabling mechanism.
Attachment #8659580 - Flags: sec-approval?
OS: Unspecified → Linux
Group: core-security → gfx-core-security
Depends on: CVE-2015-7216
Comment on attachment 8659580 [details] [diff] [review]
disable tga loading with gdk-pixbuf

Is this sufficient? For instance I notice another project is blocking these and in addition the "icns" format: https://github.com/linuxmint/cinnamon-desktop/commit/f7927e9a8201761b6654955739e87b93d3695169

I've been having trouble finding a list of image formats that are typically supported, but as Gustavo points out in email libtiff has been having a bad time lately and who knows about other formats. A better approach would be to whitelist formats we think are likely to be stable and well tested enough. As a quick guess perhaps we only want jpeg, gif, and png, as common "web" formats. Maybe add ico and bmp as common Windows formats that sometimes get shared. (yes, we've had bugs in even those formats, and Gustavo also mentioned a bug in one of them that doesn't appear to affect Firefox... but unless we want to turn off the feature entirely that's probably a minimal set. I personally would love to just turn off that feature, or have a switch so more security-focused Firefox variants like the Tor Browser can do so.)
Flags: needinfo?(lsalzman)
Different approach - whitelisting. This whitelists only the common image formats our image lib focuses on (the ones Daniel mentioned): jpeg, png, gif, bmp, ico. Anything else, not worth the hassle or the risk given the crop of vulnerabilities that are turning up. Hopefully this addresses Daniel's concerns.
Attachment #8659580 - Attachment is obsolete: true
Attachment #8659580 - Flags: sec-approval?
Flags: needinfo?(lsalzman)
Attachment #8659725 - Flags: review?(dveditz)
Attachment #8659725 - Flags: review?(andrew)
Comment on attachment 8659725 [details] [diff] [review]
whitelist gdk-pixbuf image formats

Review of attachment 8659725 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.
Attachment #8659725 - Flags: review?(andrew) → review+
Comment on attachment 8659725 [details] [diff] [review] whitelist gdk-pixbuf image formats Review of attachment 8659725 [details] [diff] [review]: ----------------------------------------------------------------- Thanks, this is much safer. -Dan Veditz ::: widget/gtk/nsAppShell.cpp @@ +111,5 @@ > GSList* pixbufFormats = gdk_pixbuf_get_formats(); > for (GSList* iter = pixbufFormats; iter; iter = iter->next) { > GdkPixbufFormat* format = static_cast<GdkPixbufFormat*>(iter->data); > gchar* name = gdk_pixbuf_format_get_name(format); > + if (strcmp(name, "jpeg") && I couldn't find a documented list of what format strings gdk_pixbuf uses (and don't have a linux to try it on). I was guessing "jpeg" given the use of "jpeg2000" but I hope you've confirmed it's this and not "jpg".
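Review bot: the quoted hunk stops at `+ if (strcmp(name, "jpeg") &&`, so neither the rest of the comparison chain (png, gif, bmp, ico per the patch description) nor what happens to a format that matches none of them is visible here; the whitelist should carry a comment at the top of the loop naming the allowed formats and referencing this bug and bug 1197059, so the list is not widened later without anyone noticing why it exists. Two smaller points on the visible lines: `gchar* name = gdk_pixbuf_format_get_name(format);` returns a newly allocated string, so `name` needs a `g_free()` once the comparisons are done unless a later line already frees it, and the `strcmp` chain is an exact, case-sensitive match, which is the right behaviour for loader names but worth stating next to the condition since the names come from each loader's own source rather than a documented list.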
Attachment #8659725 - Flags: review?(dveditz) → review+
(In reply to Daniel Veditz [:dveditz] from comment #15) > Comment on attachment 8659725 [details] [diff] [review] > whitelist gdk-pixbuf image formats > > Review of attachment 8659725 [details] [diff] [review]: > ----------------------------------------------------------------- > > Thanks, this is much safer. > -Dan Veditz > > ::: widget/gtk/nsAppShell.cpp > @@ +111,5 @@ > > GSList* pixbufFormats = gdk_pixbuf_get_formats(); > > for (GSList* iter = pixbufFormats; iter; iter = iter->next) { > > GdkPixbufFormat* format = static_cast<GdkPixbufFormat*>(iter->data); > > gchar* name = gdk_pixbuf_format_get_name(format); > > + if (strcmp(name, "jpeg") && > > I couldn't find a documented list of what format strings gdk_pixbuf uses > (and don't have a linux to try it on). I was guessing "jpeg" given the use > of "jpeg2000" but I hope you've confirmed it's this and not "jpg". Yes, I checked the source code for each gdk-pixbuf loader to confirm the name of the formats and then tested locally to make sure the files showed up in the preview window.
Keywords: checkin-needed
Depends on: 1205741
A note here regarding bug 1205741: the GNOME documentation lists PNG, XPM, and SVG as its supported icon formats. Indeed, we ran into several themes where SVG not being loaded was an issue. We just need to keep an eye on the security status of SVG loading and gdk-pixbuf and librsvg2 (which provides it) in the future.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
(In reply to Lee Salzman [:eihrul] from comment #18)
> We just need to keep an eye on the
> security status of SVG loading and gdk-pixbuf and librsvg2 (which provides
> it) in the future.

We are aiming our fuzzer to SVG right now..
Flags: sec-bounty? → sec-bounty+
Group: gfx-core-security → core-security-release
Depends on: 1209017
Whiteboard: [gfx-noted] → [gfx-noted][adv-main43+]
I was unable to reproduce this issue on Firefox 40 RC build 5, Firefox 43.0a1 (2015-09-15) and Firefox 41.0.2 build 2 under Ubuntu 12.04 64-bit, Ubuntu 14.04 32-bit and Ubuntu 14.04 64-bit. Gustavo, since you've reproduced this bug, could you please confirm that it's fixed now?
Flags: needinfo?(gustavo.grieco)
Sure, I will have the results for tomorrow. Is it ok?
Alias: CVE-2015-7217
I can confirm TGA images are no longer previewed in Firefox 43.09b. This issue is fixed, great job!
Flags: needinfo?(gustavo.grieco)
Thanks Gustavo for your testing! Based on Comment 23, I am marking this bug as Verified Fixed.
Status: RESOLVED → VERIFIED
Group: core-security-release