Bugzilla – Bug 983436
VUL-0: CVE-2016-5318: tiff: stackoverflow in thumbnail
Last modified: 2018-10-19 15:37:44 UTC
CVE-2016-5318

#####################################
1) stack buffer overflow in thumbnail
#####################################

Memory corruption bugs can be triggered when the thumbnail function _TIFFVGetField handles a maliciously crafted tiff file; this will cause the target application to crash.

overview:

alloc workflow:
  thumbnail.c:147

read workflow:
  --> thumbnail.c:124 // if (!cpIFD(in, out) || !TIFFWriteDirectory(out))
  --> thumbnail.c:373 // cpTags(in, out)
  --> thumbnail.c:297 // cpTag(in, out, p->tag, p->count, p->type)
  --> thumbnail.c:152 // CopyField(tag, shortv)
  --> tif_dir.c:1158  // status = TIFFVGetField(tif, tag, ap);
  --> tif_dir.c:1174  // return (fip && (isPseudoTag(tag) || TIFFFieldSet(tif, fip->field_bit)) ? (*tif->tif_tagmethods.vgetfield)(tif, tag, ap) : 0);
  --> tif_dir.c:1053  // *va_arg(ap, uint32*) = (uint32)tv->count;

my gdb log is as follows:

1) gdb --args thumbnail poc1.tiff out.tiff // crash

Program received signal SIGSEGV, Segmentation fault.
0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073
1073            *va_arg(ap, void **) = tv->value;
(gdb) p tv->value
$1 = (void *) 0x651240
(gdb) info registers
rax            0x1      1
rbx            0x147    327
rcx            0x0      0
rdx            0x651240 6623808
rsi            0x147    327
rdi            0x7fffffffdc30   140737488346160
rbp            0x7fffffffdca8   0x7fffffffdca8
rsp            0x7fffffffdc70   0x7fffffffdc70
r8             0x3      3
r9             0x7ffff7acd7b8   140737348687800
r10            0x2      2
r11            0x0      0
r12            0x6512e0 6623968
r13            0x651120 6623520
r14            0x6605c0 6686144
r15            0x650010 6619152
rip            0x404c90 0x404c90 <_TIFFVGetField+4784>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/i $rip
=> 0x404c90 <_TIFFVGetField+4784>:      mov    %rdx,(%rax)
(gdb) x/x $ebx
0x147:  Cannot access memory at address 0x147
(gdb) bt
#0  0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073
#1  0x0000000000407177 in TIFFGetField (tif=<optimized out>, tag=tag@entry=327) at tif_dir.c:1158
#2  0x00000000004023a9 in cpTag (in=in@entry=0x650930, out=out@entry=0x650010, tag=327, count=<optimized out>, type=<optimized out>) at thumbnail.c:152
#3  0x00000000004019fb in cpTags (out=<optimized out>, in=<optimized out>) at thumbnail.c:297
#4  cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:373
#5  main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:124
(gdb)

2) gdb thumbnail

b main
b thumbnail.c:124   // 124, if (!cpIFD(in, out) || !TIFFWriteDirectory(out)), this function is called many times
b thumbnail.c:373
b thumbnail.c:297
b thumbnail.c:152   // 152, CopyField(tag, shortv);
b tif_dir.c:1158    // 1158, status = TIFFVGetField(tif, tag, ap), this function is called many times
b tif_dir.c:1073
r poc1.tiff out.tiff

(gdb) r poc1.tiff out.tiff
Starting program: /usr/local/bin/thumbnail poc1.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 128 (0x80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4608 (0x1200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5888 (0x1700) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8960 (0x2300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18247 (0x4747) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 327 (0x147) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5146 (0x141a) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "ModeNumber"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectory: Warning, Ignoring ColorMap since BitsPerSample tag not found.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
......
......

Breakpoint 1, TIFFGetField (tif=0x650930, tag=tag@entry=305) at tif_dir.c:1158
1158            status = TIFFVGetField(tif, tag, ap);
(gdb) bt
#0  TIFFGetField (tif=0x650930, tag=tag@entry=305) at tif_dir.c:1158
#1  0x0000000000402231 in cpTag (in=in@entry=0x650930, out=out@entry=0x650010, tag=tag@entry=305, count=count@entry=65535, type=type@entry=TIFF_ASCII) at thumbnail.c:205
#2  0x000000000040192e in generateThumbnail (out=0x650010, in=0x650930) at thumbnail.c:645
#3  main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:122
(gdb) c
Continuing.

Breakpoint 1, TIFFGetField (tif=0x650930, tag=tag@entry=270) at tif_dir.c:1158
1158            status = TIFFVGetField(tif, tag, ap);
(gdb) bt
#0  TIFFGetField (tif=0x650930, tag=tag@entry=270) at tif_dir.c:1158
#1  0x0000000000402231 in cpTag (in=in@entry=0x650930, out=out@entry=0x650010, tag=tag@entry=270, count=count@entry=65535, type=type@entry=TIFF_ASCII) at thumbnail.c:205
#2  0x0000000000401949 in generateThumbnail (out=0x650010, in=0x650930) at thumbnail.c:646
#3  main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:122
......
......

Breakpoint 1, TIFFGetField (tif=tif@entry=0x650930, tag=tag@entry=259) at tif_dir.c:1158
1158            status = TIFFVGetField(tif, tag, ap);
......
......
(gdb) c
Continuing.

Breakpoint 1, TIFFGetField (tif=0x650930, tag=tag@entry=327) at tif_dir.c:1158
1158            status = TIFFVGetField(tif, tag, ap);
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073
1073            *va_arg(ap, void **) = tv->value;
(gdb) c

When tag=tag@entry=327, the crash happens.

3) If we set a breakpoint at tif_dir.c:1073

Program received signal SIGSEGV, Segmentation fault.
0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073
1073            *va_arg(ap, void **) = tv->value;
(gdb) bt
#0  0x0000000000404c90 in _TIFFVGetField (tif=<optimized out>, tag=327, ap=0x7fffffffdca8) at tif_dir.c:1073
#1  0x0000000000407177 in TIFFGetField (tif=<optimized out>, tag=tag@entry=327) at tif_dir.c:1158
#2  0x00000000004023a9 in cpTag (in=in@entry=0x650930, out=out@entry=0x650010, tag=327, count=<optimized out>, type=<optimized out>) at thumbnail.c:152
#3  0x00000000004019fb in cpTags (out=<optimized out>, in=<optimized out>) at thumbnail.c:297
#4  cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:373
#5  main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:124
(gdb) list tif_dir.c:1073
1068            if (fip->field_type == TIFF_ASCII
1069                || fip->field_readcount == TIFF_VARIABLE
1070                || fip->field_readcount == TIFF_VARIABLE2
1071                || fip->field_readcount == TIFF_SPP
1072                || tv->count > 1) {
1073                *va_arg(ap, void **) = tv->value;   // tv->value
1074                ret_val = 1;
1075            } else {
1076                char *val = (char *)tv->value;
1077                assert( tv->count == 1 );
(gdb)

The memory error can be detected by ASan; the log is as follows:

==31486==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfabce80 at pc 0x8058db9 bp 0xbfabcc98 sp 0xbfabcc8c
WRITE of size 4 at 0xbfabce80 thread T0
    #0 0x8058db8 in _TIFFVGetField /root/AFL/bin/tiff-4.0.6-ASAN/libtiff/tif_dir.c:1053
    #1 0x8059dae in TIFFVGetField /root/AFL/bin/tiff-4.0.6-ASAN/libtiff/tif_dir.c:1174
    #2 0x8059c25 in TIFFGetField /root/AFL/bin/tiff-4.0.6-ASAN/libtiff/tif_dir.c:1158
    #3 0x80499b1 in cpTag /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:152
    #4 0x804a0e6 in cpTags /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:297
    #5 0x804a776 in cpIFD /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:373
    #6 0x8049808 in main /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:124
    #7 0xb70a0a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #8 0x80492d0 (/root/AFL/bin/tiff-4.0.6-ASAN/tools/crashes/thumbnail+0x80492d0)

Address 0xbfabce80 is located in stack of thread T0 at offset 96 in frame
    #0 0x8049885 in cpTag /root/AFL/bin/tiff-4.0.6-ASAN/tools/thumbnail.c:147

  This frame has 7 object(s):
    [32, 34) 'shortv1'
    [96, 98) 'shortv1' <== Memory access at offset 96 partially overflows this variable
    [160, 164) 'tr'
    [224, 228) 'tg'
    [288, 292) 'tb'
    [352, 356) 'doubleav'
    [416, 424) 'ifd8'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/AFL/bin/tiff-4.0.6-ASAN/libtiff/tif_dir.c:1053 _TIFFVGetField
Shadow bytes around the buggy address:
  0x37f57980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f57990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f579a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x37f579b0: f1 f1 04 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
  0x37f579c0: 00 00 00 00 f1 f1 f1 f1 02 f4 f4 f4 f2 f2 f2 f2
=>0x37f579d0:[02]f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x37f579e0: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x37f579f0: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f3 f3 f3 f3
  0x37f57a00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x37f57a10: 02 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x37f57a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==31486==ABORTING

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5318
http://seclists.org/oss-sec/2016/q2/486
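Added illustration, not code from the report or from libtiff: a constructed C model of the mismatch the report walks through. The getter's va_list layout is fixed by the field definition (for count-carrying fields a uint32 count and then a pointer, as at tif_dir.c:1053 and :1073), while cpTag supplied a uint16 local chosen from the directory entry's type; the checked copy below consults the definition before handing over a short. The Field struct, the constant values and all function names are assumptions of this model, not libtiff's API.

```c
#include <stdarg.h>
#include <stdint.h>
/* Constructed model (not libtiff's code) of the contract behind this bug:
 * the getter picks the va_list layout from the field definition, while
 * thumbnail.c's cpTag picks the destination from the directory entry type. */
#define TIFF_VARIABLE2 (-3)
enum { T_SHORT = 3, T_LONG = 4 };

typedef struct {
    uint32_t tag, count;          /* count: number of stored values */
    int readcount, passcount;     /* passcount: getter emits count + pointer */
    int type;
    void *value;
} Field;

/* Model of _TIFFVGetField: for passcount fields it writes a 32-bit count
 * and then a pointer (tif_dir.c:1053 and :1073 in the report), so a uint16
 * local supplied for the first slot is overflowed by two bytes. */
static int model_getfield(const Field *f, ...)
{
    va_list ap;
    va_start(ap, f);
    if (f->passcount) {
        *va_arg(ap, uint32_t *) = f->count;
        *va_arg(ap, void **) = f->value;
    } else if (f->type == T_SHORT) {
        *va_arg(ap, uint16_t *) = *(const uint16_t *)f->value;
    } else {
        *va_arg(ap, uint32_t *) = *(const uint32_t *)f->value;
    }
    va_end(ap);
    return 1;
}

/* Hardened CopyField for a 16-bit destination: call the getter only when
 * the field definition delivers exactly one uint16; otherwise refuse. */
int copy_short_checked(const Field *f, uint16_t *dst)
{
    if (f->passcount || f->readcount != 1 || f->type != T_SHORT)
        return 0;                 /* layout mismatch: refused, dst untouched */
    return model_getfield(f, dst);
}

/* Constructed inputs: Compression (259) as a plain short, and unknown tag 327
 * registered as variable-count with passcount, as in the report. */
int run_demo(void)
{
    static uint16_t compression = 5, anon_vals[3] = {1, 2, 3};
    Field normal = {259, 1, 1, 0, T_SHORT, &compression};
    Field anon   = {327, 3, TIFF_VARIABLE2, 1, T_SHORT, anon_vals};
    uint16_t dst = 0;
    int ok = copy_short_checked(&normal, &dst) && dst == 5;
    return ok && !copy_short_checked(&anon, &dst) && dst == 5;   /* returns 1 */
}
```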
Created attachment 679824 [details]
poc1.tiff

QA REPRODUCER:

thumbnail poc1.tiff foo.tiff

should not segfault.
bugbot adjusting priority
seems similar if not the same as bug 974621
SUSE-SU-2018:0073-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1017690,1069213,960341,969783,983436
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-5318,CVE-2017-16232
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): tiff-4.0.9-44.7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): tiff-4.0.9-44.7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): tiff-4.0.9-44.7.1
SUSE Linux Enterprise Server 12-SP3 (src): tiff-4.0.9-44.7.1
SUSE Linux Enterprise Server 12-SP2 (src): tiff-4.0.9-44.7.1
SUSE Linux Enterprise Desktop 12-SP3 (src): tiff-4.0.9-44.7.1
SUSE Linux Enterprise Desktop 12-SP2 (src): tiff-4.0.9-44.7.1
openSUSE-SU-2018:0097-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1017690,1069213,960341,969783,983436
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-5318,CVE-2017-16232
Sources used:
openSUSE Leap 42.3 (src): tiff-4.0.9-24.1
openSUSE Leap 42.2 (src): tiff-4.0.9-17.9.1
Is this one already fixed?
According to our tracking, SLE10/SLE11 are still missing.
It was solved for SLE12 by bumping the version to 4.0.9. For the other codestreams this needs to be fixed/backported.

Original upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2561.

It has been fixed upstream (along with several other CVEs) in the following upstream commit:
https://gitlab.com/libtiff/libtiff/commit/6281927e03aed3fdaac4c25e1cd1a5ff7232bcd8

According to the commit message this fixes:
- CVE-2016-10095
- CVE-2015-7554
- CVE-2016-5318
- CVE-2014-8128
BEFORE

12/tiff

$ valgrind -q thumbnail poc1.tiff foo.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 128 (0x80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4608 (0x1200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5888 (0x1700) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8960 (0x2300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18247 (0x4747) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 327 (0x147) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5146 (0x141a) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "ModeNumber"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectory: Warning, Ignoring ColorMap since BitsPerSample tag not found.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
rastersize=2176
TIFFFillStrip: Read error on strip 0; got 399 bytes, expected 2176.
bpr=68, sy=0, bpr*sy=0
==16699== Use of uninitialised value of size 8
==16699==    at 0x10A17D: setrow (thumbnail.c:525)
==16699==    by 0x10A17D: setImage1 (thumbnail.c:581)
==16699==    by 0x109985: setImage (thumbnail.c:591)
==16699==    by 0x109985: generateThumbnail (thumbnail.c:633)
==16699==    by 0x109985: main (thumbnail.c:122)
==16699==
bpr=68, sy=0, bpr*sy=0
bpr=68, sy=0, bpr*sy=0
[...]
bpr=68, sy=31, bpr*sy=2108
TIFFReadRawStrip: Read error at scanline 4294967295, strip 0; got 399 bytes, expected 2176.
$

[no segfault or invalid read or write]

11/tiff

$ valgrind -q thumbnail poc1.tiff foo.tiff
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, poc1.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 128 (0x80) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 4608 (0x1200) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 5888 (0x1700) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 8960 (0x2300) encountered.
TIFFReadDirectory: Warning, poc1.tiff: wrong data type 1024 for "Tag 5888"; tag ignored.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 18247 (0x4747) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 327 (0x147) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 5146 (0x141a) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 405 (0x195) encountered.
TIFFReadDirectory: Warning, poc1.tiff: wrong data type 3 for "TileOffsets"; tag ignored.
TIFFReadDirectory: Warning, poc1.tiff: wrong data type 3 for "Software"; tag ignored.
MissingRequired: poc1.tiff: TIFF directory is missing required "StripOffsets" field.
$

[no issues observed]

PATCH

see comment 8

12/tiff: patch already in
10sp3,11/tiff: needs to be fixed

AFTER

11/tiff

$ valgrind -q thumbnail poc1.tiff foo.tiff
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, poc1.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 128 (0x80) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 4608 (0x1200) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 5888 (0x1700) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 8960 (0x2300) encountered.
TIFFReadDirectory: Warning, poc1.tiff: wrong data type 1024 for "Tag 5888"; tag ignored.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 18247 (0x4747) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 327 (0x147) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 5146 (0x141a) encountered.
TIFFReadDirectory: Warning, poc1.tiff: unknown field with tag 405 (0x195) encountered.
TIFFReadDirectory: Warning, poc1.tiff: wrong data type 3 for "TileOffsets"; tag ignored.
TIFFReadDirectory: Warning, poc1.tiff: wrong data type 3 for "Software"; tag ignored.
MissingRequired: poc1.tiff: TIFF directory is missing required "StripOffsets" field.
$

[no change]

Even if we cannot verify with the testcase that the issue is fixed by the patch, we take into account that upstream tags the patch in comment 6 as the fix for this CVE. Therefore, let us consider 11/tiff affected BEFORE and fixed AFTER this patch.
Will be submitted for 11/tiff and 10sp3/tiff.
I believe this is fixed in sr#162981 and sr#162982. Michael, after you review my changes and statements here, feel free to accept these submit requests and resubmit them as a maintenance request. As soon as such a maintenance request is created, the bug can be assigned to the security team.
SR#164509 SLE-10-SP3
SR#164510 SLE-11
SUSE-SU-2018:1179-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1007280,1011107,1011845,1017688,1017690,1017691,1017692,1031255,1046077,1048937,1074318,960341,983436
CVE References: CVE-2015-7554,CVE-2016-10095,CVE-2016-10268,CVE-2016-3945,CVE-2016-5318,CVE-2016-5652,CVE-2016-9453,CVE-2016-9536,CVE-2017-11335,CVE-2017-17973,CVE-2017-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.3.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.3.1
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-05-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64038
released