Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DoS: Crash when loading crafted images #233

Open
evanrichter opened this issue Sep 15, 2022 · 0 comments
Open

DoS: Crash when loading crafted images #233

evanrichter opened this issue Sep 15, 2022 · 0 comments

Comments

@evanrichter
Copy link

I set up some simple fuzzing for sn0int in my fork, targeting image loading, and found a few issues you may find security relevant.

crashes.tar.gz

crash-16* and oom-47* cause allocation failure which immediately terminates the process, while crash-32* is an integer overflow. These issues should be fixed by the latest image crate version, so hopefully a dependency upgrade is simple.

oom-96* seems to be the same root cause as image-rs/image#1748 with mitigations added in this merge: image-rs/image-png#353, but I think sn0int will need to use the Limits api for that to take effect.

Stacktrace: oom-47988b9562c06a826c5503b6f65bc27a93f9cc62 
==541042== ERROR: libFuzzer: out-of-memory (malloc(13083149316))
    #17 0x557368c13063 in image::image::decoder_to_vec::h7cd41838256519f3 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/image.rs:490:19
    #18 0x557368ca2bf2 in image::dynimage::decoder_to_image::h75353bc00306555d /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/dynimage.rs:1117:23
    #19 0x557368c07cac in image::dynimage::DynamicImage::from_decoder::hc2a723107ae85155 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/dynimage.rs:194:9
    #20 0x557368c07cac in image::io::free_functions::load::hfb63e77f4780b588 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/io/free_functions.rs:67:36
    #21 0x557369186442 in image::dynimage::load_from_memory_with_format::h803ad8ee200dbbfa sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #22 0x557369186442 in sn0int_std::gfx::load::h5df31f821b037c62 sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #23 0x5573684218cc in rust_fuzzer_test_input sn0int/sn0int-std/fuzz/fuzz_targets/image_load.rs:8:13
Stacktrace: crash-16e09653a6ced483db6215e4a922a061b580846d 
==550165==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7544fa0000 bytes
    #7 0x560d2c1dcc4f in alloc::vec::from_elem::hbf6ab617103d0739 /rustc/9067d5277d10f0f32a49ec9c125a33828e26a32b/library/alloc/src/vec/mod.rs:2457:5
    #8 0x560d2c1dcc4f in image::image::decoder_to_vec::h62f36f795519b5f5 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/image.rs:490:19
    #9 0x560d2c279014 in image::dynimage::decoder_to_image::hc52467439a01cf50 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/dynimage.rs:1112:23
    #10 0x560d2c1d380f in image::dynimage::DynamicImage::from_decoder::h6775414ccbd6e795 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/dynimage.rs:194:9
    #11 0x560d2c1d380f in image::io::free_functions::load::hfb63e77f4780b588 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/io/free_functions.rs:79:36
    #12 0x560d2c752442 in image::dynimage::load_from_memory_with_format::h803ad8ee200dbbfa sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #13 0x560d2c752442 in sn0int_std::gfx::load::h5df31f821b037c62 sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #14 0x560d2b9ed8cc in rust_fuzzer_test_input sn0int/sn0int-std/fuzz/fuzz_targets/image_load.rs:11:13
Stacktrace: crash-32aed9132fadd27014d0d5f43ae9376f9b3f9cd7 
thread '<unnamed>' panicked at 'attempt to add with overflow', /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/webp/decoder.rs:114:25
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==550494== ERROR: libFuzzer: deadly signal
    #17 0x56256aacf0da in image::codecs::webp::decoder::WebPDecoder$LT$R$GT$::read_vp8_header::h77b76337098a5ab0 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/webp/decoder.rs:114:25
    #18 0x56256aad065a in image::codecs::webp::decoder::WebPDecoder$LT$R$GT$::read_metadata::h65b39a062aa3a0c6 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/webp/decoder.rs:138:23
    #19 0x56256aad065a in image::codecs::webp::decoder::WebPDecoder$LT$R$GT$::new::hbf1af4ab5a6d4d10 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/webp/decoder.rs:70:9
    #20 0x56256aa46b80 in image::io::free_functions::load::hfb63e77f4780b588 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/io/free_functions.rs:71:64
    #21 0x56256afc6442 in image::dynimage::load_from_memory_with_format::h803ad8ee200dbbfa sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #22 0x56256afc6442 in sn0int_std::gfx::load::h5df31f821b037c62 sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #23 0x56256a2618cc in rust_fuzzer_test_input sn0int/sn0int-std/fuzz/fuzz_targets/image_load.rs:11:13
Stacktrace: oom-9642df99e8a487afa7c072fc46aca9a64ed13707 
==568277== ERROR: libFuzzer: out-of-memory (malloc(3221291008))
    #15 0x563ce7fd89fc in alloc::vec::Vec$LT$T$C$A$GT$::resize::h011ee8981ffcda1b /rustc/9067d5277d10f0f32a49ec9c125a33828e26a32b/library/alloc/src/vec/mod.rs:2255:13
    #16 0x563ce7fd89fc in png::decoder::Reader$LT$R$GT$::allocate_out_buf::hf5e356b5ab2f9e6d /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.16.8/src/decoder/mod.rs:654:9
    #17 0x563ce7fdf989 in png::decoder::Reader$LT$R$GT$::init::he778edd779410d22 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.16.8/src/decoder/mod.rs:344:9
    #18 0x563ce7fe2bea in png::decoder::Decoder$LT$R$GT$::read_info::h5b0c1fa661cb8331 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.16.8/src/decoder/mod.rs:118:9
    #19 0x563ce854f9f6 in image::codecs::png::PngDecoder$LT$R$GT$::new::haba444bfcb43be3c /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/png.rs:131:31
    #20 0x563ce850091b in image::io::free_functions::load::hfb63e77f4780b588 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/io/free_functions.rs:65:63
    #21 0x563ce8a80a72 in image::dynimage::load_from_memory_with_format::h803ad8ee200dbbfa sn0int/sn0int-std/src/gfx/mod.rs:108:17
    #22 0x563ce8a80a72 in sn0int_std::gfx::load::h5df31f821b037c62 sn0int/sn0int-std/src/gfx/mod.rs:108:17
    #23 0x563ce7d1bcab in rust_fuzzer_test_input
This was referenced Sep 15, 2022
Open
Open
@kpcyrd kpcyrd changed the title denial of service bugs DoS: Crash when loading crafted images Sep 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@evanrichter