SIGSEGV in cmsIT8LoadFromMem #329

Closed
anfedotoff opened this issue Aug 10, 2022 · 3 comments

@anfedotoff

Hi!
We were doing some fuzzing using AFLplusplus with the symbolic execution tool Sydr and found an interesting issue. Here is the ASAN report:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==26==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f29ea37fcb1 bp 0x7ffdb2453180 sp 0x7ffdb2452938 T0)
==26==The signal is caused by a WRITE memory access.
==26==Hint: address points to the zero page.
    #0 0x7f29ea37fcb1  /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:369
    #1 0x2f6e61 in __asan_memcpy /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #2 0x33ed0d in AllocString /lcms/src/cmscgats.c:1190:14
    #3 0x340bd3 in SetDataFormat /lcms/src/cmscgats.c:1562:28
    #4 0x340bd3 in DataFormatSection /lcms/src/cmscgats.c:1957:18
    #5 0x340bd3 in ParseIT8 /lcms/src/cmscgats.c:2197:26
    #6 0x335d3b in cmsIT8LoadFromMem /lcms/src/cmscgats.c:2438:10
    #7 0x335d3b in LLVMFuzzerTestOneInput /lcms/./cmsIT8_load_fuzzer.c:26:22
    #8 0x335d3b in main /afl.cc:36:9
    #9 0x7f29ea2e8082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x276b0d in _start (/lcms_afl/cmsIT8_load_fuzzer+0x276b0d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:369 
==26==ABORTING

I'll try to explain what is happening. We use cmsIT8LoadFromMem to load input data from memory. At some stage of parsing (DataFormatSection) a large memory object fails to be allocated using AllocChunk. This situation could possibly lead to CWE-123 (write-what-where). I think there is a bug in AllocChunk. The problem is that the ptr pointer becomes malformed at this line. The address where we try to write data in memcpy (0x000000000008) is the aligned size of the next chunk to allocate. In theory, we could control the address on 32-bit systems and do an arbitrary write.
If you are interested in debugging this issue, I could send you an input and instructions by email.
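
The bug class described in the report above, as an added illustration that is not part of this issue and not the lcms cmscgats.c code: a constructed bump-pointer chunk allocator whose big-block allocation can fail. All names, the block sizes, the FIRST_BLOCK default and the `max_block` limit that stands in for an out-of-memory condition are assumptions made for this example. The unchecked variant stores the big-block result without a NULL test, so the pointer handed to the next memcpy becomes NULL plus the aligned size of the request that failed; the demo only computes that address and never writes through it. The checked variant returns NULL to the caller, and the string helper propagates that instead of copying.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a bump-pointer chunk allocator (NOT lcms code).
   Strings are carved out of one big block; a new, larger block is fetched
   when the current one is exhausted. max_block is a hypothetical limit that
   simulates malloc failure deterministically for this example. */
typedef struct {
    unsigned char *block;   /* current big block (NULL before the first one) */
    size_t block_size;      /* capacity of block */
    size_t used;            /* bytes handed out from block so far */
    size_t max_block;       /* requests above this "fail" (simulated OOM) */
} BumpAlloc;

#define FIRST_BLOCK 64
#define ALIGN8(n) (((n) + (size_t)7) & ~(size_t)7)

static unsigned char *alloc_big_block(const BumpAlloc *a, size_t size) {
    return size > a->max_block ? NULL : malloc(size);
}

/* Unchecked variant (the bug): the big-block result is stored without a
   NULL test, so after one failure every later pointer is NULL + used.
   Only the address is computed and returned; nothing is written through it. */
static uintptr_t alloc_chunk_unchecked(BumpAlloc *a, size_t size) {
    size_t avail = a->block_size - a->used;
    size = ALIGN8(size);
    if (size > avail) {
        a->block_size = a->block_size ? a->block_size * 2 : FIRST_BLOCK;
        if (a->block_size < size) a->block_size = size;
        a->used = 0;
        a->block = alloc_big_block(a, a->block_size);   /* may be NULL */
    }
    uintptr_t ptr = (uintptr_t)a->block + a->used;       /* 0 + used on failure */
    a->used += size;
    return ptr;
}

/* Checked variant: a failed big block is reported to the caller and the
   allocator state is left untouched. */
static void *alloc_chunk_checked(BumpAlloc *a, size_t size) {
    size_t avail = a->block_size - a->used;
    size = ALIGN8(size);
    if (size > avail) {
        size_t want = a->block_size ? a->block_size * 2 : FIRST_BLOCK;
        if (want < size) want = size;
        unsigned char *nb = alloc_big_block(a, want);
        if (nb == NULL) return NULL;
        a->block = nb;            /* the model keeps no list of old blocks */
        a->block_size = want;
        a->used = 0;
    }
    unsigned char *ptr = a->block + a->used;
    a->used += size;
    return ptr;
}

/* String duplication on top of the checked allocator: memcpy never runs
   with a bad destination because the failure is propagated instead. */
static char *alloc_string_checked(BumpAlloc *a, const char *s) {
    size_t len = strlen(s) + 1;
    char *dst = alloc_chunk_checked(a, len);
    if (dst == NULL) return NULL;
    memcpy(dst, s, len);
    return dst;
}

/* Scenario 1: a 200-byte block is allocated, the next request needs a new
   400-byte block which exceeds the simulated limit, and the request after
   that is carved from NULL. Returns the address that would have been
   written to: 104, the aligned size (ALIGN8(100)) of the request that failed. */
static uintptr_t demo_unchecked_address(void) {
    BumpAlloc a = { NULL, 0, 0, 256 };
    uintptr_t p1 = alloc_chunk_unchecked(&a, 200);   /* real block */
    uintptr_t p2 = alloc_chunk_unchecked(&a, 100);   /* big block fails -> 0 */
    uintptr_t p3 = alloc_chunk_unchecked(&a, 16);    /* NULL + 104 */
    free((void *)p1);                                 /* p1 is the first block */
    (void)p2;
    return p3;
}

/* Scenario 2: the same sequence through the checked path. Returns 1 when the
   first string is stored intact and the second is reported as a failure. */
static int demo_checked_reports_failure(void) {
    BumpAlloc a = { NULL, 0, 0, 256 };
    char big[200];                               /* constructed input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char *s1 = alloc_string_checked(&a, big);    /* 200 bytes, fits a 200-byte block */
    char *s2 = alloc_string_checked(&a, "x");    /* needs a 400-byte block -> NULL */
    int ok = s1 != NULL && s2 == NULL && strcmp(s1, big) == 0 && a.used == 200;
    free(a.block);
    return ok;
}
```

The value returned by the unchecked scenario is what an ASAN "SEGV on unknown address" in memcpy would report for this model: a near-zero address equal to an allocation size, not a pointer into any block. The fix is the one-line NULL check before the allocator state is updated; the string helper must then also check, so that the failure reaches the parser as an error rather than as a write.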

@mm2
Owner

mm2 commented Aug 11, 2022

Thanks for pointing this out. It is now fixed by c67fbea
Fortunately the CGATS parser is used only by tools and not by the color engine itself, so it is impossible to use this for an exploit since the ICC profile handling does not use this code. But anyway it is good to have checks even in the tools, so thank you.

Please note a CVE makes NO sense here because as said this code is used only by tools and not in the color engine so it is impossible to craft an ICC profile to trigger this behavior in any color engine client.

Thanks again

@anfedotoff
Author

anfedotoff commented Aug 11, 2022

Thanks for the fast reply!
Okay, I understand that it is impossible to exploit in real life. I checked the fix again. It still crashes :(, but the address has changed to 0x000000000029.

==13==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000029 (pc 0x7f1aa3847c1a bp 0x7fff4fa73c80 sp 0x7fff4fa73438 T0)
==13==The signal is caused by a WRITE memory access.
==13==Hint: address points to the zero page.
    #0 0x7f1aa3847c1a  /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:314
    #1 0x2f6e61 in __asan_memcpy /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #2 0x33ee5d in AllocString /lcms/src/cmscgats.c:1194:14
    #3 0x340d23 in SetDataFormat /lcms/src/cmscgats.c:1566:28
    #4 0x340d23 in DataFormatSection /lcms/src/cmscgats.c:1961:18
    #5 0x340d23 in ParseIT8 /lcms/src/cmscgats.c:2201:26
    #6 0x335d3b in cmsIT8LoadFromMem /lcms/src/cmscgats.c:2442:10
    #7 0x335d3b in LLVMFuzzerTestOneInput /lcms/./cmsIT8_load_fuzzer.c:26:22
    #8 0x335d3b in main /afl.cc:36:9
    #9 0x7f1aa37b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x276b0d in _start (/lcms_afl/cmsIT8_load_fuzzer+0x276b0d)

So I think I am free to send you the input. I made a small fix that helps. Please check #330.
crash-8a953d2223ebbf71c4dd0c99b2f7cbd3d57e8627.txt

@anfedotoff
Author

Fixed by this commit.
