eog crashed with SIGSEGV in rsvg_filter_primitive_render()

Bug #825497 reported by smpahlman
Affects           Status        Importance  Assigned to  Milestone
librsvg           Fix Released  Critical
librsvg (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

eog/librsvg crashes when attempting to call NULL while opening the attached reproducer. Marking initially as vuln since I did not check whether the call address can be changed to something else than just NULL. Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d81b70 (LWP 17083)]
0x00000000 in ?? ()
(gdb) bt
#0 0x00000000 in ?? ()
#1 0x002b7d08 in rsvg_filter_primitive_render (ctx=0x8357b28,
    self=<optimized out>) at rsvg-filter.c:85
#2 rsvg_filter_render (self=0x82e57f8, source=0x82ce4f8, context=0x82ddfd0,
    bounds=0x82f9140, channelmap=0x2cf6cb "2103") at rsvg-filter.c:499
#3 0x002ca0e7 in rsvg_cairo_pop_render_stack (ctx=0x82ddfd0)
    at rsvg-cairo-draw.c:970
#4 rsvg_cairo_pop_discrete_layer (ctx=0x82ddfd0) at rsvg-cairo-draw.c:1023
#5 0x002c71cf in rsvg_pop_discrete_layer (ctx=0x82ddfd0) at rsvg-base.c:2049
#6 0x002c3df3 in _rsvg_node_text_type_children (ctx=0x82ddfd0, x=0xb7d80b80,
    y=0xb7d80b88, lastwasspace=0xb7d80b9c, self=<optimized out>)
    at rsvg-text.c:188
#7 0x002c40d9 in _rsvg_node_text_draw (self=0x82ffe50, ctx=0x82ddfd0,
    dominate=0) at rsvg-text.c:254
#8 0x002bdd54 in rsvg_node_draw (self=0x82ffe50, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#9 0x002be1c7 in _rsvg_node_draw_children (self=0x82ff7e8, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:87
#10 0x002bdd54 in rsvg_node_draw (self=0x82ff7e8, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#11 0x002be1c7 in _rsvg_node_draw_children (self=0x82fec40, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:87
#12 0x002bdd54 in rsvg_node_draw (self=0x82fec40, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#13 0x002be0bf in rsvg_node_svg_draw (self=0x82ec768, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:326
#14 0x002bdd54 in rsvg_node_draw (self=0x82ec768, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#15 0x002be1c7 in _rsvg_node_draw_children (self=0x8306a80, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:87
#16 0x002bdd54 in rsvg_node_draw (self=0x8306a80, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#17 0x002be0bf in rsvg_node_svg_draw (self=0x82e8940, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:326
#18 0x002bdd54 in rsvg_node_draw (self=0x82e8940, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#19 0x002cb804 in rsvg_handle_render_cairo_sub (handle=0x80eb738, cr=0xa98520,
    id=0x0) at rsvg-cairo-render.c:234
#20 0x002cbd53 in rsvg_handle_get_pixbuf_sub (handle=0x80eb738, id=0x0)
    at rsvg.c:101
#21 0x002cbe53 in rsvg_handle_get_pixbuf (handle=0x80eb738) at rsvg.c:137
#22 0x08062a91 in eog_image_load ()
#23 0x08066424 in ?? ()
#24 0x080676a4 in eog_job_run ()
#25 0x080650e1 in ?? ()
#26 0x00e39444 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#27 0x00ee3d31 in start_thread (arg=0xb7d81b70) at pthread_create.c:304
#28 0x00fc9e3e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
Backtrace stopped: Not enough registers or memory available to unwind further

ProblemType: Crash
DistroRelease: Ubuntu 11.10
Package: eog 3.1.4-0ubuntu2
ProcVersionSignature: Ubuntu 3.0-3.4-generic 3.0.0-rc5
Uname: Linux 3.0-3-generic i686
Architecture: i386
Date: Fri Aug 12 23:53:54 2011
Disassembly: => 0x0: Cannot access memory at address 0x0
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Alpha i386 (20110705.1)
ProcCmdline: eog sample.svg
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
SegvAnalysis:
 Segfault happened at: 0x0: Cannot access memory at address 0x0
 PC (0x00000000) not located in a known VMA region (needed executable region)!
 Stack memory exhausted (SP below stack segment)
SegvReason: executing NULL VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 ?? ()
 rsvg_filter_primitive_render (ctx=0xa03e438, self=<optimized out>) at rsvg-filter.c:85
 rsvg_filter_render (self=0x9fe10f0, source=0x9fb44f8, context=0x9fb7118, bounds=0x9fceba0, channelmap=0x4a56cb "2103") at rsvg-filter.c:499
 rsvg_cairo_pop_render_stack (ctx=0x9fb7118) at rsvg-cairo-draw.c:970
 rsvg_cairo_pop_discrete_layer (ctx=0x9fb7118) at rsvg-cairo-draw.c:1023
Title: eog crashed with SIGSEGV in rsvg_filter_primitive_render()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

CVE References

CVE-2011-3146

smpahlman (sauli-pahlman) wrote :

Apport retracing service (apport) wrote :

StacktraceTop:
 ?? ()
 rsvg_filter_primitive_render (ctx=0xa03e438, self=<optimized out>) at rsvg-filter.c:85
 rsvg_filter_render (self=0x9fe10f0, source=0x9fb44f8, context=0x9fb7118, bounds=0x9fceba0, channelmap=0x4a56cb "2103") at rsvg-filter.c:499
 rsvg_cairo_pop_render_stack (ctx=0x9fb7118) at rsvg-cairo-draw.c:970
 rsvg_cairo_pop_discrete_layer (ctx=0x9fb7118) at rsvg-cairo-draw.c:1023

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in librsvg (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Changed in librsvg (Ubuntu):
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :

When building nodes, librsvg will take all nodes, regardless of name. If a name is unknown, it makes it a group (RsvgNodeGroup) -- see rsvg_standard_element_start(). However, the filter renderer checks for names, not object types, so if a name starts with "fe", it treats it as a filter (RsvgFilterPrimitive), and rsvg_filter_primitive_render() will end up trying to call ->render() off the edge of the allocated RsvgNodeGroup.

There needs to be some way to identify the child node type without relying on ->super.type->str, since it could be anything.

It seems that ->render can line up with the contents of RsvgState, but it depends on the g_malloc behavior of the other program threads, so exploitation would likely be unstable, but possible:

(gdb) p ((RsvgNodeGroup*)0x7c1ea0)->super->state->personal_affine
$37 = {1, 0, 0, 1, 0, 0}
(gdb) set var ((RsvgFilterPrimitive*)0x7c1ea0)->render = 0xffffffffffffffff
(gdb) p ((RsvgNodeGroup*)0x7c1ea0)->super->state->personal_affine
$38 = {1, 0, -nan(0xfffffffffffff), 1, 0, 0}
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xffffffffffffffff in ?? ()
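The comment above describes a type confusion: the parser records what it allocated (a group), but the filter renderer decides what to cast to from the element name alone, so a node named "feSomething" that was really allocated as a group gets its bytes past the end of the group reinterpreted as a function pointer. The following C program is an added illustration of that pattern and of the fix the comment asks for (a type tag on the base node rather than a name check). It is not librsvg's code; NodeBase, NodeGroup, FilterPrimitive, NodeKind and the "feBogus" element are hypothetical stand-ins constructed for the example, and the buggy name-based path is shown only as a predicate, never invoked as a call, because calling through the misread pointer is exactly the crash in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mock of a node hierarchy (NOT librsvg's own types). */
typedef enum { NODE_GROUP, NODE_FILTER_PRIMITIVE } NodeKind;

typedef struct {
    const char *name;   /* element name from the document: attacker-controlled */
    NodeKind kind;      /* what the allocator actually built: trustworthy */
} NodeBase;

/* A group carries no render callback; whatever follows the base is unrelated state. */
typedef struct {
    NodeBase super;
    int unrelated_state;
} NodeGroup;

/* A real filter primitive carries a render callback right after the base. */
typedef struct {
    NodeBase super;
    int (*render)(const NodeBase *self);
} FilterPrimitive;

static int fe_offset_render(const NodeBase *self) { (void)self; return 1; }

/* Constructed scenario: an unknown "feBogus" element that the parser turned into a group,
 * and a genuine primitive for comparison. */
static NodeGroup g_unknown_fe = { { "feBogus", NODE_GROUP }, 0 };
static FilterPrimitive g_real_filter = { { "feOffset", NODE_FILTER_PRIMITIVE }, fe_offset_render };

const NodeBase *unknown_fe_group_node(void) { return &g_unknown_fe.super; }
const NodeBase *real_filter_node(void)      { return &g_real_filter.super; }

/* Buggy heuristic, mirroring the bug: trust the name prefix, not the allocated type.
 * For g_unknown_fe this answers "yes", and a cast to FilterPrimitive would then read
 * ->render from memory the group never owned. */
int looks_like_filter_by_name(const NodeBase *n) {
    return strncmp(n->name, "fe", 2) == 0;
}

/* Safe check: ask what was actually allocated. */
int is_filter_by_type(const NodeBase *n) {
    return n->kind == NODE_FILTER_PRIMITIVE;
}

/* Hardened dispatcher: refuse the cast unless the allocation type agrees.
 * Returns -1 on mismatch, otherwise whatever the primitive's render returns. */
int render_filter_checked(const NodeBase *n) {
    if (!is_filter_by_type(n)) {
        return -1;   /* a NodeGroup reached the filter renderer: reject, do not cast */
    }
    const FilterPrimitive *fp = (const FilterPrimitive *)n;
    return fp->render(n);
}

int main(void) {
    const NodeBase *bogus = unknown_fe_group_node();
    printf("feBogus: name check says filter=%d, type check says filter=%d, checked render=%d\n",
           looks_like_filter_by_name(bogus), is_filter_by_type(bogus), render_filter_checked(bogus));
    printf("feOffset: checked render=%d\n", render_filter_checked(real_filter_node()));
    return 0;
}
```

The point a reviewer would take from the two predicates is that the name is input and the kind is a fact the allocator established; dispatch on the fact. Any dispatcher that downcasts based on a string from the document is a candidate for the same class of bug.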

Kees Cook (kees) wrote :

CVE-2011-3146

Kees Cook (kees) wrote :

I have emailed upstream with details. Thanks again for the report!

Kees Cook (kees) wrote :

Attaching upstream fix, scheduled for Sep 6th.

Changed in librsvg (Ubuntu):
status: New → Triaged
Changed in librsvg:
importance: Unknown → Critical
status: Unknown → Fix Released
tags: added: patch
Kees Cook (kees)
visibility: private → public
Changed in librsvg (Ubuntu):
assignee: Kees Cook (kees) → nobody
Kees Cook (kees)
Changed in librsvg (Ubuntu):
status: Triaged → Fix Released
joopbraak (joopbraak)
description: updated
This report contains Public Security information: everyone can see this security related information.
