Out-of-bounds memory access in IMB_flipy() due to large image dimensions #94629

Closed
opened 2022-01-04 12:37:30 +01:00 by Albin Eldstål-Ahrens · 9 comments

System Information
Operating system: Windows-10-10.0.19044-SP0 64 Bits
Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001

Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: 6844304dda
Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: 59a48cc43d
Worked: -

Short description of error
A loaded (and valid) image (ImBuf*) can be crafted such that an out-of-bounds read or write occurs when the image is flipped vertically. In at least one IMB loader, flipping is performed on image load and without further user input.

Cause
IMB_flipy() in source/blender/imbuf/intern/rotate.c is missing a bounds check after lines 48 and 71. As a result, a in ImBuf with large dimensions can cause bottomf to wrap around and point to an address before topf.

By tuning the dimensions of the image carefully, an attacker can choose exactly where bottomf points, and have data written there from the input image.

Notes
While the provided example is an HDR image, this issue is independent of the HDR parsing code and thus also of the fix in D11952.

Exact steps for others to reproduce the error
The following input file (an HDR image) illustrates the problem. Call imb_loadhdr() with flags=IB_rectfloat on it to trigger a crash in IMB_flipy().

segv_rotate_78.hdr

#?RADIANCE

-Y 96
-Y 9630838

To see the crash in the latest alpha build of Blender, follow these steps:

  1. Start with the default new project
  2. Open the material panel.
  3. Set the material "base color" of the default cube to "Image texture"
  4. Load the texture file segv_rotate_78.hdr.

Impact
An attacker-controlled out-of-bounds write can realistically be used to obtain code execution in the blender process. For example, a return address on the stack or a function pointer in a known location in memory can be overwritten.

Proposed mitigation
Fail if bottomf <= topf, in both codepaths. I'm not able to provide a trivial patch for this, since IMB_flipy() has not been designed with a failure mechanism. Someone better acquainted with the various users of flipy needs to weigh in on a proper fix.

**System Information** Operating system: Windows-10-10.0.19044-SP0 64 Bits Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001 **Blender Version** Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: `6844304dda` Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: `59a48cc43d` Worked: - **Short description of error** A loaded (and valid) image (`ImBuf*`) can be crafted such that an out-of-bounds read or write occurs when the image is flipped vertically. In at least one IMB loader, flipping is performed on image load and without further user input. **Cause** `IMB_flipy()` in `source/blender/imbuf/intern/rotate.c` is missing a bounds check after lines 48 and 71. As a result, a in ImBuf with large dimensions can cause `bottomf` to wrap around and point to an address before `topf`. By tuning the dimensions of the image carefully, an attacker can choose exactly where `bottomf` points, and have data written there from the input image. **Notes** While the provided example is an HDR image, this issue is independent of the HDR parsing code and thus also of the fix in [D11952](https://archive.blender.org/developer/D11952). **Exact steps for others to reproduce the error** The following input file (an HDR image) illustrates the problem. Call `imb_loadhdr()` with `flags=IB_rectfloat` on it to trigger a crash in `IMB_flipy()`. [segv_rotate_78.hdr](https://archive.blender.org/developer/F12788416/segv_rotate_78.hdr) ``` #?RADIANCE -Y 96 -Y 9630838 ``` To see the crash in the latest alpha build of Blender, follow these steps: 1. Start with the default new project 2. Open the material panel. 3. Set the material "base color" of the default cube to "Image texture" 4. Load the texture file `segv_rotate_78.hdr`. **Impact** An attacker-controlled out-of-bounds write can realistically be used to obtain code execution in the blender process. For example, a return address on the stack or a function pointer in a known location in memory can be overwritten. **Proposed mitigation** Fail if `bottomf <= topf`, in both codepaths. I'm not able to provide a trivial patch for this, since `IMB_flipy()` has not been designed with a failure mechanism. Someone better acquainted with the various users of `flipy` needs to weigh in on a proper fix.

Added subscriber: @eldstal

Added subscriber: @eldstal

Changed status from 'Needs Triage' to: 'Confirmed'

Changed status from 'Needs Triage' to: 'Confirmed'

The proposed fix is useful, but insufficient.

A large enough ibuf->x can also cause the size to overflow before the call to MEM_mallocN() for the linef buffer. The buffer ends up with an allocation of the wrong size, leading to a different out-of-bounds access in the loop that follows.

The proposed fix is useful, but insufficient. A large enough `ibuf->x` can also cause the size to overflow before the call to `MEM_mallocN()` for the `linef` buffer. The buffer ends up with an allocation of the wrong size, leading to a different out-of-bounds access in the loop that follows.

In addition, some dimensions such as x=844193 and y=6364 are such that bottomf wraps around and then passes topf, resulting in bottomf > topf which may look safe. During the loop, however, bottomf will eventually be decremented to fall below topf and once again trigger the fault.

In addition, some dimensions such as `x=844193` and `y=6364` are such that `bottomf` wraps around and then passes `topf`, resulting in `bottomf > topf` which may look safe. During the loop, however, `bottomf` will eventually be decremented to fall below `topf` and once again trigger the fault.

This issue was referenced by 63fdcbb588

This issue was referenced by 63fdcbb5889e31b5f07d8d5c8e923cc57900fe1b

This issue was referenced by e07f16776b

This issue was referenced by e07f16776bca5e9494e6b143170f31d5eeb160ce

This issue was referenced by 82858ca3f4

This issue was referenced by 82858ca3f4e6dc6f840af9306c350900abd491fc

Changed status from 'Confirmed' to: 'Resolved'

Changed status from 'Confirmed' to: 'Resolved'
Jesse Yurkovich self-assigned this 2022-01-07 07:24:12 +01:00

This vulnerability has been assigned CVE-2022-0545 by the Red Hat CNA.

This vulnerability has been assigned CVE-2022-0545 by the Red Hat CNA.
Sign in to join this conversation.
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: blender/blender#94629
No description provided.