Having trouble with making my Drive folder public, so I just attached them
instead.
Fuzzer result #3 is an integer overflow in libguac, not just guacenc, so
it's probably more serious than the others.
The others are from guacenc. Possibly not as immediately urgent, but the
ones that bottom out in Cairo might be of interest with the idea that an
attacker could send an arbitrary PNG.
I don't have a fuzzer running for guacd itself, just guacenc. I could set
one up for guacd if there's interest. I'm sure it would find more
interesting results than the guacenc one did.
-- Morgon
On Tue, Mar 17, 2020 at 11:44 AM Morgon Kanter <[email protected]> wrote:
> I don't have the expertise to know if they are issues with the upstream
> Cairo libs or not -- that's just where the memory allocations happen. I'm
> merely a dumb user of someone else's genius :-)
>
> I'll put them in a Google Drive folder of the format {stacktrace1.txt,
> sample1.guac} for each one. Will reply with the folder once it's ready.
>
> Cheers,
> -- Morgon
>
> On Mon, Mar 16, 2020 at 7:55 PM Nick Couchman <[email protected]> wrote:
>
>> On Mon, Mar 16, 2020 at 4:21 PM Morgon Kanter <[email protected]>
>> wrote:
>>
>> > Our fuzzer for guacenc has uncovered a number of integer overflows, stack
>> > overflows, and direct memory leaks -- usually centered around Cairo. How
>> > would you like us to report them? I can provide backtraces of the stack and
>> > minimal test cases that should reproduce the issues.
>> >
>> > Thanks,
>> > -- Morgon
>> >
>>
>> If the findings represent security issues (doubtful for something like
>> guacenc, but something to think about nonetheless), then please report them
>> to the security list:
>>
>> http://guacamole.apache.org/faq/#security
>>
>> Otherwise, here is fine. Are the issues in the actual guacenc
>> implementation, or in the upstream cairo libraries? If the issues are in
>> the upstream cairo libraries then reporting them here won't really do any
>> good - they'll need to be reported upstream. Once we determine that there
>> actually is a bug in the Guacamole code you can open a JIRA issue for the
>> bug(s) and then we (you, us, whoever) can work on resolving them with
>> changes to the code.
>>
>> -Nick
>>
>
Memory leak.
Bottoms out in Cairo. This one confused me a lot when I tried to investigate it.
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x55bb9569303d in malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x55bb9579e9d0 in read_png third_party/cairo/v1_12_16/src/cairo-png.c:827:20
#2 0x55bb9579f2fc in cairo_image_surface_create_from_png_stream third_party/cairo/v1_12_16/src/cairo-png.c:978:12
#3 0x55bb956b48c1 in guacenc_png_decoder third_party/guacamole_server/src/guacenc/png.c:95:9
#4 0x55bb956af58a in guacenc_image_stream_end third_party/guacamole_server/src/guacenc/image-stream.c:129:32
#5 0x55bb956adf3a in guacenc_read_instructions third_party/guacamole_server/src/guacenc/encode.c:66:13
#6 0x55bb956adbd0 in guacenc_encode third_party/guacamole_server/src/guacenc/encode.c:145:9
#7 0x55bb956ac03b in LLVMFuzzerTestOneInput third_party/guacamole_server/guacenc_fuzzer.cc:41:3
#8 0x55bb99913296 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#9 0x55bb998fd9d9 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#10 0x55bb99902bce in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9

Integer overflow.
Our system's diagnostic message is at the top.
third_party/guacamole_server/src/guacenc/parse.c:85:23: runtime error: signed integer overflow: 5114682988985455812 * 10 cannot be represented in type 'long'
#0 0x556d18b56d3e in guacenc_parse_timestamp third_party/guacamole_server/src/guacenc/parse.c:85:23
#1 0x556d18b557ef in guacenc_handle_sync third_party/guacamole_server/src/guacenc/instruction-sync.c:40:32
#2 0x556d18b520f1 in guacenc_handle_instruction third_party/guacamole_server/src/guacenc/instructions.c:60:24
#3 0x556d18b5058a in guacenc_read_instructions third_party/guacamole_server/src/guacenc/encode.c:66:13
#4 0x556d18b50220 in guacenc_encode third_party/guacamole_server/src/guacenc/encode.c:145:9
#5 0x556d18b4e97b in LLVMFuzzerTestOneInput third_party/guacamole_server/guacenc_fuzzer.cc:41:3
#6 0x556d1d13e686 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#7 0x556d1d129fba in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
#8 0x556d1d12f3b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776:9
#9 0x556d1d120dd2 in main third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#10 0x7f637b272bbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
#11 0x556d18a9d5a8 in _start src/csu/../sysdeps/x86_64/start.S:108

Stack overflow.
#0 0x55db90296bb8 in guacenc_display_get_layer
third_party/guacamole_server/src/guacenc/display-layers.c:30
#1 0x55db90296d58 in guacenc_display_get_depth
third_party/guacamole_server/src/guacenc/display-layers.c:74:9
#2 0x55db90296d63 in guacenc_display_get_depth
third_party/guacamole_server/src/guacenc/display-layers.c:77:12
#3 0x55db90296d63 in guacenc_display_get_depth
third_party/guacamole_server/src/guacenc/display-layers.c:77:12
...etc
Integer overflow.
Our system's diagnostic message is at the top.
third_party/guacamole_server/src/guacenc/buffer.c:89:44: runtime error: signed integer overflow: 4 * 1314276340 cannot be represented in type 'int'
#0 0x563fcdff2f6c in guacenc_buffer_resize third_party/guacamole_server/src/guacenc/buffer.c:89:44
#1 0x563fcdff310b in guacenc_buffer_fit third_party/guacamole_server/src/guacenc/buffer.c:135:16
#2 0x563fcdff73a3 in guacenc_handle_rect third_party/guacamole_server/src/guacenc/instruction-rect.c:52:9
#3 0x563fcdff40f1 in guacenc_handle_instruction third_party/guacamole_server/src/guacenc/instructions.c:60:24
#4 0x563fcdff258a in guacenc_read_instructions third_party/guacamole_server/src/guacenc/encode.c:66:13
#5 0x563fcdff2220 in guacenc_encode third_party/guacamole_server/src/guacenc/encode.c:145:9
#6 0x563fcdff097b in LLVMFuzzerTestOneInput third_party/guacamole_server/guacenc_fuzzer.cc:41:3
#7 0x563fd25e0686 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#8 0x563fd25cbfba in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
#9 0x563fd25d13b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776:9
#10 0x563fd25c2dd2 in main third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#11 0x7f1894e1cbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
#12 0x563fcdf3f5a8 in _start src/csu/../sysdeps/x86_64/start.S:108

Integer overflow.
Diagnostic message from our system is included at the top.
third_party/guacamole_server/src/libguac/parser.c:82:46: runtime error: signed integer overflow: 864811111 * 10 cannot be represented in type 'int'
#0 0x55c6392c2819 in guac_parser_append third_party/guacamole_server/src/libguac/parser.c:82:46
#1 0x55c6392c2f2a in guac_parser_read third_party/guacamole_server/src/libguac/parser.c:181:22
#2 0x55c6392b8711 in guacenc_read_instructions third_party/guacamole_server/src/guacenc/encode.c:65:13
#3 0x55c6392b8450 in guacenc_encode third_party/guacamole_server/src/guacenc/encode.c:145:9
#4 0x55c6392b68bb in LLVMFuzzerTestOneInput third_party/guacamole_server/guacenc_fuzzer.cc:41:3
#5 0x55c63d544fe6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:554:15
#6 0x55c63d52f6b9 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#7 0x55c63d5348be in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
#8 0x55c63d54daf2 in main third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#9 0x7f66c1a9bbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)

This was a timeout - don't have a stack trace.
Direct leak from _cairo_pattern_create_solid
Direct leak of 160 byte(s) in 1 object(s) allocated from:
#0 0x558bf8d3697d in __interceptor_malloc /proc/self/cwd/third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x558bf8e2c6f0 in _cairo_pattern_create_solid cairo-pattern.c:605:12
#2 0x558bf8e2c8e9 in _cairo_pattern_create_in_error cairo-pattern.c:628:15
#3 0x558bf8e2cbcc in INT_cairo_pattern_create_for_surface cairo-pattern.c:734:9
#4 0x558bf8d83ada in _cairo_default_context_set_source_surface cairo-default-context.c:330:15
#5 0x558bf8d66f51 in cairo_set_source_surface cairo.c:762:14
#6 0x558bf8d5559f in guacenc_display_flatten guacenc/display-flatten.c:196:9
#7 0x558bf8d55029 in guacenc_display_sync guacenc/display-sync.c:44:9
#8 0x558bf8d568fa in guacenc_handle_sync guacenc/instruction-sync.c:43:12
#9 0x558bf8d531f1 in guacenc_handle_instruction guacenc/instructions.c:60:24
#10 0x558bf8d5168a in guacenc_read_instructions guacenc/encode.c:66:13
#11 0x558bf8d51320 in guacenc_encode guacenc/encode.c:145:9
#12 0x558bf8d4fa7b in LLVMFuzzerTestOneInput /proc/self/cwd/third_party/guacamole_server/guacenc_fuzzer.cc:41:3
#13 0x558bfd33f786 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /proc/self/cwd/third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#14 0x558bfd32b0ba in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /proc/self/cwd/third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
#15 0x558bfd3304b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /proc/self/cwd/third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776:9
#16 0x558bfd321ed2 in main /proc/self/cwd/third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#17 0x7f322bb31bbc in __libc_start_main
#18 0x558bf8c9e6a8 in _start src/sysdeps/x86_64/start.S:108
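The three UBSan reports in this thread share one shape: a decimal digit run accumulated as v = v * 10 + digit (parser.c:82 in int, parse.c:85 in long), and a 4 * width product (buffer.c:89) that is multiplied before anything checks that it fits. The following is an added example, written for this page and not code from the thread or from the Guacamole project. It shows the hardened form of both: a toy parser for the LENGTH.VALUE,LENGTH.VALUE; instruction format that refuses any length it cannot represent or that the buffer cannot back, a timestamp reader built on the same checked accumulator, and a surface-size calculation that proves the product fits before computing it. The function names, the 8192-byte element cap, and the treatment of element lengths as byte counts (the real protocol counts characters) are assumptions made for the example.

```c
/*
 * Added example, not code from the Guacamole project or from this thread.
 * Hardened versions of the overflow shapes the UBSan reports point at:
 *   - "v = v * 10 + digit" accumulation (parser.c:82 int, parse.c:85 long)
 *   - "4 * width" stride product (buffer.c:89)
 * Names, the element cap, and byte-count lengths are assumptions for the example.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ELEMENT_LEN 8192   /* assumed cap on one protocol element */

/* Parse a run of ASCII digits into a long, refusing anything that would
 * overflow or exceed 'max'. Returns digits consumed, 0 on error. */
static size_t parse_decimal(const char *s, size_t n, long max, long *out) {
    long v = 0;
    size_t i = 0;
    for (; i < n && s[i] >= '0' && s[i] <= '9'; i++) {
        long d = s[i] - '0';
        if (v > (LONG_MAX - d) / 10) return 0;   /* v*10 + d would overflow */
        v = v * 10 + d;
        if (v > max) return 0;                   /* over the caller's cap */
    }
    if (i == 0) return 0;
    *out = v;
    return i;
}

/* A 'sync' timestamp: the whole string must be digits that fit in a long. */
static bool parse_timestamp(const char *s, size_t n, long *ts) {
    return n > 0 && parse_decimal(s, n, LONG_MAX, ts) == n;
}

typedef struct { const char *ptr; int len; } elem_t;

/* Parse one instruction "LEN.VALUE,LEN.VALUE;" into elements.
 * Returns the element count, or -1 on malformed or oversized input. */
static int parse_instruction(const char *s, size_t n, elem_t *out, int max_elems) {
    size_t pos = 0;
    int count = 0;
    while (pos < n) {
        long len;
        size_t used = parse_decimal(s + pos, n - pos, MAX_ELEMENT_LEN, &len);
        if (used == 0) return -1;                /* no digits, overflow, or > cap */
        pos += used;
        if (pos >= n || s[pos] != '.') return -1;
        pos++;
        if ((size_t)len > n - pos) return -1;    /* LEN claims bytes the buffer lacks */
        if (count == max_elems) return -1;
        out[count].ptr = s + pos;
        out[count].len = (int)len;
        count++;
        pos += (size_t)len;
        if (pos >= n) return -1;                 /* no ',' or ';' after the value */
        if (s[pos] == ';') return count;
        if (s[pos] != ',') return -1;
        pos++;
    }
    return -1;
}

/* Bytes for a 32bpp surface: stride = 4 * width, total = stride * height,
 * each product computed only after proving it fits its type. */
static bool surface_bytes_checked(int width, int height, int max_dim, size_t *bytes) {
    if (width <= 0 || height <= 0 || width > max_dim || height > max_dim) return false;
    if (width > INT_MAX / 4) return false;       /* 4 * width would overflow int */
    int stride = 4 * width;
    if ((size_t)height > SIZE_MAX / (size_t)stride) return false;
    *bytes = (size_t)stride * (size_t)height;
    return true;
}

int main(void) {
    /* Constructed inputs: a well-formed sync instruction and a hostile length. */
    const char good[] = "4.sync,10.1584465600;";
    const char bad[]  = "4.sync,99999999999999999999.x;";
    elem_t e[8];
    size_t bytes;
    printf("good: %d elements\n", parse_instruction(good, sizeof good - 1, e, 8));
    printf("bad:  %d (rejected)\n", parse_instruction(bad, sizeof bad - 1, e, 8));
    printf("4 * 1314276340 refused: %d\n",
           !surface_bytes_checked(1314276340, 1, INT_MAX, &bytes));
    return 0;
}
```

The cap on element length is the important part for the libguac case: a length prefix is attacker-controlled and is later used to size a read, so an accumulation that merely avoids undefined behaviour is not enough; the value also has to be bounded to what the parser is prepared to hold.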