On 12/08/2016 at 22:44, Bastien ROUCARIES wrote:
On Fri, Aug 12, 2016 at 6:16 PM, Guillaume Gimenez <pl...@blackmilk.fr> wrote:
Package: libmagick++-6.q16-5v5
Version: 8:6.8.9.9-7.2
Severity: important
File: libmagick++
Tags: patch

Dear Maintainer,

There is a bug in the locking implementation (RAII was the intended C++ idiom)
that has been fixed upstream.

http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c

Unfortunately, the commit message is empty...

In the unfixed code, the mutex acquisition has no effect and doesn't prevent
concurrent access to ref counters.

This bug generates a lot of crashes when Magick++ is used with multi-threaded
applications.

Do you have a small test case?

If so, it is a security bug. Could you ask for a CVE?

Bastien

Of course, here it is.

I spotted this bug with a program I am developing:
https://github.com/ploki/darkflow
Since it doesn't look like a minimal test case, I wrote this small test program, which triggers the bug on IM 6.8 but doesn't on IM 6.9, which has the fix applied.

$ cat bug.cc
#include <Magick++.h>
using namespace Magick;
int main(int argc, char **argv)
{
  Image plop("/usr/share/pixmaps/debian-logo.png");
#pragma omp parallel for
  for (int i = 0 ; i < 10000 ; ++i )
    {
      Image meh(plop);
    }
    return 0;
}
$ g++ -fopenmp $(pkg-config --cflags --libs Magick++) bug.cc -o bug
$ ./bug
bug: ../../magick/image.c:1106: DestroyImageInfo: Assertion `image_info->signature == 0xabacadabUL' failed.
Aborted
$ ./bug
bug: ../../magick/image.c:1106: DestroyImageInfo: Assertion `image_info->signature == 0xabacadabUL' failed.
terminate called after throwing an instance of 'Magick::ErrorOption'
  what():  Magick: mutex lock failed (Invalid argument)
Aborted

The crash may vary depending on which race is triggered.

Regards,
Guillaume

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE 
to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
ii  libc6                  2.23-4
ii  libgcc1                1:6.1.1-10
ii  libmagickcore-6.q16-2  8:6.8.9.9-7.2
ii  libmagickwand-6.q16-2  8:6.8.9.9-7.2
ii  libstdc++6             6.1.1-10

libmagick++-6.q16-5v5:amd64 recommends no packages.

libmagick++-6.q16-5v5:amd64 suggests no packages.
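As an added illustration (not code from this report, from ImageMagick, or from the upstream commit), here is the class of bug the report describes: an RAII lock guard written as an unnamed temporary is destroyed at the end of its own statement, so the code that follows runs with the mutex already released, and concurrent reference-count updates race exactly as the crashes above suggest. The `TrackedMutex`, `ScopedLock` and `ImageRef` types are constructed for this example; that upstream's code had precisely this temporary-guard shape is an assumption, the report only states that the acquisition had no effect.

```cpp
#include <atomic>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

// A mutex that also records whether it is currently held, so the example can
// observe deterministically whether a critical section ran under the lock.
struct TrackedMutex {
    std::mutex m;
    std::atomic<bool> held{false};
    void lock()   { m.lock(); held.store(true); }
    void unlock() { held.store(false); m.unlock(); }
};

// Pointer-taking RAII guard, constructed for this example in the style of a
// C++ wrapper around a C mutex (assumed shape, not Magick++'s own Lock class).
class ScopedLock {
public:
    explicit ScopedLock(TrackedMutex* mtx) : mtx_(mtx) { mtx_->lock(); }
    ~ScopedLock() { mtx_->unlock(); }
    ScopedLock(const ScopedLock&) = delete;
    ScopedLock& operator=(const ScopedLock&) = delete;
private:
    TrackedMutex* mtx_;
};

// Constructed stand-in for a shared, reference-counted image payload.
struct ImageRef {
    TrackedMutex mutexLock;
    long refCount = 1;
};

// BROKEN: the guard is an unnamed temporary. It locks, then is destroyed at the
// semicolon, so the mutex is already released when the "critical section" runs.
bool brokenGuardHeldInCriticalSection() {
    ImageRef ref;
    ScopedLock(&ref.mutexLock);          // temporary: lock + immediate unlock
    return ref.mutexLock.held.load();    // false: nothing protects what follows
}

// FIXED: the guard has a name, so it lives until the enclosing scope ends.
bool fixedGuardHeldInCriticalSection() {
    ImageRef ref;
    ScopedLock lock(&ref.mutexLock);     // named: held until 'lock' leaves scope
    return ref.mutexLock.held.load();    // true
}

// Each worker bumps and then drops the count 'iters' times, as copying and
// destroying Image handles would. With a named guard the final count is always
// the initial 1, whatever the thread count.
long refCountAfterGuardedStress(int threads, int iters) {
    ImageRef ref;
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&ref, iters] {
            for (int i = 0; i < iters; ++i) {
                { ScopedLock lock(&ref.mutexLock); ++ref.refCount; }
                { ScopedLock lock(&ref.mutexLock); --ref.refCount; }
            }
        });
    }
    for (auto& w : workers) w.join();
    return ref.refCount;
}

// Same workload with the temporary-guard idiom: the updates race on refCount,
// so the result is unpredictable (a data race that -fsanitize=thread reports).
long refCountAfterBrokenStress(int threads, int iters) {
    ImageRef ref;
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&ref, iters] {
            for (int i = 0; i < iters; ++i) {
                { ScopedLock(&ref.mutexLock); ++ref.refCount; }   // unprotected
                { ScopedLock(&ref.mutexLock); --ref.refCount; }   // unprotected
            }
        });
    }
    for (auto& w : workers) w.join();
    return ref.refCount;
}

int main() {
    std::printf("broken idiom: lock held inside critical section? %s\n",
                brokenGuardHeldInCriticalSection() ? "yes" : "no");
    std::printf("fixed idiom:  lock held inside critical section? %s\n",
                fixedGuardHeldInCriticalSection() ? "yes" : "no");
    std::printf("refCount after guarded stress: %ld (expected 1)\n",
                refCountAfterGuardedStress(4, 20000));
    std::printf("refCount after broken stress:  %ld (unpredictable)\n",
                refCountAfterBrokenStress(4, 20000));
    return 0;
}
```

Build with `g++ -std=c++11 -pthread example.cc`; adding `-fsanitize=thread` makes the broken stress loop report the race explicitly instead of only producing a wrong count. The lesson for review is that a guard-style lock must be bound to a named variable; a compiler warning for a temporary with a non-trivial destructor is not guaranteed, so this pattern is easy to miss by eye.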
