[Pkg-gmagick-im-team] Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done
Guillaume Gimenez
guillaume at blackmilk.fr
Fri Aug 12 21:32:43 UTC 2016
Le 12/08/2016 à 22:44, Bastien ROUCARIES a écrit :
> On Fri, Aug 12, 2016 at 6:16 PM, Guillaume Gimenez <ploki at blackmilk.fr> wrote:
>> Package: libmagick++-6.q16-5v5
>> Version: 8:6.8.9.9-7.2
>> Severity: important
>> File: libmagick++
>> Tags: patch
>>
>> Dear Maintainer,
>>
>> There is a bug in the locking implementation (RAII was the intended C++ idiom) that has been fixed upstream.
>>
>> http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c
>>
>> Unfortunately, the commit message is empty...
>>
>> In the unfixed code, the mutex acquisition has no effect and doesn't prevent concurrent access to ref counters.
>>
>> This bug generates a lot of crashes when Magick++ is used with multi-threaded applications
>
> Do you have a small test case ?
>
> If so it is a security bug. Could you ask for a CVE ?
>
> Bastien
Of course, here it is.
I spotted this bug with a program I am developing:
https://github.com/ploki/darkflow
Since it doesn't look like a minimal test case, I wrote this small test
program which triggers the bug on im 6.8 but doesn't on im 6.9, which has
the fix applied.
$ cat bug.cc
#include <Magick++.h>
using namespace Magick;
int main(int argc, char **argv)
{
    Image plop("/usr/share/pixmaps/debian-logo.png");
#pragma omp parallel for
    for (int i = 0 ; i < 10000 ; ++i )
    {
        Image meh(plop);
    }
    return 0;
}
$ g++ -fopenmp $(pkg-config --cflags --libs Magick++) bug.cc -o bug
$ ./bug
bug: ../../magick/image.c:1106: DestroyImageInfo: Assertion
`image_info->signature == 0xabacadabUL' failed.
Aborted
$ ./bug
bug: ../../magick/image.c:1106: DestroyImageInfo: Assertion
`image_info->signature == 0xabacadabUL' failed.
terminate called after throwing an instance of 'Magick::ErrorOption'
what(): Magick: mutex lock failed (Invalid argument)
Aborted
The crash may vary depending on which race is triggered.
Regards,
Guillaume
>>
>>
>> -- System Information:
>> Debian Release: stretch/sid
>> APT prefers testing
>> APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
>> locale: Cannot set LC_ALL to default locale: No such file or directory
>> ANSI_X3.4-1968)
>> Shell: /bin/sh linked to /bin/dash
>> Init: systemd (via /run/systemd/system)
>>
>> Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
>> ii libc6 2.23-4
>> ii libgcc1 1:6.1.1-10
>> ii libmagickcore-6.q16-2 8:6.8.9.9-7.2
>> ii libmagickwand-6.q16-2 8:6.8.9.9-7.2
>> ii libstdc++6 6.1.1-10
>>
>> libmagick++-6.q16-5v5:amd64 recommends no packages.
>>
>> libmagick++-6.q16-5v5:amd64 suggests no packages.
>>
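Added illustration, not ImageMagick's or the reporter's code: the report says the mutex acquisition "has no effect" although RAII was intended, and the classic way a hand-written RAII guard ends up ineffective is an unnamed temporary, `Lock(&x.mutex);`, which is constructed and destroyed within the same statement. The example below assumes the upstream defect was of that kind; the names `TrackedMutex`, `Lock`, `ImageRefLike` and `unguarded_increments` are invented for the demo and the ref count is made atomic only so the sample itself stays free of undefined behaviour.

```cpp
#include <atomic>
#include <mutex>
#include <thread>
#include <vector>
// std::mutex that records its owner so a critical section can check whether
// the calling thread really holds the lock (instrumentation for the demo).
struct TrackedMutex {
  std::mutex m;
  std::atomic<std::thread::id> owner{};
  void lock()   { m.lock(); owner = std::this_thread::get_id(); }
  void unlock() { owner = std::thread::id(); m.unlock(); }
  bool held_by_me() const { return owner.load() == std::this_thread::get_id(); }
};
// Hand-written RAII guard, the kind of class a C++ wrapper library carries.
class Lock {
 public:
  explicit Lock(TrackedMutex *mu) : mu_(mu) { mu_->lock(); }
  ~Lock() { mu_->unlock(); }
  Lock(const Lock &) = delete;
  Lock &operator=(const Lock &) = delete;
 private:
  TrackedMutex *mu_;
};
// Stand-in for a shared, reference-counted image representation (assumed shape).
struct ImageRefLike {
  TrackedMutex mutexLock;
  std::atomic<long> refCount{0};  // atomic only to keep the sample free of UB
};
// Bumps the ref count once per iteration from `threads` workers and returns
// how many increments ran while the caller did NOT hold the lock.
long unguarded_increments(bool named_guard, int threads, int iters) {
  ImageRefLike ref;
  std::atomic<long> unguarded{0};
  auto worker = [&] {
    for (int i = 0; i < iters; ++i) {
      if (named_guard) {
        Lock guard(&ref.mutexLock);  // lives until the closing brace: correct
        if (!ref.mutexLock.held_by_me()) ++unguarded;
        ++ref.refCount;
      } else {
        Lock(&ref.mutexLock);        // BUG: temporary, destroyed at the ';'
        if (!ref.mutexLock.held_by_me()) ++unguarded;
        ++ref.refCount;              // no exclusion from other threads here
      }
    }
  };
  std::vector<std::thread> pool;
  for (int t = 0; t < threads; ++t) pool.emplace_back(worker);
  for (auto &th : pool) th.join();
  return unguarded.load();
}
```

With the named guard every increment runs under the lock (0 unguarded); with the temporary, every single one runs unprotected, which is exactly the situation under which the ref-count corruption and `DestroyImageInfo` assertions above become possible.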