An improper array index validation vulnerability exists in the TIF IP_planar_raster_unpack functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21833: TALOS-2021-1296 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the JPG Handle_JPEG420 functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

An out-of-bounds write vulnerability exists in the JPG Handle\_JPEG420 functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.9

**Product URLs**

https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-131 - Incorrect Calculation of Buffer Size

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

A specially crafted JPG file can lead to an out-of-bounds write in the handle_JPEG420 function, due to a buffer overflow caused by a missing size check for a buffer memory.

Trying to load a malformed JPG file, we end up in the following situation:

    This exception may be expected and handled.
    eax=08ee4c51 ebx=05d08c51 ecx=00000080 edx=0db17001 esi=10ab4fd1 edi=00000000
    eip=793c5eba esp=0019f5f8 ebp=0019f640 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    igCore19d!IG_mpi_page_set+0xca16a:
    793c5eba 884aff          mov     byte ptr [edx-1],cl        ds:002b:0db17000=??
    

This write access violation is happening in the function handle_JPEG420, corresponding to the following pseudo-code, in LINE152:

    LINE1    dword __cdecl
    LINE2    handle_JPEG420(int param_1,int width,int height,int min_height,char *param_5,
    LINE3                  undefined *raster_buffer)
    LINE4    {
            [...]
    LINE29     iVar2 = *(int *)(param_5 + 0x7c);
    LINE30     pcVar5 = (char *)(min_height - 1U & 0x8000000f);
    LINE31     if ((int)pcVar5 < 0) {
    LINE32       pcVar5 = (char *)(((uint)(pcVar5 + -1) | 0xfffffff0) + 1);
    LINE33     }
    LINE34     pcVar6 = pcVar5;
    LINE35     if (min_height != 0) {
    LINE36       if (pcVar5 == NULL) {
    LINE37         pcVar12 = *(char **)(param_5 + 0x54);
    LINE38         local_8 = pcVar12 + iVar2;
    LINE39         pcVar6 = *(char **)(param_5 + 0xa4);
    LINE40         local_c = pcVar6 + iVar2;
    LINE41         local_10 = (char *)(*(int *)(param_5 + 0x58) + iVar2 * 7);
    LINE42         iVar7 = *(int *)(param_5 + 4);
    LINE43         param_5 = (char *)(*(int *)(param_5 + 0xa8) + iVar2 * 7);
    LINE44       }
    LINE45       else {
    LINE46         if (pcVar5 == (char *)0xf) {
    LINE47           local_8 = *(char **)(param_5 + 0x54);
    LINE48           local_c = *(char **)(param_5 + 0xa4);
    LINE49           pcVar12 = (char *)(*(int *)(param_5 + 0x58) + iVar2 * 7);
    LINE50           local_10 = (char *)(*(int *)(param_5 + 0x58) + *(int *)(param_5 + 0x7c) * 6);
    LINE51           pcVar6 = (char *)(iVar2 * 7 + *(int *)(param_5 + 0xa8));
    LINE52           iVar7 = (*(int *)(param_5 + 0x2c) * 0x10 - *(int *)(param_5 + 0x2c)) + *(int *)(param_5 + 8)
    LINE53           ;
    LINE54           param_5 = (char *)(*(int *)(param_5 + 0x7c) * 6 + *(int *)(param_5 + 0xa8));
    LINE55         }
    LINE56         else {
    LINE57           iVar7 = ((int)pcVar5 / 2) * iVar2;
    LINE58           pcVar12 = (char *)(*(int *)(param_5 + 0x54) + iVar7);
    LINE59           pcVar6 = (char *)(*(int *)(param_5 + 0xa4) + iVar7);
    LINE60           local_8 = pcVar12 + iVar2;
    LINE61           local_c = pcVar6 + iVar2;
    LINE62           local_10 = pcVar12 + -iVar2;
    LINE63           iVar7 = (int)pcVar5 * *(int *)(param_5 + 0x2c) + *(int *)(param_5 + 4);
    LINE64           param_5 = pcVar6 + -iVar2;
    LINE65         }
    LINE66       }
    LINE67       index = 0;
    LINE68       if (0 < width) {
    LINE69         uVar8 = (uint)pcVar5 & 0x80000001;
    LINE70         if ((int)uVar8 < 0) {
    LINE71           uVar8 = (uVar8 - 1 | 0xfffffffe) + 1;
    LINE72         }
    LINE73         iVar2 = -(int)pcVar6;
    LINE74         iVar3 = -(int)pcVar6;
    LINE75         iVar4 = -(int)pcVar6;
    LINE76         do {
    LINE77           iVar14 = -1;
    LINE78           if (index == 0) {
    LINE79             iVar14 = 0;
    LINE80           }
    LINE81           uVar11 = (uint)(index != width - 1U);
    LINE82           local_18 = local_10 + iVar4 + (int)pcVar6;
    LINE83           local_14 = param_5;
    LINE84           if (min_height == 1) {
    LINE85             local_18 = pcVar12;
    LINE86             local_14 = pcVar6;
    LINE87           }
    LINE88           local_20 = pcVar6 + (int)(local_8 + iVar2);
    LINE89           local_1c = pcVar6 + (int)(local_c + iVar3);
    LINE90           if (min_height == height + -1) {
    LINE91             local_20 = pcVar12;
    LINE92             local_1c = pcVar6;
    LINE93           }
    LINE94           uVar13 = index - 1;
    LINE95           if (index != width - 1U) {
    LINE96             uVar13 = index;
    LINE97           }
    LINE98           uVar9 = (uint)(byte)(*(char *)(index + iVar7) + 0x80);
    LINE99           if (uVar8 == 0) {
    LINE100            uVar13 = uVar13 & 0x80000001;
    LINE101            if ((int)uVar13 < 0) {
    LINE102              uVar13 = (uVar13 - 1 | 0xfffffffe) + 1;
    LINE103            }
    LINE104            if (uVar13 == 0) {
    LINE105              local_28 = (int)local_14[iVar14] +
    LINE106                         ((int)pcVar6[iVar14] + *pcVar6 * 3 + (int)*local_14) * 3 + 8 >> 4;
    LINE107              iVar10 = (int)local_18[iVar14];
    LINE108              iVar14 = ((int)pcVar12[iVar14] + *pcVar12 * 3 + (int)*local_18) * 3 + 8;
    LINE109            }
    LINE110            else {
    LINE111              iVar10 = local_14[uVar11] + 8 + ((int)pcVar6[uVar11] + *pcVar6 * 3 + (int)*local_14) * 3
    LINE112              ;
    LINE113              iVar14 = (int)pcVar12[uVar11] + *pcVar12 * 3 + (int)*local_18;
    LINE114  LAB_10135e43:
    LINE115              local_28 = iVar10 >> 4 & 0xff;
    LINE116              iVar10 = local_18[uVar11] + 8;
    LINE117              iVar14 = iVar14 * 3;
    LINE118            }
    LINE119          }
    LINE120          else {
    LINE121            uVar13 = uVar13 & 0x80000001;
    LINE122            if ((int)uVar13 < 0) {
    LINE123              uVar13 = (uVar13 - 1 | 0xfffffffe) + 1;
    LINE124            }
    LINE125            if (uVar13 != 0) {
    LINE126              iVar10 = local_1c[uVar11] + 8 + ((int)pcVar6[uVar11] + *pcVar6 * 3 + (int)*local_1c) * 3
    LINE127              ;
    LINE128              iVar14 = (int)pcVar12[uVar11] + *pcVar12 * 3 + (int)*local_20;
    LINE129              local_18 = local_20;
    LINE130              goto LAB_10135e43;
    LINE131            }
    LINE132            local_28 = (int)local_1c[iVar14] +
    LINE133                       ((int)pcVar6[iVar14] + *pcVar6 * 3 + (int)*local_1c) * 3 + 8 >> 4 & 0xff;
    LINE134            iVar10 = (int)local_20[iVar14];
    LINE135            iVar14 = ((int)pcVar12[iVar14] + *pcVar12 * 3 + (int)*local_20) * 3 + 8;
    LINE136          }
    LINE137          if (uVar13 == 1) {
    LINE138            param_5 = param_5 + 1;
    LINE139            pcVar6 = pcVar6 + 1;
    LINE140            pcVar12 = pcVar12 + 1;
    LINE141          }
    LINE142          uVar11 = iVar14 + iVar10 >> 4 & 0xff;
    LINE143          sVar1 = *(short *)(&DAT_1026fb80 + uVar11 * 2);
    LINE144          iVar14 = *(int *)(&DAT_10270180 + (local_28 & 0xff) * 4);
    LINE145          iVar10 = *(int *)(&DAT_1026fd80 + uVar11 * 4);
    LINE146                      /*  */
    LINE147          *raster_buffer =
    LINE148               *(undefined *)
    LINE149                ((int)*(short *)(&DAT_1026f980 + (local_28 & 0xff) * 2) + uVar9 + param_1);
    LINE150          raster_buffer[1] =
    LINE151               *(undefined *)(((int)(uVar9 * 0x10000 + iVar14 + iVar10) >> 0x10) + param_1);
    LINE152          raster_buffer[2] = *(undefined *)(uVar9 + (int)sVar1 + param_1);
    LINE153          index = index + 1;
    LINE154          raster_buffer = raster_buffer + 3;
    LINE155        } while ((int)index < width);
    LINE156      }
    LINE157    }
    LINE158    return (dword)pcVar6;
    LINE159  }
    

The raster_buffer looks to be a table of three integers to store data, as we can see from LINE147 to LINE154. The index of this table is controlled by the width variable (corresponding to size_X below), meaning the table should be at least width*3 in size. The size of raster_buffer is computed into the function IGDIBStd::compute_raster_size with the following pseudo-code:

    LINE160  uint __thiscall IGDIBStd::compute_raster_size(HIGDIBINFO this)
    LINE161  {
    LINE162    longlong lVar1;
    LINE163    uint uVar2;
    LINE164    ulonglong uVar3;
    LINE165    
    LINE166    lVar1 = (longlong)(int)(this->mys_struct_table_color).ptr_bits_per_channel_table *
    LINE167            (longlong)(int)(this->mys_struct_table_color).ptr_channel_count;
    LINE168    uVar3 = __allmul((uint)lVar1,(uint)((ulonglong)lVar1 >> 0x20),this->size_X,
    LINE169                     (int)this->size_X >> 0x1f);
    LINE170    lVar1 = (longlong)(uVar3 + 0x1f) >> 3;
    LINE171    uVar2 = (uint)lVar1 & 0xfffffffc;
    LINE172    if ((-1 < lVar1) && ((0 < (int)((longlong)(uVar3 + 0x1f) >> 0x23) || (0x7ffffffe < uVar2)))) {
    LINE173      wrapper_thow_exception
    LINE174                ((undefined *)0xfffffe6f,NULL,NULL,NULL,(undefined **)0x1022fa38,(undefined *)0x29);
    LINE175    }
    LINE176    return uVar2;
    LINE177  }
    

We can see here effectively the size is depending of three variables: ptr_bits_per_channel_table, ptr_channel_count and size_X (corresponding to width above).  
Theses values are set earlier in the execution while parsing the SOF0 JPEG tag and they correspond respectively to component number, precision and width of the values present into this tag, and are read directly from the file.  
To trigger the crash, an invalid image number of component from SOF0 tag and specific Spectral selection values from SOS tag must be set.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.mSec
        Value: 2593
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 32299
    
        Key  : Analysis.Init.CPU.mSec
        Value: 2093
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 47455
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 175
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 168234
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 46
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 793c5eba (igCore19d!IG_mpi_page_set+0x000ca16a)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 0db17000
    Attempt to write to address 0db17000
    
    FAULTING_THREAD:  0001096c
    
    PROCESS_NAME:  Fuzzme.exe
    
    WRITE_ADDRESS:  0db17000 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  0db17000
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019f640 793c7c39     79500680 000000fd 00004101 igCore19d!IG_mpi_page_set+0xca16a
    0019f6f0 793c3501     0c222f60 0019f9a8 0e172720 igCore19d!IG_mpi_page_set+0xcbee9
    0019f774 793b4139     00004101 0e172720 0c222f60 igCore19d!IG_mpi_page_set+0xc77b1
    0019f97c 793b00bf     0c222f60 0019f9a8 00000000 igCore19d!IG_mpi_page_set+0xb83e9
    0019fa08 793c70b5     00000003 793c3030 0e172720 igCore19d!IG_mpi_page_set+0xb436f
    0019fa24 793c6edd     0e172720 0c222f60 0000ffda igCore19d!IG_mpi_page_set+0xcb365
    0019fa48 793c5021     0e172720 0c222f60 0019fa70 igCore19d!IG_mpi_page_set+0xcb18d
    0019fa68 793c677a     0019ffc0 1000001d 0e162f70 igCore19d!IG_mpi_page_set+0xc92d1
    0019faa8 792d10d9     1000001d 0e162f70 00000001 igCore19d!IG_mpi_page_set+0xcaa2a
    0019fae0 79310557     00000000 0e162f70 0019fb30 igCore19d!IG_image_savelist_get+0xb29
    0019fd5c 7930feb9     00000000 05454f68 00000001 igCore19d!IG_mpi_page_set+0x14807
    0019fd7c 792a5777     00000000 05454f68 00000001 igCore19d!IG_mpi_page_set+0x14169
    0019fd9c 00498a3a     05454f68 0019fe0c 004801a4 igCore19d!IG_load_file+0x47
    0019fe14 00498e36     05454f68 0019fe8c 004801a4 Fuzzme!fuzzme+0x4a
    0019fee4 004daa53     00000005 05344ef8 0534df20 Fuzzme!main+0x376
    0019ff04 004da8a7     849468e5 004801a4 004801a4 Fuzzme!invoke_main+0x33
    0019ff60 004da73d     0019ff70 004daad8 0019ff80 Fuzzme!__scrt_common_main_seh+0x157
    0019ff68 004daad8     0019ff80 75e8fa29 00346000 Fuzzme!__scrt_common_main+0xd
    0019ff70 75e8fa29     00346000 75e8fa10 0019ffdc Fuzzme!mainCRTStartup+0x8
    0019ff80 77207a4e     00346000 2f1bf266 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77207a1e     ffffffff 772288f5 00000000 ntdll!__RtlUserThreadStart+0x2f
    0019ffec 00000000     004801a4 00346000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  igCore19d!IG_mpi_page_set+ca16a
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igCore19d.dll!IG_mpi_page_set
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 10
    
    IMAGE_VERSION:  19.9.0.0
    
    FAILURE_ID_HASH:  {39ff52ad-9054-81fd-3e4d-ef5d82e4b2c1}
    
    Followup:     MachineOwner
    ---------
    

**Timeline**

2021-04-28 - Vendor Disclosure  
2021-05-31 - Vendor Patched  
2021-06-01 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2021-21824: TALOS-2021-1289 || Cisco Talos Intelligence Group

A memory corruption vulnerability exists in the PNG png_palette_process functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide malicious inputs to trigger this vulnerability.

CVE-2021-21808: TALOS-2021-1276 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the PSD read_icc_icCurve_data functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an integer overflow that, in turn, leads to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A heap-based buffer overflow vulnerability exists in the PSD read\_icc\_icCurve\_data functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an integer overflow that, in turn, leads to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.9

**Product URLs**

https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

A specially crafted PSD file can lead to an out-of-bounds write in read_icc_icCurve_data function, due to a buffer overflow caused by an integer overflow while allocating memory.  
Trying to load a malformed PSD file, we end up in the following situation:

    (bbb0.dfa0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0dc6cff8 ebx=6ba28620 ecx=00000000 edx=00000002 esi=0019f38c edi=0c25aff8
    eip=699204fd esp=0019f2dc ebp=0019f370 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    igCore19d!IG_cpm_profiles_reset+0x56ed:
    699204fd f20f114cd0f8    movsd   mmword ptr [eax+edx*8-8],xmm1 ds:002b:0dc6d000=????????????????
    

The crash is happening in function read_icc_icCurve_data in LINE50 during a do-while loop (from LINE48 to LINE54) controlled by the curve_data->count:

    LINE1   dword read_icc_icCurve_data(uint **param_1,curve_type_data *curve_data)
    LINE2   {
    LINE3     uint size;
    LINE4     uint *buffer_for_curves_values;
    LINE5     undefined extraout_DL;
    LINE6     dword return_status;
    LINE7     uint index;
    LINE8     undefined4 uVar1;
    LINE9     int iVar2;
    LINE10    uint *puVar3;
    LINE11    uint *puVar4;
    LINE12    undefined uVar5;
    LINE13    char local_88 [128];
    LINE14    uint local_8;
    LINE15    
    LINE16    local_8 = DAT_102bcea8 ^ (uint)&stack0xfffffffc;
    LINE17    uVar5 = 0;
    LINE18    if (param_1[1] < &DAT_00000004) {
    LINE19                      /* char * _Format for sprintf */
    LINE20                      /* char * _Dest for sprintf */
    LINE21      sprintf(local_88,"Unexpected end of data while reading tag:%Xh, type:%s",param_1[3],"icCurve");
    LINE22      iVar2 = AF_err_record_set("..\\..\\..\\..\\Common\\Core\\ICCProfile.c",0x31b,-1,0,param_1[1],4,
    LINE23                                local_88);
    LINE24      uVar5 = (undefined)iVar2;
    LINE25    }
    LINE26    else {
    LINE27                      /* get count value from tag */
    LINE28      size = rotate_bytes(**param_1);
    LINE29      curve_data->count = size;
    LINE30      *param_1 = *param_1 + 1;
    LINE31      param_1[1] = param_1[1] + -1;
    LINE32    }
    LINE33    if (param_1[1] < (uint *)(curve_data->count * 2)) {
    LINE34                      /* char * _Format for sprintf */
    LINE35                      /* char * _Dest for sprintf */
    LINE36      sprintf(local_88,"Unexpected end of data while reading tag:%Xh, type:%s",param_1[3],"icCurve");
    LINE37      puVar4 = (uint *)(curve_data->count * 2);
    LINE38      puVar3 = param_1[1];
    LINE39      iVar2 = -1;
    LINE40      uVar1 = 0x336;
    LINE41    }
    LINE42    else {
    LINE43      buffer_for_curves_values = (uint *)AF_memm_alloc((uint)param_1[2],curve_data->count << 3);
    LINE44      curve_data->buffer_actual_curve_values = buffer_for_curves_values;
    LINE45      if (buffer_for_curves_values != NULL) {
    LINE46        index = 0;
    LINE47        if (curve_data->count != 0) {
    LINE48          do {
    LINE49            index = index + 1;
    LINE50            *(double *)(curve_data->buffer_actual_curve_values + index * 2 + -2) =
    LINE51                 (double)(uint)(*(ushort *)*param_1 >> 8) * 0.00390625 +
    LINE52                 (double)(uint)(*(ushort *)*param_1 & 0xff);
    LINE53            *param_1 = (uint *)((int)*param_1 + 2);
    LINE54          } while (index < curve_data->count);
    LINE55        }
    LINE56        param_1[1] = (uint *)((int)param_1[1] + curve_data->count * -2);
    LINE57        return_status = kind_of_fastfail(local_8 ^ (uint)&stack0xfffffffc,(char)index,uVar5);
    LINE58        return return_status;
    LINE59      }
    LINE60                      /* char * _Format for sprintf */
    LINE61                      /* char * _Dest for sprintf */
    LINE62      sprintf(local_88,"Out of memory while reading tag:%Xh, type:%s",param_1[3],"icCurve");
    LINE63      puVar4 = param_1[1];
    LINE64      puVar3 = NULL;
    LINE65      iVar2 = -1000;
    LINE66      uVar1 = 0x325;
    LINE67    }
    LINE68    AF_err_record_set("..\\..\\..\\..\\Common\\Core\\ICCProfile.c",uVar1,iVar2,0,puVar3,puVar4,
    LINE69                      local_88);
    LINE70    return_status = kind_of_fastfail(local_8 ^ (uint)&stack0xfffffffc,extraout_DL,uVar5);
    LINE71    return return_status;
    LINE72  }
    

The size for the memory buffer buffer_for_curves_values, allocated in LINE43, is computed by curve_data->count << 3 and is prone to an integer overflow.  
In the proof-of-concept, the curve_data->count is read from the file and has value “0x80000001”. The multiplication at LINE43 results in the value “8”, hence a buffer of only 8 bytes is allocated.

    0:000> !heap -p -a eax
        address 0dc6cff8 found in
        _DPH_HEAP_ROOT @ 3ed1000
        in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                     bc602d8:          dc6cff8                8 -          dc6c000             2000
        6e3aa8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240
        7777ef0e ntdll!RtlDebugAllocateHeap+0x00000039
        776e6150 ntdll!RtlpAllocateHeap+0x000000f0
        776e57fe ntdll!RtlpAllocateHeapInternal+0x000003ee
        776e53fe ntdll!RtlAllocateHeap+0x0000003e
        6ba1dcff MSVCR110!malloc+0x00000049
        699361de igCore19d!AF_memm_alloc+0x0000001e
        69920475 igCore19d!IG_cpm_profiles_reset+0x00005665
        6991c4f2 igCore19d!IG_cpm_profiles_reset+0x000016e2
        6991fb42 igCore19d!IG_cpm_profiles_reset+0x00004d32
        6991f628 igCore19d!IG_cpm_profiles_reset+0x00004818
        69919990 igCore19d!IG_gctrl_item_set+0x00005bc0
        699290c6 igCore19d!IG_cpm_profiles_reset+0x0000e2b6
        69a2c79d igCore19d!IG_mpi_page_set+0x000f0a4d
        69a2bb32 igCore19d!IG_mpi_page_set+0x000efde2
        69a2b5aa igCore19d!IG_mpi_page_set+0x000ef85a
        699110d9 igCore19d!IG_image_savelist_get+0x00000b29
        69950557 igCore19d!IG_mpi_page_set+0x00014807
        6994feb9 igCore19d!IG_mpi_page_set+0x00014169
        698e5777 igCore19d!IG_load_file+0x00000047
        00498a3a Fuzzme!fuzzme+0x0000004a [C:\Users\etach\Documents\work\gitlab\ImageGear\Fuzzme\Fuzzme.cpp @ 282]
        00498e36 Fuzzme!main+0x00000376 [C:\Users\etach\Documents\work\gitlab\ImageGear\Fuzzme\Fuzzme.cpp @ 477]
        004daa53 Fuzzme!invoke_main+0x00000033 [d:\agent\_work\57\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
        004da8a7 Fuzzme!__scrt_common_main_seh+0x00000157 [d:\agent\_work\57\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
        004da73d Fuzzme!__scrt_common_main+0x0000000d [d:\agent\_work\57\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 331]
        004daad8 Fuzzme!mainCRTStartup+0x00000008 [d:\agent\_work\57\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp @ 17]
        763afa29 KERNEL32!BaseThreadInitThunk+0x00000019
        777076b4 ntdll!__RtlUserThreadStart+0x0000002f
        77707684 ntdll!_RtlUserThreadStart+0x0000001b
    

The count value is directly read from the file from the icc curv tag data of the PSD file. An adequate value chosen for the count leads to the integer overflow, which in turn leads to allocating a very small buffer which can lead to an out-of-bounds write. Note that the contents written out of bounds are read from the file and are thus under the attacker’s control.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.mSec
        Value: 3233
    
        Key  : Analysis.DebugAnalysisProvider.CPP
        Value: Create: 8007007e on DESKTOP-4DAOCFH
    
        Key  : Analysis.DebugData
        Value: CreateObject
    
        Key  : Analysis.DebugModel
        Value: CreateObject
    
        Key  : Analysis.Elapsed.mSec
        Value: 34473
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 187
    
        Key  : Analysis.System
        Value: CreateObject
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 975007
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 197
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    ADDITIONAL_XML: 1
    
    OS_BUILD_LAYERS: 1
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 699204fd (igCore19d!IG_cpm_profiles_reset+0x000056ed)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 0dc6d000
    Attempt to write to address 0dc6d000
    
    FAULTING_THREAD:  0000dfa0
    
    PROCESS_NAME:  Fuzzme.exe
    
    WRITE_ADDRESS:  0dc6d000 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  0dc6d000
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019f370 6991c4f2     0019f38c 0c25aff8 0f092f94 igCore19d!IG_cpm_profiles_reset+0x56ed
    0019f428 6991fb42     0f092f94 0000000e 72545243 igCore19d!IG_cpm_profiles_reset+0x16e2
    0019f4d8 6991f628     0f092f94 0000000e 72545243 igCore19d!IG_cpm_profiles_reset+0x4d32
    0019f510 69919990     00000000 00000004 1000001f igCore19d!IG_cpm_profiles_reset+0x4818
    0019f538 699290c6     1000001f 0f092dd0 00000230 igCore19d!IG_gctrl_item_set+0x5bc0
    0019f550 69a2c79d     0c1d0f40 0f092dd0 00000230 igCore19d!IG_cpm_profiles_reset+0xe2b6
    0019f614 69a2bb32     0019fb30 1000001e 09468f60 igCore19d!IG_mpi_page_set+0xf0a4d
    0019f650 69a2b5aa     0019fb30 0019f678 0019f6a0 igCore19d!IG_mpi_page_set+0xefde2
    0019faa8 699110d9     0019fb30 0946cfe0 00000001 igCore19d!IG_mpi_page_set+0xef85a
    0019fae0 69950557     00000000 0946cfe0 0019fb30 igCore19d!IG_image_savelist_get+0xb29
    0019fd5c 6994feb9     00000000 054d4f88 00000001 igCore19d!IG_mpi_page_set+0x14807
    0019fd7c 698e5777     00000000 054d4f88 00000001 igCore19d!IG_mpi_page_set+0x14169
    0019fd9c 00498a3a     054d4f88 0019fe0c 004801a4 igCore19d!IG_load_file+0x47
    0019fe14 00498e36     054d4f88 0019fe8c 004801a4 Fuzzme!fuzzme+0x4a
    0019fee4 004daa53     00000005 05414f20 0541df20 Fuzzme!main+0x376
    0019ff04 004da8a7     c4e97d5b 004801a4 004801a4 Fuzzme!invoke_main+0x33
    0019ff60 004da73d     0019ff70 004daad8 0019ff80 Fuzzme!__scrt_common_main_seh+0x157
    0019ff68 004daad8     0019ff80 763afa29 00224000 Fuzzme!__scrt_common_main+0xd
    0019ff70 763afa29     00224000 763afa10 0019ffdc Fuzzme!mainCRTStartup+0x8
    0019ff80 777076b4     00224000 a834ca50 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77707684     ffffffff 7772742d 00000000 ntdll!__RtlUserThreadStart+0x2f
    0019ffec 00000000     004801a4 00224000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  igCore19d!IG_cpm_profiles_reset+56ed
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igCore19d.dll!IG_cpm_profiles_reset
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 10
    
    IMAGE_VERSION:  19.9.0.0
    
    FAILURE_ID_HASH:  {749e662e-5382-aab8-f02d-cecd73653ce6}
    
    Followup:     MachineOwner
    ---------
    

**Timeline**

2021-03-16 - Vendor Disclosure

2021-05-31 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2021-21795: TALOS-2021-1264 || Cisco Talos Intelligence Group

Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors Software Developer Guidance Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Processors may allow information disclosure.  Intel is releasing updated software developer prescriptive guidance to address these potential vulnerabilities.

**Vulnerability Details:**

CVEID:  CVE-2021-0086

Description: Observable response discrepancy in floating-point operations for some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2021-0089

Description: Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

All Intel® Processor families.

**Recommendations:**

For CVE-2021-0086  Intel recommends that affected software including web browser JavaScript engine that runs on Intel® Processors follow one of the below guidelines: 

•       Process isolation.

•       Use alternatives to NaN-boxing techniques (eg. Dedicated type tag).

•       Constraining FP results before potential type-confused usage.

Additional technical details can be found here.

For CVE-2021-0089 Intel recommends that affected software that runs on Intel® Processors follow one of the below guidelines:

•       Process isolation.

•       Place serializing operations between code gen and execution.

•       Place LFENCE-semantic operations between code gen and execution.

•       Options include LFENCE, SYSCALL/SYSRET

Additional technical details can be found here.

**Acknowledgements:**

Intel would like to thank Enrico Barberis, Hany Ragab, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/08/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0089: INTEL-SA-00516

Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2021.1 IPU – BIOS Advisory**

Intel ID:

INTEL-SA-00463

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service

Severity rating:

HIGH

Original release:

06/08/2021

Last revised:

06/08/2021

**Summary: **

Potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow escalation of privilege or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2020-12357

Description: Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8670

Description: Race condition in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8700

Description: Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12359

Description: Insufficient control flow management in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.1 High

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12358

Description: Out of bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

CVEID: CVE-2021-0095

Description: Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID: CVE-2020-12360

Description: Out of bounds read in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2020-24486

Description: Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

·       2nd Generation Intel® Xeon® Scalable Processors

·       Intel® Xeon® Scalable Processors

·       Intel® Xeon® Processor D Family

·       Intel® Xeon® Processor E Family

·       Intel® Xeon® Processor E7 v4 Family

·       Intel® Xeon® Processor E3 v6 Family

·       Intel® Xeon® Processor E3 v5 Family

·       Intel® Xeon® Processor E5 v4 Family

·       Intel® Xeon® Processor E5 v3 Family

·       Intel® Xeon® Processor W Family

·       Intel® Core™ Processors with Intel® Hybrid Technology

·       11th Generation Intel® Core™ Processors

·       10th Generation Intel® Core™ Processors

·       8th Generation Intel® Core™ Processors

·       7th Generation Intel® Core™ Processors

·       6th Generation Intel® Core™ processors

·       Intel® Core™ X-series Processors

**Recommendations:**

Intel recommends that users of the affected products update to the latest firmware version provided by the system manufacturer that addresses these issues.

**Acknowledgements:**

Intel would like to thank NVIDIA Product Security Team (CVE-2020-24486) and Intel employee Hareesh Khattri (CVE-2020-12357) for their reports.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/08/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-8700: INTEL-SA-00463

An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.

CVE-2019-25045

In FreeBSD 13.0-STABLE before n245764-876ffe28796c, 12.2-STABLE before r369857, 13.0-RELEASE before p1, and 12.2-RELEASE before p7, a system call triggering a fault could cause SMAP protections to be disabled for the duration of the system call. This weakness could be combined with other kernel bugs to craft an exploit.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-21:11.smap Security Advisory The FreeBSD Project Topic: SMAP bypass Category: core Module: amd64 Announced: 2021-05-26 Credits: I lost my dog if you see him please contact me at @m00nbsd. Affects: FreeBSD 12.2 and later. Corrected: 2021-05-26 19:18:54 UTC (stable/13, 13.0-STABLE) 2021-05-26 19:31:50 UTC (releng/13.0, 13.0-RELEASE-p1) 2021-05-26 19:30:31 UTC (stable/12, 12.2-STABLE) 2021-05-26 20:40:20 UTC (releng/12.2, 12.2-RELEASE-p7) CVE Name: CVE-2021-29628 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Supervisor Mode Access Prevention (SMAP) is a security feature implemented by contemporary Intel and AMD CPUs. When enabled, it ensures that accesses to user memory by the kernel trigger a page fault and a subsequent kernel panic. This helps mitigate the security implications of kernel bugs that permit an attacker to read from or write to user memory from the kernel. The kernel may legitimately need to copy data between userspace and the kernel. To enable this, SMAP is temporarily disabled in the subroutines which handle this copying, so only small, specially designated portions of the kernel should be executed with SMAP disabled. II. Problem Description The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses. Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode. III. Impact This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit. IV. Workaround No workaround is available. On hardware that does not implement SMAP, the bug is inconsequential as the mitigation does not exist in the first place. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-21:11/smap.patch # fetch https://security.FreeBSD.org/patches/SA-21:11/smap.patch.asc # gpg --verify smap.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 876ffe28796c stable/13-n245764 releng/13.0/ f32130a1955e releng/13.0-n244739 stable/12/ r369857 releng/12.2/ r369863 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmCu6vIACgkQ05eS9J6n 5cJagg//Yy30r/Dq2rgoY7p31CoF/jXDDqNEhqyJTcWoDY2M5THXBficHxWW68lE YLfndQRgz4oT7QNgxgnW0PYa0iHLiNFxZoI8lOcILpvHereXy0gEvLVPCstY7NY9 +jZnY7seLfSH+Y+VS5sjXbveMSMxovKzpp1rOrHVxJK7YeGY7YDqsK9pQ8Jk+4pE XlhOvhugL0qE4Fxj4qI5ClGmqDvyNXxlGWWwVtzZV2jYN1bdmZ0g88+HgJI1FcUr E2KIk1XwVidhQC8GJk9v7D/Bg4nYdq59Dozv4tu9IFfPkV+xl3qbgtXN5qJ0bp+u Y3NCEgq8Aoz60Xebulw1XBfvJFkLqUEthenYKtMSc9hN+QgAM9c9eQreRawTNezK aUSl+hUt9D6oVHh1Ki+OIhAgF+pAKN+7ARfcn2Ot57/TNbO1T9/C5mMd/hhQOkyj wJwj3nSLkUVQTNR9ntyyIj44XFRijtzG4foAJDuozfzC+hD82jSgXpCGnLwH6Gyx n0yIM1LbDZWrvAJ9W+uQmGJ1nv12Tzt24cDCSQ+zJjuTNfCso3bQ9b/IrXomBAwp waYpEOujzjaM7XdI9F4vb69XGX9mbKO67MoXgwlVowaRvVUBM0jAkaRo1gknF1sO CXLuogbOomTHcutlBsXtF0FBphLFx7YA8w4jtWnjnFW7wBzZ5dQ= =/4r7 -----END PGP SIGNATURE-----

CVE-2021-29628

Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl to escalate privileges on affected devices. An attacker must first obtain the ability to execute low-privileged code on the target device in order to exploit this vulnerability.

**Summary**

A privilege escalation vulnerability exists in the tdts.ko chrdev\_ioctl\_handle functionality of Trend Micro, Inc. Home Network Security 6.1.567. A specially crafted ioctl can lead to increased privileges. An attacker can issue an ioctl to trigger this vulnerability.

**Tested Versions**

Trend Micro, Inc. Home Network Security 6.1.567

**Product URLs**

https://www.trendmicro.com/en\_us/forHome/products/homenetworksecurity.html

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

The Home Network Security Station is a device used to monitor and protect home networks from security threats as well as offer simple network management features. The Station provides vulnerability scanning, web threat protection, intrusion prevention, as well as device-based access control for all devices on a home network.

This vulnerability is caused by the lack of input validation on a user’s ioctl request from user land. The upper 16 bits from the ioctl request (AND with 0x3FFF, so 14 bits total) are blindly used as input to __memzero to a stack-based buffer in kernel space. The stack-based buffer is smaller than the maximum ioctl request copy size of 0x3FFF and thus overflows. A user can leverage this to write \\x00 to a large portion of the kernel stack causing a kernel panic and in turn, a denial of service. This could potentially also be leveraged into a privilege escalation vulnerability.

    chrdev_ioctl_handle:
    0000074c  10402de9   push    {r4, lr} {__saved_lr} {__saved_r4}
    00000750  5034e7e7   ubfx    r3, r0, #0x8, #0x8
    00000754  be0053e3   cmp     r3, #0xbe
    00000758  1800e013   mvnne   r0, #0x18  {0xffffffe7}
    0000075c  38d04de2   sub     sp, sp, #0x38
    00000760  2900001a   bne     0x80c
    
    // Check that the bits 8-15 are 0xbe in the IOCTL request
    00000764  ff0010e3   tst     r0, #0xff
    00000768  1500e003   mvneq   r0, #0x15  {0xffffffea}
    0000076c  2600000a   beq     0x80c
    
    00000770  0d20a0e1   mov     r2, sp {var_40}
    00000774  000050e3   cmp     r0, #0
    00000778  7f3dc2e3   bic     r3, r2, #0x1fc0 {var_40}
    // Extract the size of the buffer encoded in the IOCTL request
    0000077c  5028ede7   ubfx    r2, r0, #0x10, #0xe
    00000780  3f30c3e3   bic     r3, r3, #0x3f
    00000784  380000ba   blt     0x86c
    
    // Sanity checks to make sure that the encoded size is not negative
    0000086c  084093e5   ldr     r4, [r3,  #0x8]
    00000870  020091e0   add.s   r0, r1, r2
    00000874  0400d030   sbc.slo r0, r0, r4
    00000878  0040a033   movlo   r4, #0
    0000087c  000054e3   cmp     r4, #0
    00000880  c3ffff0a   beq     0x794
    
    00000794  083093e5   ldr     r3, [r3,  #0x8]
    00000798  020091e0   add.s   r0, r1, r2
    0000079c  0300d030   sbc.slo r0, r0, r3
    000007a0  0030a033   movlo   r3, #0
    000007a4  000053e3   cmp     r3, #0
    000007a8  2a00000a   beq     0x858
    
    // Ensure that r2 is not zero
    000007ac  000052e3   cmp     r2, #0
    000007b0  3400001a   bne     0x888
    
    // Vulnerable __memzero with user provided length and set size stack-buffer
    00000888  0d00a0e1   mov     r0, sp {var_40}
    0000088c  0210a0e1   mov     r1, r2
    00000890  b16901eb   bl      __memzero
    

**Crash Information**

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = 8faac000
    [00000000] pgd=6b222831, pte=00000000, ppte=00000000
    Internal error: Oops: 80000017 [#1] SMP ARM
    Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    CPU: 0 PID: 1539 Comm: poc2 Tainted: P           O 3.10.70 #2
    task: 8f966000 ti: 8fad2000 task.ti: 8fad2000
    PC is at 0x0
    LR is at 0x0
    pc : [<00000000>]    lr : [<00000000>]    psr: 00000013
    sp : 8fad3f28  ip : 00000000  fp : 7efffc24
    r10: 00000000  r9 : 8fad2000  r8 : 8fae9540
    r7 : 00000003  r6 : 8fae9540  r5 : ffffffff  r4 : 00000000
    r3 : 00000000  r2 : 00000000  r1 : ffffffff  r0 : fffffff2
    Flags: nzcv  IRQs on  FIQs on  Mode SVC32  ISA ARM  Segment user
    Control: 10c53c7d  Table: 6faac06a  DAC: 00000015
    Process poc2 (pid: 1539, stack limit = 0x8fad2238)
    Stack: (0x8fad3f28 to 0x8fad4000)
    3f20:                   00000000 00000000 00000000 00000000 00000000 00000000
    3f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3f80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fa0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fe0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    Code: bad PC value
    ---[ end trace 7b9adcd427e025e9 ]---
    Dec  2 21:12:17 Diamond user.alert kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000
    Dec  2 21:12:17 Diamond user.alert kernel: pgd = 8faac000
    Dec  2 21:12:17 Diamond user.alert kernel: [00000000] pgd=6b222831, pte=00000000, ppte=00000000
    Dec  2 21:12:17 Diamond user.emerg kernel: Internal error: Oops: 80000017 [#1] SMP ARM
    Dec  2 21:12:17 Diamond user.warn kernel: Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    Dec  2 21:12:17 Diamond user.warn kernel: CPU: 0 PID: 1539 Comm: poc2 Tainted: P           O 3.10.70 #2
    Dec  2 21:12:17 Diamond user.warn kernel: task: 8f966000 ti: 8fad2000 task.ti: 8fad2000
    Dec  2 21:12:17 Diamond user.warn kernel: PC is at 0x0
    Dec  2 21:12:17 Diamond user.warn kernel: LR is at 0x0
    Dec  2 21:12:17 Diamond user.warn kernel: pc : [<00000000>]    lr : [<00000000>]    psr: 00000013Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = 8fa68000
    [00000000] pgd=6f924831, pte=00000000, ppte=00000000
    Internal error: Oops: 80000017 [#2] SMP ARM
    Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    CPU: 0 PID: 559 Comm: syslogd Tainted: P      D    O 3.10.70 #2
    task: 8f92c3c0 ti: 8fa60000 task.ti: 8fa60000
    PC is at 0x0
    LR is at calltimerfn.isra.35+0x24/0x84
    pc : [<00000000>]    lr : [<8002cabc>]    psr: 60000113
    sp : 8fa61d90  ip : 00000000  fp : 00000004
    r10: 00000001  r9 : 80548894  r8 : 805140c0
    r7 : 00000000  r6 : 00000100  r5 : 8fa60000  r4 : 8fa60010
    r3 : 8fa61d90  r2 : 00000000  r1 : 00000000  r0 : 00000000
    Flags: nZCv  IRQs on  FIQs on  Mode SVC32  ISA ARM  Segment user
    Control: 10c53c7d  Table: 6fa6806a  DAC: 00000015
    Process syslogd (pid: 559, stack limit = 0x8fa60238)
    Stack: (0x8fa61d90 to 0x8fa62000)
    1d80:                                     00000000 00000022 8f8059c0 80548080
    1da0: 8fa61db0 00000000 00200200 8002cc9c 8fa61db0 8fa61db0 ffffbfcc 00000101
    1dc0: 80514084 00000004 8fa60000 00000100 8fa60018 80026d2c 00000001 00015220
    1de0: 00000000 805106c0 80547e40 0000000a ffffbfcd 805140c0 80526524 00400040
    1e00: 00000000 60000193 00000022 00000000 f8200100 8f1d7e00 8f86f410 a0000013
    1e20: 8f87e061 80026ea4 80510cc4 800270e0 80510cc4 8000ee44 f820010c 8051a7f8
    1e40: 8fa61e60 8000857c 803aaf18 60000013 ffffffff 8fa61e94 8f1d7e00 8000db80
    1e60: 8f86f410 60000013 00000070 00006adc 00000000 8f819000 00000000 00000061
    1e80: 8f1d7e00 8f86f410 a0000013 8f87e061 00000000 8fa61ea8 801daac8 803aaf18
    1ea0: 60000013 ffffffff 801daa18 00000062 8f87e000 8f1d7e00 8fa00a70 8fa60010
    1ec0: 8fa00800 803c1ab8 8fae99c0 801c4b2c 00000000 8f87e000 00000000 8f1d7f4c
    1ee0: 8ad51000 00000000 8f92c3c0 800480dc 8f1d7f50 8f1d7f50 00000041 00000062
    1f00: 8f1d7e00 000be334 00000062 8fae99c0 00000000 8fa60000 8fa60000 801c1a04
    1f20: 8f442080 801c4860 8f1d2380 00000062 00000000 8fae99c0 00000062 000be334
    1f40: 8fa61f80 801c1bac 00000062 00000000 7ef0ac14 800bf350 8ad51000 8fae99c8
    1f60: 8f442080 8fae99c0 000be334 00000000 00000000 00000000 00000062 800bf8c4
    1f80: 00000000 00000000 00000000 000bde08 00000062 000be334 00000004 8000e0e8
    1fa0: 8fa60000 8000df40 000bde08 00000062 00000005 000be334 00000062 00000000
    1fc0: 000bde08 00000062 000be334 00000004 00000001 000bde40 00000062 7ef0ac14
    1fe0: 00000000 7ef0ab54 0001d488 76f0100c 60000010 00000005 00000000 00000000
    [<8002cabc>] (calltimerfn.isra.35+0x24/0x84) from [<8002cc9c>] (runtimersoftirq+0x180/0x204)
    [<8002cc9c>] (runtimersoftirq+0x180/0x204) from [<80026d2c>] (dosoftirq+0x108/0x1e0)
    [<80026d2c>] (dosoftirq+0x108/0x1e0) from [<80026ea4>] (dosoftirq+0x50/0x58)
    [<80026ea4>] (dosoftirq+0x50/0x58) from [<800270e0>] (irqexit+0x5c/0x94)
    [<800270e0>] (irqexit+0x5c/0x94) from [<8000ee44>] (handleIRQ+0x44/0x90)
    [<8000ee44>] (handleIRQ+0x44/0x90) from [<8000857c>] (gichandleirq+0x2c/0x5c)
    [<8000857c>] (gichandleirq+0x2c/0x5c) from [<8000db80>] (irqsvc+0x40/0x50)
    Exception stack(0x8fa61e60 to 0x8fa61ea8)
    1e60: 8f86f410 60000013 00000070 00006adc 00000000 8f819000 00000000 00000061
    1e80: 8f1d7e00 8f86f410 a0000013 8f87e061 00000000 8fa61ea8 801daac8 803aaf18
    1ea0: 60000013 ffffffff
    [<8000db80>] (irqsvc+0x40/0x50) from [<803aaf18>] (rawspinunlockirqrestore+0x1c/0x20)
    [<803aaf18>] (rawspinunlockirqrestore+0x1c/0x20) from [<801daac8>] (uartwrite+0xb0/0xd0)
    [<801daac8>] (uartwrite+0xb0/0xd0) from [<801c4b2c>] (nttywrite+0x2cc/0x450)
    [<801c4b2c>] (nttywrite+0x2cc/0x450) from [<801c1a04>] (ttywrite+0x10c/0x2b4)
    [<801c1a04>] (ttywrite+0x10c/0x2b4) from [<800bf350>] (vfswrite+0xb0/0x194)
    [<800bf350>] (vfswrite+0xb0/0x194) from [<800bf8c4>] (SySwrite+0x3c/0x78)
    [<800bf8c4>] (SySwrite+0x3c/0x78) from [<8000df40>] (retfastsyscall+0x0/0x30)
    Code: bad PC value
    ---[ end trace 7b9adcd427e025ea ]---
    Kernel panic - not syncing: Fatal exception in interrupt***
    

**Timeline**

2021-01-22 - Vendor Disclosure  
2021-04-06 - 75+ day follow up  
2021-04-20 - Talos granted timeline extension for disclosure  
2021-05-20 - Vendor Patched  
2021-05-24 - Public Release

Discovered by Carl Hurd and Kelly Leuschner of Cisco Talos.

CVE-2021-32457: TALOS-2021-1230 || Cisco Talos Intelligence Group

A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.

*   _To_: debian-lts-announce@lists.debian.org
*   _Subject_: \[SECURITY\] \[DLA 2494-1\] linux security update
*   _From_: Ben Hutchings <benh@debian.org\>
*   _Date_: Fri, 18 Dec 2020 13:14:03 +0100
*   _Message-id_: <\[🔎\] X9ydCyUsbWug4irr@decadent.org.uk\>
*   _Mail-followup-to_: debian-lts@lists.debian.org
*   _Reply-to_: debian-lts@lists.debian.org

\-------------------------------------------------------------------------
Debian LTS Advisory DLA-2494-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
December 18, 2020                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux
Version        : 4.9.246-2
CVE ID         : CVE-2020-0427 CVE-2020-8694 CVE-2020-14351 CVE-2020-25645 
                 CVE-2020-25656 CVE-2020-25668 CVE-2020-25669 CVE-2020-25704 
                 CVE-2020-25705 CVE-2020-27673 CVE-2020-27675 CVE-2020-28974

Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service or information leaks.

CVE-2020-0427

    Elena Petrova reported a bug in the pinctrl subsystem that can
    lead to a use-after-free after a device is renamed.  The security
    impact of this is unclear.

CVE-2020-8694

    Multiple researchers discovered that the powercap subsystem
    allowed all users to read CPU energy meters, by default.  On
    systems using Intel CPUs, this provided a side channel that could
    leak sensitive information between user processes, or from the
    kernel to user processes.  The energy meters are now readable only
    by root, by default.

    This issue can be mitigated by running:

        chmod go-r /sys/devices/virtual/powercap/\*/\*/energy\_uj

    This needs to be repeated each time the system is booted with
    an unfixed kernel version.

CVE-2020-14351

    A race condition was discovered in the performance events
    subsystem, which could lead to a use-after-free.  A local user
    permitted to access performance events could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

    Debian's kernel configuration does not allow unprivileged users to
    access peformance events by default, which fully mitigates this
    issue.

CVE-2020-25645

    A flaw was discovered in the interface driver for GENEVE
    encapsulated traffic when combined with IPsec. If IPsec is
    configured to encrypt traffic for the specific UDP port used by the
    GENEVE tunnel, tunneled data isn't correctly routed over the
    encrypted link and sent unencrypted instead.

CVE-2020-25656

    Yuan Ming and Bodong Zhao discovered a race condition in the
    virtual terminal (vt) driver that could lead to a use-after-free.
    A local user with the CAP\_SYS\_TTY\_CONFIG capability could use this
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2020-25668

    Yuan Ming and Bodong Zhao discovered a race condition in the
    virtual terminal (vt) driver that could lead to a use-after-free.
    A local user with access to a virtual terminal, or with the
    CAP\_SYS\_TTY\_CONFIG capability, could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2020-25669

    Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd)
    that could lead to a use-after-free.  On a system using this
    driver, a local user could use this to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25704

    kiyin(尹亮) discovered a potential memory leak in the performance
    events subsystem.  A local user permitted to access performance
    events could use this to cause a denial of service (memory
    exhaustion).

    Debian's kernel configuration does not allow unprivileged users to
    access peformance events by default, which fully mitigates this
    issue.

CVE-2020-25705

    Keyu Man reported that strict rate-limiting of ICMP packet
    transmission provided a side-channel that could help networked
    attackers to carry out packet spoofing.  In particular, this made
    it practical for off-path networked attackers to "poison" DNS
    caches with spoofed responses ("SAD DNS" attack).

    This issue has been mitigated by randomising whether packets are
    counted against the rate limit.

CVE-2020-27673 / XSA-332

    Julien Grall from Arm discovered a bug in the Xen event handling
    code.  Where Linux was used in a Xen dom0, unprivileged (domU)
    guests could cause a denial of service (excessive CPU usage or
    hang) in dom0.

CVE-2020-27675 / XSA-331

    Jinoh Kang of Theori discovered a race condition in the Xen event
    handling code.  Where Linux was used in a Xen dom0, unprivileged
    (domU) guests could cause a denial of service (crash) in dom0.

CVE-2020-28974

    Yuan Ming discovered a bug in the virtual terminal (vt) driver
    that could lead to an out-of-bounds read.  A local user with
    access to a virtual terminal, or with the CAP\_SYS\_TTY\_CONFIG
    capability, could possibly use this to obtain sensitive
    information from the kernel or to cause a denial of service
    (crash).

    The specific ioctl operation affected by this bug
    (KD\_FONT\_OP\_COPY) has been disabled, as it is not believed that
    any programs depended on it.

For Debian 9 stretch, these problems have been fixed in version
4.9.246-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

**Attachment: signature.asc**  
_Description:_ PGP signature

**Reply to:**

*   debian-lts-announce@lists.debian.org
*   Ben Hutchings (on-list)
*   Ben Hutchings (off-list)

*   Prev by Date: **\[SECURITY\] \[DLA 2499-1\] sympa security update**
*   Next by Date: **\[SECURITY\] \[DLA 2467-2\] lxml regression update**
*   Previous by thread: **\[SECURITY\] \[DLA 2499-1\] sympa security update**
*   Next by thread: **\[SECURITY\] \[DLA 2467-2\] lxml regression update**
*   Index(es):
    *   **Date**
    *   **Thread**

Tag

#intel