Bug 1205033 - (CVE-2022-44638) VUL-0: CVE-2022-44638: pixman: integer overflow in pixman_sample_floor_y leading to heap out-of-bounds write
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/347022/
CVSSv3.1:SUSE:CVE-2022-44638:8.8:(AV:...
Depends on:
Blocks:
Reported: 2022-11-04 08:38 UTC by Carlos López
Modified: 2022-11-28 14:23 UTC (History)
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Reproducer (1.58 KB, text/x-csrc)
2022-11-04 08:45 UTC, Alexander Bergmann

Description Carlos López 2022-11-04 08:38:57 UTC
rh#2139988

In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.

https://gitlab.freedesktop.org/pixman/pixman/-/issues/63

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2139988
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44638
https://www.cve.org/CVERecord?id=CVE-2022-44638
http://www.cvedetails.com/cve/CVE-2022-44638/
https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
Comment 1 Carlos López 2022-11-04 08:40:39 UTC
Affected:
- SUSE:SLE-11-SP3:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory

Patch:
https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395
Comment 2 Alexander Bergmann 2022-11-04 08:45:19 UTC
Created attachment 862643 [details]
Reproducer

SLE-15-SP4 Reproducer:

$ gcc CVE-2022-44638-poc.c -I/usr/include/pixman-1/ -ldl -fsanitize=address -o CVE-2022-44638-poc

$ ./CVE-2022-44638-poc
=================================================================
==1197==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000009b1 at pc 0x7f5adb3eb1b8 bp 0x7ffe2bbb5900 sp 0x7ffe2bbb50b0
WRITE of size 10 at 0x61b0000009b1 thread T0
    #0 0x7f5adb3eb1b7  (/usr/lib64/libasan.so.4+0x5f1b7)
    #1 0x7f5ad748f7ca in pixman_rasterize_edges (/usr/lib64/libpixman-1.so.0.40.0+0x387ca)
    #2 0x7f5ad74b6e04 in pixman_rasterize_trapezoid (/usr/lib64/libpixman-1.so.0.40.0+0x5fe04)
    #3 0x400f1c in main (/root/poc+0x400f1c)
    #4 0x7f5adadc829c in __libc_start_main (/lib64/libc.so.6+0x3529c)
    #5 0x4008b9 in _start (/root/poc+0x4008b9)

Address 0x61b0000009b1 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.4+0x5f1b7) 
Shadow bytes around the buggy address:
  0x0c367fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fff8130: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
  0x0c367fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1197==ABORTING
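Triage helper for the AddressSanitizer report in the comment above, added here as an illustration; it is not part of this bug report, of the attached reproducer or of pixman. It parses the error header, the access line and the faulting stack into structured fields, and derives a run-independent deduplication key from the error kind, the access type and the top frames outside the sanitizer runtime, so that repeated crashes from a fuzzer or a CI job can be grouped before anyone reads them by hand. The sample text is the report from this comment with the shadow-byte dump left out; the field names, the `SANITIZER_MODULES` list and the severity thresholds are my own choices.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The AddressSanitizer output from the reproducer comment above; the
# shadow-byte dump is omitted because the parser does not need it.
SAMPLE_REPORT = """\
=================================================================
==1197==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000009b1 at pc 0x7f5adb3eb1b8 bp 0x7ffe2bbb5900 sp 0x7ffe2bbb50b0
WRITE of size 10 at 0x61b0000009b1 thread T0
    #0 0x7f5adb3eb1b7  (/usr/lib64/libasan.so.4+0x5f1b7)
    #1 0x7f5ad748f7ca in pixman_rasterize_edges (/usr/lib64/libpixman-1.so.0.40.0+0x387ca)
    #2 0x7f5ad74b6e04 in pixman_rasterize_trapezoid (/usr/lib64/libpixman-1.so.0.40.0+0x5fe04)
    #3 0x400f1c in main (/root/poc+0x400f1c)
    #4 0x7f5adadc829c in __libc_start_main (/lib64/libc.so.6+0x3529c)
    #5 0x4008b9 in _start (/root/poc+0x4008b9)

Address 0x61b0000009b1 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.4+0x5f1b7)
==1197==ABORTING
"""

# Error header of the access-violation family (errors that report an address).
HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) "
                       r"on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) "
                       r"thread (?P<thread>T\d+)")
# Frame line with or without a symbol: "#1 0x.. in func (mod+0x..)" / "#0 0x..  (mod+0x..)"
FRAME_RE = re.compile(r"^\s+#(?P<idx>\d+) (?P<pc>0x[0-9a-f]+)(?: in (?P<func>\S+))?\s+"
                      r"\((?P<module>[^+]+)\+(?P<off>0x[0-9a-f]+)\)")
SANITIZER_MODULES = ("libasan", "libclang_rt.asan")  # runtime frames, not the target's code


@dataclass
class Frame:
    idx: int
    pc: int
    func: Optional[str]   # None when the frame is not symbolized
    module: str
    offset: int


@dataclass
class AsanReport:
    pid: int
    kind: str                    # e.g. "heap-buffer-overflow"
    address: int
    op: Optional[str] = None     # "READ" or "WRITE"
    size: Optional[int] = None   # bytes accessed
    thread: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)  # faulting stack only
    wild_pointer: bool = False   # ASan could not tie the address to an allocation


def parse_asan_report(text: str) -> AsanReport:
    report, stack_done = None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m["pid"]), m["kind"], int(m["addr"], 16))
            continue
        if report is None:
            continue                          # banner or output before the header
        if not line.strip():
            stack_done = bool(report.frames)  # blank line closes the faulting stack
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.op, report.size, report.thread = m["op"], int(m["size"]), m["thread"]
            continue
        m = FRAME_RE.match(line)
        if m and not stack_done:
            report.frames.append(Frame(int(m["idx"]), int(m["pc"], 16), m["func"],
                                       m["module"], int(m["off"], 16)))
            continue
        if line.startswith("Address ") and line.endswith("is a wild pointer."):
            report.wild_pointer = True
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Dedup key from error kind, access type and the first `depth` symbolized
    frames outside the sanitizer runtime; PIDs and addresses vary per run (ASLR)."""
    funcs = [f.func for f in report.frames
             if f.func and not any(s in f.module for s in SANITIZER_MODULES)]
    key = "|".join([report.kind, report.op or "?", *funcs[:depth]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def severity_hint(report: AsanReport) -> str:
    """Coarse first-pass rating (my own thresholds): a corrupting WRITE is high."""
    corrupting = ("heap-buffer-overflow", "stack-buffer-overflow",
                  "global-buffer-overflow", "heap-use-after-free")
    if report.kind in corrupting:
        return "high" if report.op == "WRITE" else "medium"
    return "unknown"


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(f"{r.kind}: {r.op} of {r.size} bytes at {r.address:#x} (wild pointer: {r.wild_pointer})")
    print("call chain:", " <- ".join(f.func or "?" for f in r.frames))
    print("signature:", crash_signature(r), "severity:", severity_hint(r))
```

The signature deliberately skips the unsymbolized libasan frame and everything below the third application frame, so two runs of the same reproducer on different hosts (different PID, different load addresses) collapse to one bucket, while a write reached through a different call chain stays separate.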
Comment 5 Swamp Workflow Management 2022-11-21 14:24:44 UTC
SUSE-SU-2022:4148-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205033
CVE References: CVE-2022-44638
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    pixman-0.34.0-150000.7.5.1
openSUSE Leap 15.3 (src):    pixman-0.34.0-150000.7.5.1
SUSE Manager Server 4.1 (src):    pixman-0.34.0-150000.7.5.1
SUSE Manager Retail Branch Server 4.1 (src):    pixman-0.34.0-150000.7.5.1
SUSE Manager Proxy 4.1 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server for SAP 15 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-LTSS (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Micro 5.2 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Micro 5.1 (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    pixman-0.34.0-150000.7.5.1
SUSE Enterprise Storage 7 (src):    pixman-0.34.0-150000.7.5.1
SUSE Enterprise Storage 6 (src):    pixman-0.34.0-150000.7.5.1
SUSE CaaS Platform 4.0 (src):    pixman-0.34.0-150000.7.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-11-23 20:22:04 UTC
SUSE-SU-2022:4206-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205033
CVE References: CVE-2022-44638
JIRA References: 
Sources used:
openSUSE Leap Micro 5.3 (src):    pixman-0.40.0-150400.3.3.1
openSUSE Leap 15.4 (src):    pixman-0.40.0-150400.3.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src):    pixman-0.40.0-150400.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    pixman-0.40.0-150400.3.3.1
SUSE Linux Enterprise Micro 5.3 (src):    pixman-0.40.0-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-11-28 14:23:54 UTC
SUSE-SU-2022:4249-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205033
CVE References: CVE-2022-44638
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    pixman-0.34.0-8.3.1
SUSE OpenStack Cloud 9 (src):    pixman-0.34.0-8.3.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server 12-SP5 (src):    pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    pixman-0.34.0-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.