1063327 - (CVE-2014-1578) OOB write in get_tile

Status: VERIFIED FIXED

(Core :: Audio/Video, defect)

Description

[Abhishek Arya]

Attachment: Testcase (webm depedency coming in next comment)

=================================================================
==24164==ERROR: AddressSanitizer: SEGV on unknown address 0x62efc607675c (pc 0x7fd5dda2a9a8 bp 0x7fd5b61c89a0 sp 0x7fd5b61c7500 T32)
    #0 0x7fd5dda2a9a7 in vp9_decode_frame media/libvpx/vp9/decoder/vp9_decodframe.c:51:3
    #1 0x7fd5dda36d0d in vp9_receive_compressed_data media/libvpx/vp9/decoder/vp9_onyxd_if.c:348:13
    #2 0x7fd5ddb04aa8 in vp9_decode media/libvpx/vp9/vp9_dx_iface.c:349:9
    #3 0x7fd5ddb06586 in vpx_codec_decode media/libvpx/vpx/src/vpx_decoder.c:127:11
    #4 0x7fd5daac6fb6 in mozilla::WebMReader::DecodeVideoFrame(bool&, long) content/media/webm/WebMReader.cpp:916:9
    #5 0x7fd5da7e0074 in mozilla::MediaDecoderReader::RequestVideoData(bool, long) content/media/MediaDecoderReader.cpp:167:10
    #6 0x7fd5da896b98 in nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), void, true>::Run() objdir-ff-asan/content/media/../../dist/include/nsThreadUtils.h:388:7
    #7 0x7fd5da871b12 in mozilla::MediaTaskQueue::Runner::Run() content/media/MediaTaskQueue.cpp:194:3
    #8 0x7fd5d500747a in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:220:7
    #9 0x7fd5d5007a3c in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:234:1
    #10 0x7fd5d4ffdc0a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:823:7
    #11 0x7fd5d5071e92 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #12 0x7fd5d5ca75d7 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:326:20
    #13 0x7fd5d5c348b0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #14 0x7fd5d4ff7b9b in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:350:5
    #15 0x7fd5e62ac780 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:212:5
    #16 0x7fd5ea9dbf6d in start_thread /build/buildd/eglibc-2.17/nptl/pthread_create.c:311
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T32 (Media Decode #2) created by T31 (Media Decode #1) here:
    #0 0x43a1be in __interceptor_pthread_create _asan_rtl_
    #1 0x7fd5e62a949f in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:453:14
    #2 0x7fd5e62a901a in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:544:12
    #3 0x7fd5d4ff9d3d in nsThread::Init() xpcom/threads/nsThread.cpp:455:19
    #4 0x7fd5d50039c3 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:269:17
    #5 0x7fd5d5005a06 in nsThreadPool::PutEvent(nsIRunnable*) xpcom/threads/nsThreadPool.cpp:101:3
    #6 0x7fd5d5007ff0 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) xpcom/threads/nsThreadPool.cpp:261:5
    #7 0x7fd5da872129 in mozilla::MediaTaskQueue::Runner::Run() content/media/MediaTaskQueue.cpp:225:19
    #8 0x7fd5d500747a in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:220:7
    #9 0x7fd5d5007a3c in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:234:1
    #10 0x7fd5d4ffdc0a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:823:7
    #11 0x7fd5d5071e92 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #12 0x7fd5d5ca75d7 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:326:20
    #13 0x7fd5d5c348b0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #14 0x7fd5d4ff7b9b in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:350:5
    #15 0x7fd5e62ac780 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:212:5
    #16 0x7fd5ea9dbf6d in start_thread /build/buildd/eglibc-2.17/nptl/pthread_create.c:311

Thread T31 (Media Decode #1) created by T30 (Media S~hine #1) here:
    #0 0x43a1be in __interceptor_pthread_create _asan_rtl_
    #1 0x7fd5e62a949f in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:453:14
    #2 0x7fd5e62a901a in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:544:12
    #3 0x7fd5d4ff9d3d in nsThread::Init() xpcom/threads/nsThread.cpp:455:19
    #4 0x7fd5d50039c3 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:269:17
    #5 0x7fd5d5005a06 in nsThreadPool::PutEvent(nsIRunnable*) xpcom/threads/nsThreadPool.cpp:101:3
    #6 0x7fd5d5007ff0 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) xpcom/threads/nsThreadPool.cpp:261:5
    #7 0x7fd5da8704ab in mozilla::MediaTaskQueue::DispatchLocked(mozilla::TemporaryRef<nsIRunnable>, mozilla::MediaTaskQueue::DispatchMode) content/media/MediaTaskQueue.cpp:53:17
    #8 0x7fd5da7e1045 in mozilla::MediaTaskQueue::Dispatch(mozilla::TemporaryRef<nsIRunnable>) content/media/MediaTaskQueue.cpp:34:10
    #9 0x7fd5da808273 in mozilla::MediaDecoderStateMachine::EnqueueDecodeMetadataTask() content/media/MediaDecoderStateMachine.cpp:1569:17
    #10 0x7fd5da80f494 in mozilla::MediaDecoderStateMachine::RunStateMachine() content/media/MediaDecoderStateMachine.cpp:2356:14
    #11 0x7fd5da819d5a in mozilla::MediaDecoderStateMachineScheduler::TimeoutExpired(int) content/media/MediaDecoderStateMachineScheduler.cpp:160:10
    #12 0x7fd5d500747a in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:220:7
    #13 0x7fd5d5007a3c in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:234:1
    #14 0x7fd5d4ffdc0a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:823:7
    #15 0x7fd5d5071e92 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #16 0x7fd5d5ca75d7 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:326:20
    #17 0x7fd5d5c348b0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #18 0x7fd5d4ff7b9b in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:350:5
    #19 0x7fd5e62ac780 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:212:5
    #20 0x7fd5ea9dbf6d in start_thread /build/buildd/eglibc-2.17/nptl/pthread_create.c:311

Thread T30 (Media S~hine #1) created by T0 here:
    #0 0x43a1be in __interceptor_pthread_create _asan_rtl_
    #1 0x7fd5e62a949f in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:453:14
    #2 0x7fd5e62a901a in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:544:12
    #3 0x7fd5d4ff9d3d in nsThread::Init() xpcom/threads/nsThread.cpp:455:19
    #4 0x7fd5d50039c3 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:269:17
    #5 0x7fd5d5005a06 in nsThreadPool::PutEvent(nsIRunnable*) xpcom/threads/nsThreadPool.cpp:101:3
    #6 0x7fd5d5007ff0 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) xpcom/threads/nsThreadPool.cpp:261:5
    #7 0x7fd5da818f22 in mozilla::MediaDecoderStateMachineScheduler::Schedule(long) content/media/MediaDecoderStateMachineScheduler.cpp:129:10
    #8 0x7fd5da7bc84b in mozilla::MediaDecoder::ScheduleStateMachineThread() content/media/MediaDecoderStateMachine.cpp:3001:10
    #9 0x7fd5da7c068a in mozilla::MediaDecoder::InitializeStateMachine(mozilla::MediaDecoder*) content/media/MediaDecoder.cpp:572:10
    #10 0x7fd5da53c88a in mozilla::dom::HTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) content/html/content/src/HTMLMediaElement.cpp:2674:17
    #11 0x7fd5da51e39f in mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) content/html/content/src/HTMLMediaElement.cpp:2624:12
    #12 0x7fd5da51ce0a in mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) content/html/content/src/HTMLMediaElement.cpp:350:7
    #13 0x7fd5d52167a4 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) netwerk/base/src/nsBaseChannel.cpp:737:14
    #14 0x7fd5d52691c6 in nsInputStreamPump::OnStateStart() netwerk/base/src/nsInputStreamPump.cpp:531:14
    #15 0x7fd5d52679d4 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:433:25
    #16 0x7fd5d4fb078f in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:88:9
    #17 0x7fd5d4ffdc0a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:823:7
    #18 0x7fd5d5071e92 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #19 0x7fd5d5ca50a4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #20 0x7fd5d5c348b0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #21 0x7fd5d9ced0f2 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164:3
    #22 0x7fd5dd40d242 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:280:19
    #23 0x7fd5dd543979 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4101:10
    #24 0x7fd5dd544a92 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4172:8
    #25 0x7fd5dd545a2c in XRE_main toolkit/xre/nsAppRunner.cpp:4386:16
    #26 0x4bdedd in main browser/app/nsBrowserApp.cpp:282:12
    #27 0x7fd5e9a03de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260

Comment 1

[Abhishek Arya]

static size_t get_tile(const uint8_t *const data_end,
                       int is_last,
                       struct vpx_internal_error_info *error_info,
                       const uint8_t **data) {
....

    size = read_be32(*data);    // size goes bad here since we read oob.
    *data += 4; // oob write.

Comment 2

[Abhishek Arya]

Attachment: Webm file

Comment 3

[Daniel Veditz [:dveditz]]

Don't we get the VP9 code from Google? Did Chrome have this issue (looks like we have an old copy)?

Comment 4

[Abhishek Arya]

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Don't we get the VP9 code from Google? Did Chrome have this issue (looks
> like we have an old copy)?

We don't have get_tile and read_be32 functions. We had many security bugs fixed in vp9 bugs fixed in last one year. I don't seem to find similar crash around those lines. I recommend updating to latest trunk that Chrome uses, which should fix this and many others. Chromium side contact for libvpx is fgalligan [at] chromium [dot] org.

Comment 5

[Andrew McCreight [:mccr8]]

Tim, do you have some idea who could look at this?  Thanks.

Comment 6

[Ralph Giles (:rillian)]

We already have a bug open to bump libvpx to a recent snapshot. I'll update and see if this is resolved.

Comment 7

[Al Billings [:abillings - ex-MoCo]]

Ralph, what is the libvpx bug for bumping the version?

Comment 8

[Ralph Giles (:rillian)]

libvpx bump is bug 1063356. I haven't been able to get to it in the last week.

Comment 9

[David Bolter [:davidb] (NeedInfo me for attention)]

(In reply to Ralph Giles (:rillian) from comment #8)
> libvpx bump is bug 1063356. I haven't been able to get to it in the last
> week.

Please treat sec-criticals with some urgency.

Comment 10

[Ralph Giles (:rillian)]

Bug 1063356 has landed on m-c and I can no longer reproduce with the test case with that version.

We've had this vulnerable code since Dec 2013, though, so all recent versions will we affected. We could uplift the libvpx bump to Aurora, but I don't think that's the best approach for beta, release, esr?

Looking at a direct patch now.

Comment 11

[Ralph Giles (:rillian)]

Attachment: Direct fix: reject frames with invalid tile sizes.

Direct fix for the issue, suitable for uplift to release branches.

I can no longer reproduce the crash with the testcase after applying this patch to m-c.

Comment 12

[Ralph Giles (:rillian)]

Comment on attachment 8498569 [details] [diff] [review]
Direct fix: reject frames with invalid tile sizes.

[Security approval request comment]

> How easily could an exploit be constructed based on the patch?

I don't know. We write at exactly the offset from the buffer base that the file tells us to. Not sure if we can write something other than '4' though. I guess the answer to that is usually 'probably' through subsequent misbehaviour, table copying, etc.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Other than referencing a private bug no. I just say I'm rejecting invalid data.

> Which older supported branches are affected by this flaw?

Since Firefox 29.

> If not all supported branches, which bug introduced the flaw?

All branches after bug 918550 landed, and before bug 1063356 landed, which included an upstream fix in a general update. This patch is for Aurora, Beta, Release, ESR31.

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

The same patch applies to all vulnerable branches.

> How likely is this patch to cause regressions; how much testing does it need?

Unlikely; we reject invalid data we tried to play before. Valid files shouldn't be affected.

Comment 13

[Al Billings [:abillings - ex-MoCo]]

Comment on attachment 8498569 [details] [diff] [review]
Direct fix: reject frames with invalid tile sizes.

sec-approval+ for trunk.
We're building the last Beta build on Oct 2 (today now) so this needs to get into trunk and then be nominated for Aurora and Beta if it is to go in. We're cutting this close but it seems low risk.

Comment 14

[Ralph Giles (:rillian)]

Comment on attachment 8498569 [details] [diff] [review]
Direct fix: reject frames with invalid tile sizes.

Approval Request Comment
[Feature/regressing bug #]: bug 918550
[User impact if declined]: Security vulnerability to malicious files.
[Describe test coverage new/current, TBPL]: Tested manually.
[Risks and why]: We reject some invalid files. No effect on valid files.
[String/UUID change made/needed]: None.

Comment 15

[Ralph Giles (:rillian)]

Comment on attachment 8498569 [details] [diff] [review]
Direct fix: reject frames with invalid tile sizes.

Approval Request Comment
[Feature/regressing bug #]: Bug 918550.
[User impact if declined]: Security vulnerability to malicious files.
[Describe test coverage new/current, TBPL]: Tested manually.
[Risks and why]: Small patch rejects some invalid files we previously tried to play. Risk is low.
[String/UUID change made/needed]: None.

Comment 16

[Ralph Giles (:rillian)]

I believe nightly is fixed by bug 1063356.

Comment 17

[Ralph Giles (:rillian)]

https://hg.mozilla.org/releases/mozilla-aurora/rev/b2eb224bbb03

Comment 18

[Ralph Giles (:rillian)]

https://hg.mozilla.org/releases/mozilla-beta/rev/16aa4dfa9001

Comment 19

[Ryan VanderMeulen [:RyanVM]]

Can we get an esr31 nomination as well?

Comment 20

[Ralph Giles (:rillian)]

Comment on attachment 8498569 [details] [diff] [review]
Direct fix: reject frames with invalid tile sizes.

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-critical
User impact if declined: Security vulnerability to malicious web pages.
Fix Landed on Version: 33, 34
Risk to taking this patch (and alternatives if risky): Low. Patch simply rejects invalid files.
String or UUID changes made by this patch: None.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Comment 21

[Ralph Giles (:rillian)]

Turns out when I said m-c was fixed by bug 1063356, I was testing against subsequent patches I haven't been able to land because of build failures. I've backed out the partial fix and landed this patch.

https://hg.mozilla.org/integration/mozilla-inbound/rev/0d55b8666ca6

Comment 22

[Ralph Giles (:rillian)]

https://hg.mozilla.org/releases/mozilla-esr31/rev/6023f0b4f8ba

Comment 23

[Ralph Giles (:rillian)]

Do I need to do anything for b2g? I think recent firefox os is unaffected because software webm decoding is disabled in favour of hardware.

Comment 24

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/6c2f560e44c4
https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/a7f9278ad6ab

Comment 25

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/0d55b8666ca6

Comment 26

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-b2g32_v2_0m/rev/6c2f560e44c4

Comment 27

[Kamil Jozwiak [:kjozwiak]]

Reproduced the original issue several times using the following build:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1409960700/

Went through the following verification (Used Ubuntu 14.0.4.1 x64):

fx35: PASSED
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1412685533/

fx34: PASSED
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1412679952/

fx33: PASSED
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1412598973/

esr31: PASSED
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-esr31-linux64/1412665501/

Test Cases:

- Opened the poc in several windows/tabs
- Opened the poc in several private windows/tabs
- Opened the poc in several e10s windows/tabs (m-c only)

Comment 28

[Al Billings [:abillings - ex-MoCo]]

Attachment: inferno@chromium.org, 3000?, 2014-09-04, 2014-10-02, 2014-10-13, true