Bug 1186718 (CVE-2015-4493)

Stagefright: heap-buffer-overflow crash [@stagefright::ESDS::parseESDescriptor]

VERIFIED FIXED in Firefox 40

Status

()

defect
--
critical
VERIFIED FIXED
4 years ago
4 years ago

People

(Reporter: tsmith, Assigned: jya)

Tracking

(Blocks 1 bug, {crash, csectype-bounds, sec-high})

unspecified
mozilla42
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox39 wontfix, firefox40+ fixed, firefox41+ fixed, firefox42+ fixed, firefox-esr31 unaffected, firefox-esr3840+ fixed, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S fixed, b2g-v2.2 fixed, b2g-v2.2r fixed, b2g-master fixed)

Details

(Whiteboard: [adv-main40+][adv-esr38.2+][post-critsmash-triage])

Attachments

(1 attachment)

Reporter

Description

4 years ago
Looks similar to Bug 1184871 but it's a heap-buffer-overflow not UAF.

==8659==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6080003bfe2d at pc 0x7f6d64764423 bp 0x7f6cde479850 sp 0x7f6cde479848
READ of size 1 at 0x6080003bfe2d thread T819 (MediaPl~back #1)
    #0 0x7f6d64764422 in parseESDescriptor /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp:157
    #1 0x7f6d64744dd5 in parse /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp:121
    #2 0x7f6d6474fb60 in GetTrackInfo /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/binding/MP4Metadata.cpp:198
    #3 0x7f6d69322a70 in MP4TrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:206
    #4 0x7f6d693217a1 in GetTrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:145
    #5 0x7f6d68ef7a26 in OnDemuxerInitDone /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/MediaFormatReader.cpp:309
    #6 0x7f6d68f6d1f6 in RejectValue /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:433
    #7 0x7f6d68f6add2 in DoResolveOrReject /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:383
    #8 0x7f6d68f6a77f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:316
    #9 0x7f6d68e6dd0a in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:180
    #10 0x7f6d69005995 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/TaskQueue.cpp:257
    #11 0x7f6d649253d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
    #12 0x7f6d6492578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
    #13 0x7f6d6491f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #14 0x7f6d6498df1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #15 0x7f6d651f755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #16 0x7f6d6518345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #17 0x7f6d6491b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #18 0x7f6d73148135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #19 0x7f6d7666fe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
    #20 0x7f6d7576c31c in ?? /build/buildd/eglibc-2.15/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:112

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c108006ff70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108006ff80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108006ff90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108006ffa0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c108006ffb0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 04 fa
=>0x0c108006ffc0: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c108006ffd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108006ffe0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c108006fff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080070000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080070010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
Thread T819 (MediaPl~back #1) created by T0 here:
    #0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
    #1 0x7f6d73144abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f6d7314463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f6d6491cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7f6d64922cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7f6d649243be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
    #6 0x7f6d64925c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
    #7 0x7f6d690040f9 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
    #8 0x7f6d68fc8bec in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/mozilla/TaskQueue.h:47
    #9 0x7f6d68e6d67c in DispatchTaskGroup /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:232
    #10 0x7f6d68e6c322 in ~AutoTaskDispatcher /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:87
    #11 0x7f6d68e6b471 in reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/Maybe.h:373
    #12 0x7f6d68e6b610 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:621
    #13 0x7f6d69ec5125 in assign_assuming_AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/widget/../dist/include/nsCOMPtr.h:336
    #14 0x7f6d69ec5ccd in AfterProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.h:95
    #15 0x7f6d6491f7a0 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:881
    #16 0x7f6d6498df1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #17 0x7f6d651f65e9 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #18 0x7f6d6518345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #19 0x7f6d69ec38d7 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #20 0x7f6d6bc200f8 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:280
    #21 0x7f6d6bd28e17 in XRE_mainRun /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4288
    #22 0x7f6d6bd29e75 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4385
    #23 0x7f6d6bd2acf5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4474
    #24 0x48a6e4 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
    #25 0x7f6d7569976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226

==8659==ABORTING
Adding bug 1184871 to "See Also" crashes in the same function but different stacks.
See Also: → 1184871
Assignee

Updated

4 years ago
Assignee: nobody → jyavenard
Assignee

Comment 2

4 years ago
Attachment #8639010 - Flags: review?(ajones)
Assignee

Updated

4 years ago
Blocks: 1184871
See Also: 1184871
Attachment #8639010 - Flags: review?(ajones) → review+
Assignee

Comment 3

4 years ago
Comment on attachment 8639010 [details] [diff] [review]
Ensure ESDS have valid size.



[Security approval request comment]
>How easily could an exploit be constructed based on the patch?

Craft special MP4 with an invalid ESDS atom.

>Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No. Was careful to use a commit message only describing the outcome ; not the reason for doing so.

> Which older supported branches are affected by this flaw?

35 and all using libstagefright, affects ESR38.

> If not all supported branches, which bug introduced the flaw?

We have several bugs at play, introducing different flaws.
libstagefright was introduced in bug 908503. However it was only made active by default on windows for FF 35 (bug 1057879)

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Patch will apply on all branches.

> How likely is this patch to cause regressions; how much testing does it need?

Can't think of any.
Attachment #8639010 - Flags: sec-approval?
Assignee

Comment 4

4 years ago
Comment on attachment 8639010 [details] [diff] [review]
Ensure ESDS have valid size.

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined:  Crashes
Fix Landed on Version: Not yet. Wanting to do them all within a very short timeframe.
Risk to taking this patch (and alternatives if risky): Very low
String or UUID changes made by this patch: None

Approval Request Comment
[Feature/regressing bug #]: 908503
[User impact if declined]: Crashes
[Describe test coverage new/current, TreeHerder]: try run, local test
[Risks and why]: Very low
[String/UUID change made/needed]: None
Attachment #8639010 - Flags: approval-mozilla-esr38?
Attachment #8639010 - Flags: approval-mozilla-beta?
Attachment #8639010 - Flags: approval-mozilla-aurora?
There's no sec rating on this bug. The fix looks straightforward but I don't know if we need this in 40 beta8 and ESR38. What rating do you think this bug should have?
It's not clear how much data this can scoop up into playback to be read later. Conservatively I'm going to say "lots" and call it sec-high, but it might really be more sec-moderate.
Keywords: sec-high
Comment on attachment 8639010 [details] [diff] [review]
Ensure ESDS have valid size.

sec-approval = dveditz
Attachment #8639010 - Flags: sec-approval? → sec-approval+
Comment on attachment 8639010 [details] [diff] [review]
Ensure ESDS have valid size.

Now that we have sec-approval, let's get this on all active Firefox branches.
Attachment #8639010 - Flags: approval-mozilla-esr38?
Attachment #8639010 - Flags: approval-mozilla-esr38+
Attachment #8639010 - Flags: approval-mozilla-beta?
Attachment #8639010 - Flags: approval-mozilla-beta+
Attachment #8639010 - Flags: approval-mozilla-aurora?
Attachment #8639010 - Flags: approval-mozilla-aurora+
Assignee

Comment 13

4 years ago
It's not as high as bug 1185115, but it's probably even more easily exploitable (which will result in a crash on 32 bits system)
https://hg.mozilla.org/mozilla-central/rev/a674c7019cb5
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Whiteboard: [adv-main40+][adv-esr38.2+]
Whiteboard: [adv-main40+][adv-esr38.2+] → [adv-main40+][adv-esr38.2+][post-critsmash-triage]
Reporter

Comment 16

4 years ago
I haven't seen this issue since I updated to a build with the fix.
Status: RESOLVED → VERIFIED
Alias: CVE-2015-4493
Duplicate of this bug: 1181731

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.