Closed Bug 1196525 Opened 4 years ago Closed 4 years ago

Stagefright - Integer Overflow vulnerability in allocFromUTF8

Categories

(Core :: Audio/Video, defect, P1)

defect

RESOLVED INVALID

People

(Reporter: mozilla-bugs, Assigned: rillian)

Details

(Keywords: sec-other, Whiteboard: [keep hidden until we hear back from reporter, might reveal android bugs])

Attachments

(3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36

Steps to reproduce:

I discovered another serious vulnerability in the Android code brought into Firefox for libstagefright.


Actual results:

An exploitable heap overflow.


Expected results:

An error should be returned and no ill behavior should be witnessed.
Component: Untriaged → Audio/Video
Product: Firefox → Core
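The report names the bug class (an integer overflow in a length computation that feeds an allocation, followed by a copy that overruns the undersized heap buffer) and the expected behaviour (an error return). The following C is an added illustration of that class written for this page; it is not the Android allocFromUTF8 code, not the Mozilla fork, and not the attached patch. It assumes a hypothetical container layout, a 32-bit big-endian length followed by a text payload, and uses two constructed sample buffers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: declared length 0xFFFFFFFF, followed by only three bytes. */
static const uint8_t SAMPLE_WRAP[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C' };
/* Constructed sample: declared length 3, consistent with the bytes present. */
static const uint8_t SAMPLE_OK[]   = { 0x00, 0x00, 0x00, 0x03, 'A', 'B', 'C' };

/* Read a 32-bit big-endian length field (hypothetical layout, see lead-in). */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bug pattern, computed only (nothing is allocated here): the parser adds
 * one byte for a NUL terminator in 32-bit arithmetic. For a declared length of
 * 0xFFFFFFFF the sum wraps to 0, so the allocation would be zero bytes while
 * the subsequent copy would still use the 4 GiB declared length. */
uint32_t unchecked_alloc_size(const uint8_t *buf, size_t buflen) {
    (void)buflen;                 /* the unchecked version never consults the bound */
    uint32_t len = read_be32(buf);
    return len + 1;               /* unsigned wrap-around: 0xFFFFFFFF + 1 == 0 */
}

/* Hardened version: the declared length is bounded by the bytes actually
 * present, the NUL-terminator addition is overflow-checked in size_t, and any
 * failure is reported as an error (NULL) rather than an undersized buffer. */
char *checked_copy_text(const uint8_t *buf, size_t buflen, size_t *out_len) {
    if (buflen < 4) return NULL;                 /* length field incomplete */
    uint32_t len = read_be32(buf);
    if ((size_t)len > buflen - 4) return NULL;   /* claims more than is present */
    if ((size_t)len > SIZE_MAX - 1) return NULL; /* len + 1 would wrap */
    size_t alloc = (size_t)len + 1;
    char *s = malloc(alloc);
    if (!s) return NULL;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    if (out_len) *out_len = len;
    return s;
}

/* Demonstration helper: 1 if the hardened parser accepts buf and the copied
 * text equals expected, 0 if it rejects the input or the text differs. */
int checked_copy_equals(const uint8_t *buf, size_t buflen, const char *expected) {
    size_t n = 0;
    char *s = checked_copy_text(buf, buflen, &n);
    if (!s) return 0;
    int ok = (n == strlen(expected)) && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void) {
    printf("unchecked size for wrapped sample: %u\n",
           unchecked_alloc_size(SAMPLE_WRAP, sizeof SAMPLE_WRAP));
    printf("checked parser accepts wrapped sample: %d\n",
           checked_copy_equals(SAMPLE_WRAP, sizeof SAMPLE_WRAP, "ABC"));
    printf("checked parser accepts valid sample: %d\n",
           checked_copy_equals(SAMPLE_OK, sizeof SAMPLE_OK, "ABC"));
    return 0;
}
```

The two checks in checked_copy_text are independent: the bound against buflen rejects lengths the file cannot back, and the SIZE_MAX check covers the arithmetic even on a 32-bit size_t where the first check alone would not stop the wrap.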
Attached file advisory
Add the full advisory text.
Attached audio proof-of-concept file
Attached patch proposed patch
Oh, btw I used this for testing too:

==
<html>
<head>
<title>Stagefright via Browser demo</title>
<script>
function go() {
    var audio = document.getElementById('audio');
    audio.play();
}
</script></head>
<body onload='go()' bgcolor=black>
<audio width=100% controls>
 <source src="test.mp3?x=nocache">
</audio>
</body>
</html>
==
We don't use our stagefright for mp3
stagefright in the mozilla source tree is only used to parse the MP4 moov atom (metadata).
Well then. I guess I should look closer as to why this crashes Firefox on Android then.
Because we use Android's native stagefright framework. And that's where the vulnerability is, but there's nothing we can do about it.
Here's what I managed to get so far --

#0  __memcpy_base () at bionic/libc/arch-arm/krait/bionic/memcpy_base.S:108
#1  0x7d47fffc in MOZ_PNG_sig_cmp () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#2  0x7d481cb2 in MOZ_PNG_push_read_sig () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#3  0x7d4857cc in MOZ_PNG_process_data () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#4  0x7ca77364 in mozilla::image::nsPNGDecoder::WriteInternal(char const*, unsigned int) () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#5  0x7ca6e082 in mozilla::image::Decoder::Write(char const*, unsigned int) () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#6  0x7ca6e9e0 in mozilla::image::Decoder::Decode() () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#7  0x7ca6ea30 in mozilla::image::DecodePool::Decode(mozilla::image::Decoder*) () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#8  0x7ca70f1c in mozilla::image::DecodeWorker::Run() () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#9  0x7c6909e4 in nsThreadPool::Run() () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#10 0x7c68e510 in nsThread::ProcessNextEvent(bool, bool*) () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#11 0x7c69c106 in NS_ProcessNextEvent(nsIThread*, bool) () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#12 0x7c7cf936 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#13 0x7c7c0e7c in MessageLoop::RunInternal() () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#14 0x7c7c0f30 in MessageLoop::Run() () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#15 0x7c68ed7c in nsThread::ThreadFunc(void*) () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libxul.so
#16 0x7875fe9a in _pt_root () from /y/jdrake/work/stagefright/ff-dbg/jimdb-arm/lib/05b3a0f3/app/org.mozilla.fennec/assets/armeabi-v7a/libnss3.so
Bus error

Unfortunately the debugger crashed here :-/
OH BTW. ID3 data is parsed in MP4 too.
there may be a bug here, but it's not in stagefright (amazingly enough :) )
I beg to differ. I will provide an MP4 that triggers this problem shortly.
Okay, I see Mozilla's fork of libstagefright does not include the ID3 code. That makes me wonder why it's still in the tree at all...
Let me rephrase (it's late here)... I see Mozilla's fork of libstagefright does not call the ID3 code in MPEG4Extractor. I still wonder why it's still in the tree tho.
I guess at the time it was felt it would be easier to merge with upstream as required.

but we forked too much now.
Welp. My apologies for not looking closer before reporting. If it's all the same to you I'd like to keep this ticket open for now while I see if there are any other similar vectors. I have my doubts, as I'm sure you do, but I'd like to dig =)
I don't see anything! Sorry for the noise :(
Two sets of eyes is better than one :)
does comment 17 mean we can resolve this bug as "worksforme"?
Flags: needinfo?(mozilla-bugs)
Keywords: sec-other
Assignee: nobody → giles
Priority: -- → P1
Group: core-security → media-core-security
Yes, looks like this is a false alarm. Forks are confusing!
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Joshua: since you're crashing in Android should we keep this hidden until there's an Android fix? Or is the bug public and just not delivered to your test machine yet?
Group: media-core-security → core-security-release
Whiteboard: [keep hidden until we hear back from reporter, might reveal android bugs]
This issue is still being coordinated with Google. I'd appreciate if we just left it closed forever since I'm embarrassed that I didn't pay more attention when testing :-/ HEH.
Flags: needinfo?(mozilla-bugs)
(In reply to Joshua J. Drake from comment #22)
> This issue is still being coordinated with Google. I'd appreciate if we just
> left it closed forever since I'm embarrassed that I didn't pay more
> attention when testing :-/ HEH.

Josh, is this CVE-2015-6602 by any chance? I.e. the issue discussed at https://blog.zimperium.com/zimperium-zlabs-is-raising-the-volume-new-vulnerability-processing-mp3mp4-media

jya - is there any chance this affects older FxOS versions? Not much we can do, but I'm testing at the moment to confirm.
Flags: needinfo?(ptheriault)
Flags: needinfo?(ptheriault)
Group: core-security-release