Closed Bug 1225292 Opened 9 years ago Closed 9 years ago

FFMPEG: use-of-uninitialized-value in [@ff_get_cpu_flags_x86]

Categories

(Core :: Audio/Video: Playback, defect)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox45 --- affected

People

(Reporter: tsmith, Unassigned)

References

Details

(Keywords: csectype-uninitialized, testcase)

Attachments

(2 files)

call_stack.txt
1.42 KB, text/plain
Details
dummy.mp3
2 bytes, audio/mpeg
Details
Attached file call_stack.txt 
Found fuzzing ffmpeg commit: 3692d859f45fa8765fa5a330e79108b03c17c6bd

Reproduced with the following command with MSan build:
./ffmpeg -nostats -loglevel 0 -i dummy.mp3 -f null -
Attached audio dummy.mp3 

    
    

    
  
Patched this locally to make progress fuzzing and hit many other uninitialized reads in this function.

I fixed these: (and likely others b/c I just initialized everything in that function to make progress)

MemorySanitizer: use-of-uninitialized-value /home/user/code/ffmpeg/libavutil/x86/cpu.c:106:9 in ff_get_cpu_flags_x86
MemorySanitizer: use-of-uninitialized-value /home/user/code/ffmpeg/libavutil/x86/cpu.c:137:13 in ff_get_cpu_flags_x86
MemorySanitizer: use-of-uninitialized-value /home/user/code/ffmpeg/libavutil/x86/cpu.c:165:9 in ff_get_cpu_flags_x86

    
    

    
  
note that those generates a lot of compilation warning as found with bug 1214462 when using the visual studio compiler

    
  
Blocks: fuzzing-ffmpeg

    
    

    
  
max_std_level and the other variables in ff_get_cpu_flags_x86() are set from ff_cpu_cpuid() which is build from external asm with yasm (unless thats disabled) clangs memory sanitizer seems not able to track this.
For testing with clang msan its probably needed to use --disable-yasm, this is a bad idea when not testing with msan though due to the likely significant speedloss.
valgrind should be able to search for uninitialized variables with enabled yasm, its alot slower though

this issue likely affects the other fuzzing bugs too

    
    

    
  
Thanks. I have verified that using --disable-yasm resolves this issue with MSan. I will keep this in mind when reviewing issues that are initialized by assembly.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID

    
    

    
  
Michael, any particular reasons ffmpeg requires yasm to compile assembly as opposed to using intrinsic assembly?

One of the issue for us is that our build are still stuck on an old version of yasm (1.1) and we had to disable avx2 as a consequence.

Using inline assembly would have allowed to easily bypass that problem and remove the dependency on yasm.

just a passing-by thought.

    
    

    
  
Not specifically to this (cpuid) code but more generally 
intrinsics have many problems. 
with yasm (or inline asm) the code one writes is the code one gets, with intrinsics a different compiler version or different moon phase and the code might run alot slower because the compiler failed to assign registers and starts spilling everything on the stack in a inner loop. Also i think there are portability issues. 
OTOH the big problem with inline asm is that it only works with gcc compatible compilers, yasm works with any compiler. Also our yasm code can be build with nasm in case that helps
Group: media-core-security

    
    

    
  
(In reply to Tyson Smith [:tsmith] from comment #5)
> Thanks. I have verified that using --disable-yasm resolves this issue with
> MSan. I will keep this in mind when reviewing issues that are initialized by
> assembly.

I don't think it makes much sense in fuzzing ffmpeg without yasm being enabled. As all you will be stressing is the C-code decoders and those are almost never used on a standard system: always the assembly optimised code. This is what makes ffmpeg awesome: the speed and how well crafted the assembly is.
Flags: needinfo?(twsmith)

    
    

    
  
(In reply to Jean-Yves Avenard [:jya] from comment #8)
> (In reply to Tyson Smith [:tsmith] from comment #5)
> > Thanks. I have verified that using --disable-yasm resolves this issue with
> > MSan. I will keep this in mind when reviewing issues that are initialized by
> > assembly.
> 
> I don't think it makes much sense in fuzzing ffmpeg without yasm being
> enabled. As all you will be stressing is the C-code decoders and those are
> almost never used on a standard system: always the assembly optimised code.
> This is what makes ffmpeg awesome: the speed and how well crafted the
> assembly is.

Yep I know and I am not. This was only to check for uninitiated memory usage in the the code base (no including the replaced asm) that I would be fuzzing.
Flags: needinfo?(twsmith)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: