Closed Bug 1294769 Opened 8 years ago Closed 6 years ago

gmp-clearkey AnnexB::ConvertFrameInPlace potential out of bounds write

Categories

(Core :: Audio/Video: GMP, defect, P3)

Product:
Core
Component:
Audio/Video: GMP
Version:
52 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- unaffected
firefox54 --- unaffected

People

(Reporter: kernxploit, Assigned: mozbugz)

References

Details

(Keywords: csectype-bounds, sec-moderate) 

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623154057

Steps to reproduce:

AnnexB::ConvertFrameInPlace does not verify "nalLen" loaded from the input buffer data. This might cause an integer overflow in
i += nalLen + 4;
so it could pass the bounds check
i < aBuffer.size() - 4 - sizeof(kAnnexBDelimiter) + 1
This results in a memcpy
memcpy(&aBuffer[i], kAnnexBDelimiter, sizeof(kAnnexBDelimiter));
which might be outside the buffer.

https://github.com/cpearce/gmp-clearkey/blob/master/src/AnnexB.cpp#L27

Maybe I am just overlooking something and this data is already checked anywhere?
Could you take a look, Gerald?
Group: core-security → media-core-security
Flags: needinfo?(gsquelart)
The analysis in comment 0 seems correct to me: nalLen is not sanity-checked, and then could produce an overflow and subsequent OOB reads&writes.
So it would probably be a good idea to fix that potential issue anyway.

Now, as to the actual risk in Firefox: Prior to that decoding,
- There is a conversion *from* Annex B in H264Converter, which means in this case *we* write NAL lengths so they should be correct&safe.
- In non-Annex B cases, NAL lengths might be (implicitly or explicitly) checked during demuxing, but I'm not sure.

Chris, would you happen to know the answer? NI:me back if you want me to investigate further.
(Or Jean-Yves might also know, as I think he's worked on NALs a lot.)
Flags: needinfo?(gsquelart) → needinfo?(cpearce)
I'm pretty sure if the NAL has an invalid length, we'll fail to read it in H264::DecodeNALUnit() in the parent process, and so we'd never end up sending a bad NAL to the GMP process.

It would be good practice to check the nal length here for certain regardless.
Flags: needinfo?(cpearce)
Confirmed in that we at least want to add belt-and-suspenders, even if this can't happen at the moment per comment 3

Tentatively marking as moderate given comment 3
Status: UNCONFIRMED → NEW
Rank: 25
Ever confirmed: true
Keywords: csectype-bounds, sec-moderate
Priority: -- → P2
We had the same issue in the media/libstagefright/binding code. The AnnexB was rewritten with ByteReader to prevent all out of bound access. Maybe we can just resync the code there (I believe they have common ancestry)
jya, cpearce, gerald - can we do one of these things and get this off our plate?  Doesn't sound like some belt-and-suspenders checks here would be tough.
Flags: needinfo?(jyavenard)
Flags: needinfo?(gsquelart)
Flags: needinfo?(cpearce)
Effectively fixed by bug 1318965, which removed media/gmp-clearkey/0.1/AnnexB.cpp.
Assignee: nobody → gsquelart
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 1318965
Flags: needinfo?(jyavenard)
Flags: needinfo?(gsquelart)
Flags: needinfo?(cpearce)
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Group: media-core-security → core-security-release
Is there something we can safely backport to ESR52 for this or should we wontfix?
Flags: needinfo?(gsquelart)
Sorry for the delay in responding to the NI.

I think it wouldn't be possible to backport a fix from bug 1318965, as it's super big (and the actual solution there just removed the whole file!)
And I don't want to just wontfix it, in case it's an actually-exploitable issue.

A small patch to catch the overflow in ESR52 should be easy, I'll work on it so it's ready for the next dot release...
Flags: needinfo?(gsquelart)
Reopening bug, so it's less likely to be forgotten (by me).
Status: RESOLVED → REOPENED
status-firefox54: --- → unaffected
Resolution: FIXED → ---
Version: unspecified → 52 Branch
Mass change P3->P4 to align with new Mozilla triage process.
Priority: P2 → P3
Since the last 52 ESR ship has sailed I think we can close this.
Status: REOPENED → RESOLVED
Closed: 7 years ago6 years ago
Resolution: --- → FIXED
Have you decided if that was an "actually-exploitable issue"?
I believe this was never exploitable, due to what clearkey is, and also where the issue was; we were just considering some added safety checks.  Chris? Gerald?
Right. I too think it's not exploitable, but I didn't dive deep enough to prove it for sure.
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.