Closed Bug 1446068 Opened 6 years ago Closed 6 years ago

ZDI-CAN-5823 - Mozilla Firefox Audio Driver Out of Bounds (variant)

Categories: Core :: Audio/Video, defect
Type: defect
Priority: Not set
Severity: normal

Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla61
Tracking Status:
- firefox-esr52: 59+ verified
- firefox59: blocking verified
- firefox60: + verified
- firefox61: + verified

People
Reporter: abillings
Assignee: TD-Linux

Details
Keywords: csectype-bounds, sec-critical
Whiteboard: patch in 1446062

Attachments (2 files)

Attached file POC as zip
Readme contents of bug from ZDI:

Mozilla Firefox vorbis_book_decodevv_add OOB
=============================================================
Mozilla Firefox has a vulnerability in the parsing of vorbis audio formats.

here is the vulnerability

long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
                              oggpack_buffer *b,int n){

  long i,j,entry;
  int chptr=0;
  if(book->used_entries>0){
    for(i=offset/ch;i<(offset+n)/ch;){
      entry = decode_packed_entry_number(book,b);
      if(entry==-1)return(-1);
      {
        const float *t = book->valuelist+entry*book->dim;
        for (j=0;j<book->dim;j++){
          a[chptr++][i]+=t[j]; // out of bounds access, i can be greater than (offset+n)/ch
          if(chptr==ch){
            chptr=0;
            i++;
          }
        }
      }
    }
  }
  return(0);
}
Attached file test.html
POC test.html file
Attached video out.ogg
Audio file from 'audio' subdirectory under poc test.html file
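To make the overrun in the ZDI readme concrete, here is a small model of the decodevv_add loop, added as an example; it is not libvorbis or Firefox code and not the patch referenced from bug 1446062 (which this page does not reproduce). It keeps the loop shape from the report, replaces decode_packed_entry_number() with a counter that hands out entries 0,1,2,..., and replaces the raw a[chptr++][i] += t[j] store with a guarded store that records, instead of performing, any write at an index outside the range [0, (offset+n)/ch) that the caller expects. A "bounded" variant adds the check the researcher's comment implies (stop the inner loop once i reaches (offset+n)/ch) so the two can be compared on the same input. MAX_CH, MAX_FRAMES, chanbuf, store, next_entry and count_oob are all names chosen for this example, and ch is assumed to be at most MAX_CH.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of the vorbis_book_decodevv_add loop (added example; not libvorbis
 * code). A codeword of dim values is spread round-robin over ch channels and
 * i advances once per full channel round. The caller expects writes only to
 * frames [offset/ch, (offset+n)/ch); the bug is that the inner loop keeps
 * writing past that bound when the requested span is not a whole number of
 * codewords.
 */

#define MAX_CH 8        /* assumed upper bound on ch for this model */
#define MAX_FRAMES 64   /* assumed upper bound on frames for this model */

typedef struct {
    int ch;                       /* channel count */
    long frames;                  /* valid indices per channel: 0..frames-1 */
    float a[MAX_CH][MAX_FRAMES];  /* stands in for float **a */
    long oob_writes;              /* stores rejected because i >= frames */
} chanbuf;

/* Guarded stand-in for a[chptr][i] += v: instead of corrupting memory when
 * i runs past the buffer, count the attempt so the overrun is observable. */
static void store(chanbuf *cb, int chptr, long i, float v)
{
    if (i < 0 || i >= cb->frames) { cb->oob_writes++; return; }
    cb->a[chptr][i] += v;
}

/* Stand-in for decode_packed_entry_number(): the real decoder reads a
 * codebook entry from the Ogg packet; here entries are simply 0,1,2,... */
static long next_entry(long *counter)
{
    return (*counter)++;
}

/* Vulnerable shape (as in the ZDI report): the inner loop runs over the
 * whole codeword, so i can pass m = (offset+n)/ch before it is checked. */
long decodevv_add_vulnerable(chanbuf *cb, long offset, int dim, int n)
{
    long i, j, counter = 0;
    int chptr = 0, ch = cb->ch;
    long m = (offset + n) / ch;
    for (i = offset / ch; i < m;) {
        long entry = next_entry(&counter);
        for (j = 0; j < dim; j++) {
            store(cb, chptr++, i, (float)(entry + 1)); /* a[chptr++][i] += t[j] */
            if (chptr == ch) { chptr = 0; i++; }
        }
    }
    return cb->oob_writes;
}

/* Bounded shape: also stop the inner loop once i reaches m, so a trailing
 * partial codeword cannot write past the caller's range. */
long decodevv_add_bounded(chanbuf *cb, long offset, int dim, int n)
{
    long i, j, counter = 0;
    int chptr = 0, ch = cb->ch;
    long m = (offset + n) / ch;
    for (i = offset / ch; i < m;) {
        long entry = next_entry(&counter);
        for (j = 0; i < m && j < dim; j++) {
            store(cb, chptr++, i, (float)(entry + 1));
            if (chptr == ch) { chptr = 0; i++; }
        }
    }
    return cb->oob_writes;
}

/* Run one variant on a fresh buffer sized exactly to the caller's range and
 * return how many stores fell outside it (0 means no overrun). */
long count_oob(int vulnerable, int ch, int dim, long offset, int n)
{
    chanbuf cb;
    memset(&cb, 0, sizeof cb);
    cb.ch = ch;
    cb.frames = (offset + n) / ch;
    return vulnerable ? decodevv_add_vulnerable(&cb, offset, dim, n)
                      : decodevv_add_bounded(&cb, offset, dim, n);
}

int main(void)
{
    /* ch=1, dim=4, n=6: six frames requested, four values per codeword, so
     * the second codeword writes frames 4..7 and two of them are out of range. */
    printf("vulnerable ch=1 dim=4 n=6:  %ld OOB stores\n", count_oob(1, 1, 4, 0, 6));
    printf("bounded    ch=1 dim=4 n=6:  %ld OOB stores\n", count_oob(0, 1, 4, 0, 6));
    /* ch=2, dim=4, n=10: five frames, two frames per codeword, so the third
     * codeword reaches frame 5 on both channels. */
    printf("vulnerable ch=2 dim=4 n=10: %ld OOB stores\n", count_oob(1, 2, 4, 0, 10));
    printf("bounded    ch=2 dim=4 n=10: %ld OOB stores\n", count_oob(0, 2, 4, 0, 10));
    return 0;
}
```

The count returned is the number of channel-frame slots the loop tries to touch beyond the expected range; in the real decoder those are writes into whatever follows the channel's float buffer, which is why the bug is rated sec-critical. When n is an exact multiple of the frames per codeword (for example ch=2, dim=4, n=12) both variants return 0, which is why a fuzzed or crafted stream is needed to hit the case.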
Group: core-security → media-core-security
Group: media-core-security → core-security-release
FYI, this was NOT pwn2own 2018 bug that popped Firefox. This is just from the same researcher.
Flags: needinfo?(tdaede)
The original title looks like a minor info-leak from ZDI about the kernel bug used at pwn2own. This isn't an int overflow.

Looks like the same as bug 1446062 just in a different function, so assigning to tdaede also.
Assignee: nobody → tdaede
Summary: ZDI-CAN-5823 - Microsoft Windows win32k Integer Overflow → ZDI-CAN-5823 - Mozilla Firefox Audio Driver Out of Bounds (variant)
Flags: needinfo?(tdaede)
Indeed, I've asked xiphmont to review the first patch and if it's correct I'll post the equivalent patch to this bug.
Depends on: CVE-2018-5146
Whiteboard: patch in 1446062
The patch for bug 1446062 should fix this bug as well (plus another potential bug that hadn't yet been reported).
Can someone confirm that this bug is indeed fixed with the 1446062 fix?
I applied the patch from bug 1446062 to the vorbis master branch and the issue is no longer reproducible with the attached testcase.
Fix from bug 1446062 has landed on m-central
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
We managed to reproduce the crash on Fennec 58.0.2 and 60.0b3 (API 16 and x86) with https://bug1446068.bmoattachments.org/attachment.cgi?id=8959245&t=rUCyIt0hcpHupr660RLZjU and, based on the same attachment, we can confirm that builds 59.0.1 and 60.0b4 build 2 had no crashes.
Devices: 
- Samsung Galaxy Tab 3 (Android 7.0)
- Huawei MediaPad M2 (Android 5.1.1) 
- Pixel 2 (Android 8.1) 
- OnePlus 3 (Android 6.0.1) 
- Xiaomi Mi Pad 2 (Android 5.1 x86).
We can confirm this fix as well on the following OSes: 
- Windows 7
- Windows 8.1
- Windows 10
- Ubuntu (14.04, 16.04)
- macOS 10.13

Tested on Firefox 59.0.1 (20180315233128), 52.7.2esr (20180315163333) and 60.0b4 (20180315232954) with https://bug1446068.bmoattachments.org/attachment.cgi?id=8959245&t=K65q14xx3oONMe5SNA6t9u.
Flags: qe-verify+
On mobile side, we tested on 61.0b3 with the following devices: Oneplus Two - Android 6.0.1, Prestigio Grace X5 - Android 4.4.2, Samsung Galaxy S8 - Android 8.0, Google Pixel(Android 8.1.0) and https://bug1446068.bmoattachments.org/attachment.cgi?id=8959245&t=SySIT41MzofHylgHoKghV6. We can confirm that the issue is fixed.
This bug is verified fixed on the desktop side too, on Beta 61.0b3 (20180507191226) running the following OSes: Win 10 x64, Ubuntu 16.04 x64 and macOS 10.13. We've used the test file mentioned in comment 12.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release