Closed
Bug 1446068
Opened 7 years ago
Closed 7 years ago
ZDI-CAN-5823 - Mozilla Firefox Audio Driver Out of Bounds (variant)
Categories: Core :: Audio/Video, defect
People: Reporter: abillings, Assigned: TD-Linux
Details: Keywords: csectype-bounds, sec-critical; Whiteboard: patch in 1446062
Attachments: 2 files
Readme contents of bug from ZDI:
Mozilla Firefox vorbis_book_decodevv_add OOB
=============================================================
Mozilla Firefox has a vulnerability in the parsing of vorbis audio formats.
Here is the vulnerability:
long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
                              oggpack_buffer *b,int n){
  long i,j,entry;
  int chptr=0;
  if(book->used_entries>0){
    for(i=offset/ch;i<(offset+n)/ch;){
      entry = decode_packed_entry_number(book,b);
      if(entry==-1)return(-1);
      {
        const float *t = book->valuelist+entry*book->dim;
        for (j=0;j<book->dim;j++){
          a[chptr++][i]+=t[j]; // out of bounds access, i can be greater than (offset+n)/ch
          if(chptr==ch){
            chptr=0;
            i++;
          }
        }
      }
    }
  }
  return(0);
}
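A small C model of the decode loop, added here as an illustration: it is not the page's code, not libvorbis, and not the patch from bug 1446062. The struct names, the toy_* functions and the sample values are all constructed for the example. It contrasts a hardened inner loop, which also stops at the output bound m = (offset+n)/ch, with a dry run of the unguarded loop that reports how far past a per-channel buffer the writes would reach for a given dim/ch/n, which is the condition the ZDI comment describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the libvorbis codebook: only the fields the loop touches. */
typedef struct {
    long used_entries;       /* number of codebook entries */
    long dim;                /* values per entry; need not divide the output size */
    const float *valuelist;  /* used_entries * dim floats */
} toy_codebook;

/* Stand-in for oggpack_buffer: a constructed list of already-decoded entry numbers. */
typedef struct {
    const long *entries;
    size_t count, pos;
} toy_packet;

/* Plays the role of decode_packed_entry_number(): -1 signals a decode error. */
static long toy_decode_entry(const toy_codebook *book, toy_packet *b) {
    if (b->pos >= b->count) return -1;
    long e = b->entries[b->pos++];
    return (e >= 0 && e < book->used_entries) ? e : -1;
}

/* Hardened version of the reported loop. The output bound m is computed once and
   the inner loop also stops at i < m, so a codebook entry whose dim values straddle
   the end of the output cannot write past a[chptr][m-1].
   Illustrative rewrite; not the patch attached to bug 1446062. */
long toy_decodevv_add(const toy_codebook *book, float **a, long offset, int ch,
                      toy_packet *b, int n) {
    long i, j, entry;
    int chptr = 0;
    if (book->used_entries > 0) {
        long m = (offset + n) / ch;
        for (i = offset / ch; i < m;) {
            entry = toy_decode_entry(book, b);
            if (entry == -1) return -1;
            const float *t = book->valuelist + entry * book->dim;
            for (j = 0; i < m && j < book->dim; j++) {
                a[chptr++][i] += t[j];
                if (chptr == ch) { chptr = 0; i++; }
            }
        }
    }
    return 0;
}

/* Dry run of the original, unguarded inner loop: returns the highest per-channel
   index its writes would reach, without touching memory. Any result >= (offset+n)/ch
   means the last codebook entry spills past the output buffer. */
long toy_unguarded_max_index(long dim, long offset, int ch, int n) {
    if (dim <= 0 || ch <= 0) return -1;
    long m = (offset + n) / ch;
    long i = offset / ch, max_i = -1;
    int chptr = 0;
    while (i < m) {                      /* one codebook entry per iteration */
        for (long j = 0; j < dim; j++) {
            if (i > max_i) max_i = i;
            if (++chptr == ch) { chptr = 0; i++; }
        }
    }
    return max_i;
}

/* Constructed example: 2 channels x 2 samples (n = 4), one codebook entry of dim 6.
   The unguarded loop would need 3 samples per channel; the guarded one stops at 2.
   Returns 1 when the guarded decode produces exactly the expected values. */
int toy_example_check(void) {
    static const float values[6] = {1, 2, 3, 4, 5, 6};
    static const long packet_entries[1] = {0};
    toy_codebook book = {1, 6, values};
    toy_packet pkt = {packet_entries, 1, 0};
    float ch0[2] = {0, 0}, ch1[2] = {0, 0};
    float *a[2] = {ch0, ch1};

    if (toy_decodevv_add(&book, a, 0, 2, &pkt, 4) != 0) return 0;
    /* values interleave across channels: ch0 gets t[0], t[2]; ch1 gets t[1], t[3] */
    return ch0[0] == 1 && ch1[0] == 2 && ch0[1] == 3 && ch1[1] == 4;
}

int main(void) {
    printf("guarded decode correct: %d\n", toy_example_check());
    printf("unguarded loop would reach index %ld of a 2-sample buffer\n",
           toy_unguarded_max_index(6, 0, 2, 4));
    return 0;
}
```

The dry run is the useful regression check: for every (dim, ch, n) combination a fuzzer produces, the unguarded index must stay below (offset+n)/ch, and with dim = 6 over a 2-sample buffer it reaches index 2, one past the end.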
Comment 1 • 7 years ago (Reporter)
POC test.html file
Comment 2 • 7 years ago (Reporter)
Audio file from 'audio' subdirectory under poc test.html file
Updated • 7 years ago
Group: core-security → media-core-security
Updated • 7 years ago
status-firefox59: --- → affected
status-firefox-esr52: --- → affected
tracking-firefox59: --- → ?
tracking-firefox-esr52: --- → ?
Updated • 7 years ago
tracking-firefox60: --- → +
tracking-firefox61: --- → +
Updated • 7 years ago
Group: media-core-security → core-security-release
Comment 3 • 7 years ago (Reporter)
FYI, this was NOT the pwn2own 2018 bug that popped Firefox. This is just from the same researcher.
Updated • 7 years ago
Flags: needinfo?(tdaede)
Updated • 7 years ago
Keywords: csectype-intoverflow
Comment 4 • 7 years ago
The original title looks like a minor info-leak from ZDI about the kernel bug used at pwn2own. This isn't an int overflow.
Looks like the same as bug 1446062 just in a different function, so assigning to tdaede also.
Assignee: nobody → tdaede
Summary: ZDI-CAN-5823 - Microsoft Windows win32k Integer Overflow → ZDI-CAN-5823 - Mozilla Firefox Audio Driver Out of Bounds (variant)
Updated • 7 years ago (Assignee)
Flags: needinfo?(tdaede)
Comment 5 • 7 years ago (Assignee)
Indeed, I've asked xiphmont to review the first patch and if it's correct I'll post the equivalent patch to this bug.
Updated • 7 years ago
Depends on: CVE-2018-5146
Whiteboard: patch in 1446062
Comment 6 • 7 years ago
The patch for bug 1446062 should fix this bug as well (plus another potential bug that hadn't yet been reported).
Comment 7 • 7 years ago
Can someone confirm that this bug is indeed fixed with the 1446062 fix?
Comment 8 • 7 years ago
I applied the patch from bug 1446062 to the vorbis master branch and the issue is no longer reproducible with the attached testcase.
Comment 9 • 7 years ago
Fix from bug 1446062 has landed on m-central
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment 10 • 7 years ago
uplift
Comment 11 • 7 years ago
We managed to reproduce the crash on Fennec 58.0.2 and 60.0b3 (API 16 and x86) with https://bug1446068.bmoattachments.org/attachment.cgi?id=8959245&t=rUCyIt0hcpHupr660RLZjU and, based on the same attachment, we can confirm that builds 59.0.1 and 60.0b4 build 2 had no crashes.
Devices:
- Samsung Galaxy Tab 3 (Android 7.0)
- Huawei MediaPad M2 (Android 5.1.1)
- Pixel 2 (Android 8.1)
- OnePlus 3 (Android 6.0.1)
- Xiaomi Mi Pad 2 (Android 5.1 x86).
Comment 12 • 7 years ago
We can confirm this fix as well on the following OSes:
- Windows 7
- Windows 8.1
- Windows 10
- Ubuntu (14.04, 16.04)
- macOS 10.13
Tested on Firefox 59.0.1 (20180315233128), 52.7.2esr (20180315163333) and 60.0b4 (20180315232954) with https://bug1446068.bmoattachments.org/attachment.cgi?id=8959245&t=K65q14xx3oONMe5SNA6t9u.
Updated • 7 years ago
Flags: qe-verify+
Comment 13 • 7 years ago
On mobile side, we tested on 61.0b3 with the following devices: Oneplus Two - Android 6.0.1, Prestigio Grace X5 - Android 4.4.2, Samsung Galaxy S8 - Android 8.0, Google Pixel(Android 8.1.0) and https://bug1446068.bmoattachments.org/attachment.cgi?id=8959245&t=SySIT41MzofHylgHoKghV6. We can confirm that the issue is fixed.
Comment 14 • 7 years ago
This bug is verified fixed on the desktop side too, on Beta 61.0b3 (20180507191226) running the following OSes: Win 10 x64, Ubuntu 16.04 x64 and macOS 10.13. We've used the test file mentioned in comment 12.
Updated • 6 years ago
Group: core-security-release