Closed Bug 1787281 Opened 2 years ago Closed 2 years ago

heap-buffer-overflow in [@ av_packet_ref]

Categories: Core :: Audio/Video: Playback, defect

Tracking

VERIFIED FIXED
106 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- unaffected
firefox106 --- verified

People

(Reporter: tsmith, Assigned: padenot)

References

(Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

Attached video testcase.mp4

Found while fuzzing 20220825-ed1f1140d8bd (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.mp4 --time-limit 5
==19518==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600078217f at pc 0x55caae744787 bp 0x7f3f2f22d3c0 sp 0x7f3f2f22cb90
READ of size 523 at 0x61600078217f thread T96365 (MediaPD~oder #1)
    #0 0x55caae744786 in __asan_memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x7f3f22f2cea4 in av_packet_ref /builds/worker/checkouts/gecko/media/ffvpx/libavcodec/avpacket.c:446:13
    #2 0x7f3f22f9820f in avcodec_send_packet /builds/worker/checkouts/gecko/media/ffvpx/libavcodec/decode.c:592:15
    #3 0x7f3f4c6182a3 in mozilla::FFmpegAudioDecoder<46465650>::DoDecode(mozilla::MediaRawData*, unsigned char*, int, bool*, nsTArray<RefPtr<mozilla::MediaData> >&) /builds/worker/checkouts/gecko/dom/media/platforms/ffmpeg/FFmpegAudioDecoder.cpp:272:15
    #4 0x7f3f4c61c37d in mozilla::FFmpegDataDecoder<46465650>::DoDecode(mozilla::MediaRawData*, bool*, nsTArray<RefPtr<mozilla::MediaData> >&) /builds/worker/checkouts/gecko/dom/media/platforms/ffmpeg/FFmpegDataDecoder.cpp:193:10
    #5 0x7f3f4c61bb21 in mozilla::FFmpegDataDecoder<46465650>::ProcessDecode(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/ffmpeg/FFmpegDataDecoder.cpp:147:20
    #6 0x7f3f4c63234b in applyImpl<mozilla::FFmpegDataDecoder<46465650>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData *), StoreRefPtrPassByPtr<mozilla::MediaRawData>, 0UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #7 0x7f3f4c63234b in apply<mozilla::FFmpegDataDecoder<46465650>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData *)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #8 0x7f3f4c63234b in mozilla::detail::MethodCall<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData*), mozilla::FFmpegDataDecoder<46465650>, mozilla::MediaRawData*>::Invoke() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1518:47
    #9 0x7f3f4c631e5d in mozilla::detail::ProxyRunnable<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData*), mozilla::FFmpegDataDecoder<46465650>, mozilla::MediaRawData*>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1538:42
    #10 0x7f3f45bc54b6 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259:20
    #11 0x7f3f45bf01e2 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:310:14
    #12 0x7f3f45be2aee in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #13 0x7f3f45bec744 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #14 0x7f3f47343b35 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #15 0x7f3f471c4901 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #16 0x7f3f471c4901 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #17 0x7f3f471c4901 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #18 0x7f3f45bd9c38 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
    #19 0x7f3f6d8d8b7e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x7f3f6e52c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #21 0x7f3f6e0f3132 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/7hcaswhRDZOb3M6v5tZYOg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220825222149-58735c4baea3.
The bug appears to have been introduced in the following build range:

Start: 498d812eb398285bb093ade3c2534e1400e3c7ee (20220823135059)
End: 654616a4627e7c9e54ec8cd261f783f2d252f7be (20220823150013)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=498d812eb398285bb093ade3c2534e1400e3c7ee&tochange=654616a4627e7c9e54ec8cd261f783f2d252f7be

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(padenot)
Regressed by: 1765480

Set release status flags based on info from the regressing bug 1765480

As a buffer overflow, I'll just go ahead and mark this sec-high.

Keywords: sec-high

ffmpeg update related.

Assignee: nobody → padenot
Flags: needinfo?(padenot)

Depends on D155971

Comment on attachment 9292265 [details]
Bug 1787281 - Don't consume packet when decoding audio using ffvpx and getting EAGAIN. r?alwu

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: This is a read of exactly one byte before an encoded media buffer. It's very unlikely to crash a regular build, but crashes with ASAN. It's always exactly one byte; this is not controllable.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: none
  • If not all supported branches, which bug introduced the flaw?: Bug 1765480
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: N/A
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely, it's very clear what happens.
  • Is Android affected?: Yes
Attachment #9292265 - Flags: sec-approval?
Attachment #9292269 - Flags: sec-approval?
Attachment #9292269 - Flags: sec-approval?
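The patch title names the FFmpeg send/receive contract: a packet that avcodec_send_packet refuses with EAGAIN has not been consumed and must be resent once output has been drained. As an added illustration (not code from this bug, Gecko or ffvpx), the C program below models that contract with a constructed stand-in decoder and shows that advancing past the packet on EAGAIN silently drops input; the decoder, packet bytes and function names are assumptions, and it does not reproduce the one-byte out-of-bounds read itself.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a libavcodec-style decoder: it holds at most
 * QUEUE_CAP packets and answers -EAGAIN (like AVERROR(EAGAIN)) when full,
 * in which case the packet is NOT taken and the caller must resend it. */
#define QUEUE_CAP 2
typedef struct { uint8_t queued[QUEUE_CAP]; int n_queued; } FakeDecoder;

static int fake_send_packet(FakeDecoder *d, const uint8_t *pkt, size_t len) {
    if (len == 0) return -EINVAL;
    if (d->n_queued == QUEUE_CAP) return -EAGAIN;   /* refused, not consumed */
    d->queued[d->n_queued++] = pkt[0];              /* "decode": keep byte 0 */
    return 0;
}

static int fake_receive_frame(FakeDecoder *d, uint8_t *out) {
    if (d->n_queued == 0) return -EAGAIN;           /* decoder wants input */
    *out = d->queued[0];
    memmove(d->queued, d->queued + 1, --d->n_queued);
    return 0;
}

/* Decode loop in the shape of the send/receive API. advance_on_eagain
 * reproduces the bug class named in the fix title: treating a refused
 * packet as consumed. Returns the number of frames written to out. */
static size_t decode_all(const uint8_t *pkts, size_t npkts, size_t pkt_len,
                         uint8_t *out, int advance_on_eagain) {
    FakeDecoder d = {0};
    size_t produced = 0, i = 0;
    while (i < npkts) {
        if (fake_send_packet(&d, pkts + i * pkt_len, pkt_len) == -EAGAIN) {
            /* Decoder full: drain output, then retry the SAME packet. */
            while (fake_receive_frame(&d, out + produced) == 0) produced++;
            if (advance_on_eagain) i++;             /* the bug: packet lost */
            continue;
        }
        i++;                                        /* accepted: move on */
    }
    while (fake_receive_frame(&d, out + produced) == 0) produced++; /* flush */
    return produced;
}

/* Constructed input: five 3-byte packets. Returns 1 when the decoded byte
 * sequence equals expect, so both loop variants can be checked directly. */
static int run_demo(int advance_on_eagain, const char *expect) {
    static const uint8_t pkts[] = "aaabbbcccdddeee";
    uint8_t out[8] = {0};
    size_t n = decode_all(pkts, 5, 3, out, advance_on_eagain);
    return n == strlen(expect) && memcmp(out, expect, n) == 0;
}
```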

Comment on attachment 9292265 [details]
Bug 1787281 - Don't consume packet when decoding audio using ffvpx and getting EAGAIN. r?alwu

Approved to land and request uplift

Attachment #9292265 - Flags: sec-approval? → sec-approval+
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][reminder-test 2022-11-3]

This is Nightly-only, I'm just going to land this, no need to uplift.

Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220908123603-65e0896af25d.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

I also verified that this is fixed using latest Nightly 107.0a1 asan fuzz (from today) and latest beta 106.0b8 asan fuzz build on Ubuntu 22.04.

Flags: qe-verify+
Group: core-security-release

4 months ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2022-11-3].

padenot, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(padenot)
Whiteboard: [bugmon:bisected,confirmed][reminder-test 2022-11-3] → [bugmon:bisected,confirmed]
Keywords: bugmon
Flags: needinfo?(padenot)
