LG G4 MRA58K - 'liblg_parser_mkv.so' Bad Allocation Calls

EDB-ID: 41981
Author: Google Security Research
Published: 2017-05-09
CVE: N/A
Type: Dos
Platform: Android
Aliases: N/A
Advisory/Source: Link
Tags: Denial of Service (DoS)
Vulnerable App: N/A

  
In both of the following functions
mkvparser::AudioTrack::AudioTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long)
mkvparser::VideoTrack::VideoTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long)

During EBML node parsing the EBML element_size is used unvalidated to allocate a
stack buffer to store the element contents. Since calls to alloca simply compile
to a subtraction from the current stack pointer, for large sizes this can result
in memory corruption and potential remote-code-execution in the mediaserver
process.

Tested on an LG-G4 with the latest firmware available for my device; MRA58K.

See attached for crash samples and the original unmodified file.

(audio_track.mkv)

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16668, tid: 16986, name: pd_session >>> /system/bin/mediaserver <<<
AM write failed: Broken pipe
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2e924108
r0 c01db33f r1 efd34940 r2 0000022c r3 2e924118
r4 f1449d80 r5 eeaff4d0 r6 eeaff470 r7 eeaff458
r8 f144f228 r9 00000000 sl 0000022c fp 00000000
ip 00000000 sp 2e924108 lr efd2afeb pc efd2b2c0 cpsr 800f0030

backtrace:
#00 pc 000122c0 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10AudioTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+123)
#01 pc 0001247b /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+222)
#02 pc 00012635 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)
#03 pc 000128a9 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)
#04 pc 0000c821 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)
#05 pc 00009d01 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)
#06 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#07 pc 00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#08 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#09 pc 0005a209 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)
#10 pc 0005d1bf /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)
#11 pc 0005d471 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)
#12 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#13 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#14 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#15 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#16 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#17 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

(video_track.mkv)

pid: 18217, tid: 18508, name: pd_session >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2ae64110
r0 c01db33f r1 efd5e940 r2 000001bd r3 00000000
AM write failed: Broken pipe
r4 eb03f4d0 r5 f1409b40 r6 eb03f470 r7 eb03f460
r8 f140f360 r9 2ae64120 sl c01db4fc fp 00000000
ip efd5ee80 sp 2ae64110 lr efd54feb pc efd5517a cpsr 800f0030

backtrace:
#00 pc 0001217a /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10VideoTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+113)
#01 pc 00012449 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+172)
#02 pc 00012635 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)
#03 pc 000128a9 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)
#04 pc 0000c821 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)
#05 pc 00009d01 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)
#06 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#07 pc 00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#08 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#09 pc 0005a209 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)
#10 pc 0005d1bf /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)
#11 pc 0005d471 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)
#12 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#13 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#14 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#15 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#16 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#17 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41981.zip

Related Posts

Comments