LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers

EDB-ID: 41982
Author: Google Security Research
Published: 2017-05-09
CVE: N/A
Type: Dos
Platform: Android
Aliases: N/A
Advisory/Source: Link
Tags: Denial of Service (DoS)
Vulnerable App: N/A

  
Failure to initialise pointers in mkvparser::Tracks constructor

The constructor mkvparser::Tracks::Tracks() doesn't handle parsing failures correctly.

If we look at the function, it makes allocations in two places; the first where it allocates a temporary array, and the second, where we make the allocation of an array of Track* which we will store in the Tracks object. Note that there is no path in the function which can free the second allocation; if the parsing of the Track object fails in the subsequent code these pointers are left uninitialised.

Subsequent code will then dereference and use the uninitialised pointers. The results of this obviously depend on the state of the heap prior to parsing of the testcase - a commonly occuring crash where a vtable pointer has been read through the bad pointer during destruction of the Tracks object.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 31956, tid: 31904, name: NuPlayerDriver >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf62c9880
r0 eee45000 r1 f62e4b60 r2 f62c9880 r3 eb1c08a0
AM write failed: Broken pipe
r4 f1859da0 r5 f15ce05c r6 f15ce060 r7 f62c9880
r8 fffdfc60 r9 efc3f5f4 sl 6175644e fp f6f50c11
ip eb1c0d18 sp efc3f4c0 lr eb1b19b5 pc f62c9880 cpsr a00f0010

backtrace:
#00 pc 00049880 [anon:libc_malloc]
#01 pc 0000c9b3 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD1Ev+34)
#02 pc 0000c9cd /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD0Ev+4)
#03 pc 0001150d /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7SegmentD1Ev+60)
#04 pc 0000b015 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorD1Ev+10)
#05 pc 00009449 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser5CloseEv+24)
#06 pc 0002739b /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+38)
#07 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#08 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#09 pc 00027481 /system/lib/libLGParserOSAL.so
#10 pc 000274d9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractor11LGMKVSourceD0Ev+4)
#11 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#12 pc 000329bd /system/lib/liblgesourceplugin.so (_ZN7android2spINS_3lge20StreamingBufferQueueEED1Ev+18)
#13 pc 0005997d /system/lib/liblgesourceplugin.so (_ZNK7android6VectorINS_2spINS_11MediaSourceEEEE10do_destroyEPvj+12)
#14 pc 00010b6d /system/lib/libutils.so (_ZN7android10VectorImpl15release_storageEv+28)
#15 pc 00010bd9 /system/lib/libutils.so (_ZN7android10VectorImpl13finish_vectorEv+4)
#16 pc 00058cb7 /system/lib/liblgesourceplugin.so
#17 pc 0005a695 /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD1Ev+292)
#18 pc 0005a6d9 /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD0Ev+4)
#19 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#20 pc 00057f69 /system/lib/liblgesourceplugin.so (_ZN7android12HTTPPDSource4stopEv+72)
#21 pc 0006bc51 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer12performResetEv+168)
#22 pc 0006b103 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer22processDeferredActionsEv+90)
#23 pc 00069ca1 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer17onMessageReceivedERKNS_2spINS_8AMessageEEE+4944)
#24 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#25 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#26 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#27 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#28 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#29 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41982.zip

Related Posts

Comments