LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflows

EDB-ID: 41983
Author: Google Security Research
Published: 2017-05-09
CVE: N/A
Type: Dos
Platform: Android
Aliases: N/A
Advisory/Source: Link
Tags: Denial of Service (DoS)
Vulnerable App: N/A

  
There are multiple paths in mkvparser::Block::Block(...) that result in heap buffer overflows. See attached for sample files that trigger the overflow conditions - these will not reliably crash the process, since the overflows are small and don't deterministically corrupt interesting data.

All offsets correspond to the version of the library I have, with md5sum 6708b7a76313c0a51df34c3cec5a0e0d.

Attached are crashers for the testcases which repeatedly cause the parsing of the files by the mediaserver process (via binder ipc), which will eventually cause the mediaserver to crash when the corrupted data is used.

1) (000035.mkv) Writing outside the bounds of a new[0] allocation.

In mkvparser::Block::Block, there is a call to new[] (0xfd44) with an attacker controlled count. By setting this count to 0, this will be passed by _Znaj/_Znwj as a call to malloc(1). In jemalloc, this will result in a minimum-sized allocation of 8 bytes.

The result of this new[] call is stored in the mkvparser::Block structure at offset 0x1c, and if we take the path resulting in a call to mkvparser::Block::BlockWithEbml (0xfe50), this function will write into this allocation at an offset of 8, overwriting the dword immediately following the allocation (0xfb54).

Due to the behaviour of jemalloc, this will be the first dword of another allocation of size 8.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
AM write failed: Broken pipe
ABI: 'arm'
pid: 14682, tid: 14791, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe3617e2e
r0 f153f250 r1 f003f4e8 r2 00000000 r3 e3617e22
r4 f003f500 r5 f153f250 r6 f003f4e8 r7 f1a59d58
r8 f05008f4 r9 00000000 sl 000003f5 fp f050081c
ip f6680e04 sp f05006a0 lr f667800b pc f714f742 cpsr 600f0030

backtrace:
#00 pc 0000e742 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+33)
#01 pc 00008007 /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD2Ev+22)
#02 pc 0000801d /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD0Ev+4)
#03 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#04 pc 000273f1 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+124)
#05 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#06 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#07 pc 000d64af /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD1Ev+118)
#08 pc 000d6515 /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD0Ev+4)
#09 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#10 pc 00058ee5 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient10disconnectEv+24)
#11 pc 0008e19d /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+72)
#12 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#13 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#14 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#15 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#16 pc 00023909 /system/lib/libbinder.so
#17 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#18 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#19 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

2) (000038.mkv) Writing outside the bounds of a new[16] allocation.

Following a similar path through the code, but instead letting the count resolve to 1, we get an allocation of size 16. We will then write outside the bounds of this allocation in mkvparser::Block::BlockWithEbml at (0xfbe0).

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16410, tid: 16516, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6ec
r0 000006ec r1 f06dd3fc r2 00000002 r3 efba11c4
AM write failed: Broken pipe
r4 00000000 r5 00000800 r6 f19cf6c0 r7 00000800
r8 00000000 r9 00000812 sl efba12e0 fp 00001000
ip 00000000 sp f06dd410 lr 00000001 pc f6f31cb8 cpsr 200f0030

backtrace:
#00 pc 00093cb8 /system/lib/libstagefright.so (_ZN7android18CallbackDataSource6readAtExPvj+39)
#01 pc 00093e97 /system/lib/libstagefright.so (_ZN7android15TinyCacheSource6readAtExPvj+230)
#02 pc 000262c9 /system/lib/libLGParserOSAL.so (_ZN19LGDataSourceAdaptor4ReadEPhPm+28)
#03 pc 00014737 /system/lib/liblg_parser_mkv.so (_ZN9MkvReader4ReadExlPh+62)
#04 pc 0000e1ed /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment17DoLoadClusterInfoERxRlS1_S1_+212)
#05 pc 00013c71 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment13DoLoadClusterERxRl+140)
#06 pc 00013e43 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment11LoadClusterERxRl+14)
#07 pc 0000aa73 /system/lib/liblg_parser_mkv.so (_ZN13BlockIterator3eosEv+42)
#08 pc 0000b16f /system/lib/liblg_parser_mkv.so (_ZN13BlockIterator7advanceEv+66)
#09 pc 0000b765 /system/lib/liblg_parser_mkv.so (_ZN8MkvTrackC2EP12MkvExtractorm+164)
#10 pc 0000b7d9 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractor8addTrackEm+24)
#11 pc 00009c81 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser8GetTrackEi+8)
#12 pc 00009dc1 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+248)
#13 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#14 pc 00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#15 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#16 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#17 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#18 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#19 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#20 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#21 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#22 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#23 pc 00023909 /system/lib/libbinder.so
#24 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#25 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#26 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

3) (000128.mkv) Writing outside the bounds of a new[1] allocation.

Similarly to 1) but writing out of bounds at (0xfdd0) without calling through to BlockWithEbml.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16661, tid: 18181, name: Binder_6 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x1ac
r0 f134e130 r1 e9a3b0d8 r2 00000000 r3 000001a0
AM write failed: Broken pipe
r4 e9a3b0f0 r5 f134e130 r6 e9a3b0d8 r7 ef8b94e8
r8 ee5bf8f4 r9 00000000 sl 000003f5 fp ee5bf81c
ip f61fae04 sp ee5bf6a0 lr f61f200b pc f6cc9742 cpsr 600f0030

backtrace:
#00 pc 0000e742 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+33)
#01 pc 00008007 /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD2Ev+22)
#02 pc 0000801d /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD0Ev+4)
#03 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#04 pc 000273f1 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+124)
#05 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#06 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#07 pc 000d64af /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD1Ev+118)
#08 pc 000d6515 /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD0Ev+4)
#09 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#10 pc 00058ee5 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient10disconnectEv+24)
#11 pc 0008e19d /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+72)
#12 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#13 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#14 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#15 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#16 pc 00023909 /system/lib/libbinder.so
#17 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#18 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#19 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41983.zip

Related Posts