
AddressSanitizer: heap-use-after-free in gf_isom_box_dump_ex isomedia/box_funcs.c:1734 #1333

Closed
Clingto opened this issue Nov 9, 2019 · 4 comments


Clingto commented Nov 9, 2019

System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-new-gf_isom_box_dump_ex

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_box_dump_ex

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000505aee in stco_dump ()
(gdb) bt
#0  0x0000000000505aee in stco_dump ()
#1  0x0000000000514918 in gf_isom_box_dump_ex ()
#2  0x0000000000502e15 in gf_isom_box_array_dump ()
#3  0x00000000005149dc in gf_isom_box_dump_done ()
#4  0x0000000000503a1b in stbl_dump ()
#5  0x0000000000514918 in gf_isom_box_dump_ex ()
#6  0x0000000000502e15 in gf_isom_box_array_dump ()
#7  0x00000000005149dc in gf_isom_box_dump_done ()
#8  0x000000000050615d in minf_dump ()
#9  0x0000000000514918 in gf_isom_box_dump_ex ()
#10 0x0000000000502f10 in gf_isom_dump ()
#11 0x0000000000425faa in dump_isom_xml ()
#12 0x000000000041c69a in mp4boxMain ()
#13 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:291
#14 0x000000000040eba9 in _start ()

ASAN info:

[iso file] Box "mvhd" (start 445) has 8 extra bytes
[iso file] Unknown box type tkhd in parent moov
[iso file] Unknown box type mdia in parent moov
[iso file] Box "UNKN" is larger than container box
[iso file] Box "moov" size 256 (start 437) invalid (read 830)
[iso file] Read Box type 00000000 (0x00000000) at position 851 has size 0 but is not at root/file level, skipping
[iso file] Box "stsd" (start 817) has 120 extra bytes
[iso file] Box "stco" (start 1003) has 40 extra bytes
=================================================================
==27857==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000ee50 at pc 0x0000006c6f5d bp 0x7fffffff7db0 sp 0x7fffffff7da0
READ of size 8 at 0x60600000ee50 thread T0
    #0 0x6c6f5c in gf_isom_box_dump_ex isomedia/box_funcs.c:1734
    #1 0x6a370c in gf_isom_box_dump isomedia/box_dump.c:97
    #2 0x6a370c in gf_isom_box_array_dump isomedia/box_dump.c:107
    #3 0x6c6faf in gf_isom_box_dump_done isomedia/box_funcs.c:1747
    #4 0x6a4f3e in stbl_dump isomedia/box_dump.c:379
    #5 0x6c6e7d in gf_isom_box_dump_ex isomedia/box_funcs.c:1738
    #6 0x6a370c in gf_isom_box_dump isomedia/box_dump.c:97
    #7 0x6a370c in gf_isom_box_array_dump isomedia/box_dump.c:107
    #8 0x6c6faf in gf_isom_box_dump_done isomedia/box_funcs.c:1747
    #9 0x6aa69a in minf_dump isomedia/box_dump.c:1291
    #10 0x6c6e7d in gf_isom_box_dump_ex isomedia/box_funcs.c:1738
    #11 0x6a3937 in gf_isom_box_dump isomedia/box_dump.c:97
    #12 0x6a3937 in gf_isom_dump isomedia/box_dump.c:139
    #13 0x443b9a in dump_isom_xml /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/filedump.c:1930
    #14 0x43246d in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4982
    #15 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

0x60600000ee50 is located 16 bytes inside of 56-byte region [0x60600000ee40,0x60600000ee78)
freed by thread T0 here:
    #0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x6c393f in gf_isom_box_del isomedia/box_funcs.c:1508

previously allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xae2b8d in stco_New isomedia/box_code_base.c:5616

SUMMARY: AddressSanitizer: heap-use-after-free isomedia/box_funcs.c:1734 gf_isom_box_dump_ex
Shadow bytes around the buggy address:
  0x0c0c7fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9da0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9db0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c7fff9dc0: 00 00 00 04 fa fa fa fa fd fd[fd]fd fd fd fd fa
  0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9df0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==27857==ABORTING

This bug still exists in the latest versions: 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).


Addition: this bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).


carnil commented Dec 31, 2019

CVE-2019-20168 was assigned for this issue.

aureliendavid added a commit that referenced this issue Jan 8, 2020
aureliendavid (Contributor) commented

Thanks for the report.

This should be fixed in master / 0.8.0 as of the above commit.

It will be included in filters / 0.9.0 in the next merge.

Feel free to reopen the issue if necessary.


Beuc commented Jan 16, 2020

Hi, I'm preparing a security upload for older gpac versions at Debian.

As far as I can test, 5250afe is not related to this issue: applying it on the reporter's 00dfc93 does not fix the ASAN error, and conversely reverse-applying it on master (cf620e1) does not make it re-appear.

Do you know what patch is fixing this CVE?

aureliendavid (Contributor) commented

Hi,

You're right, this one is mislabeled and is actually fixed by the previous commit (a8b6246).

Looks like it also works when applying it to 00dfc93:

$ git diff 00dfc93369329f1f549567d1b157566217bbfae0
diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c
index f40c9ba5..1add6c3f 100644
--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -5311,7 +5311,9 @@ GF_Err stbl_AddBox(GF_Box *s, GF_Box *a)
        case GF_ISOM_BOX_TYPE_CO64:
        case GF_ISOM_BOX_TYPE_STCO:
                if (ptr->ChunkOffset) {
-                       gf_isom_box_del(ptr->ChunkOffset);
+                       extern Bool use_dump_mode;
+                       if (!use_dump_mode)
+                               gf_isom_box_del(ptr->ChunkOffset);
                }
                ptr->ChunkOffset = a;
                return GF_OK;
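Review bot: the guard `if (!use_dump_mode)` keys the delete on a global flag rather than on who owns the old ChunkOffset box. The ASan trace above reaches the freed box through gf_isom_box_array_dump, i.e. the parent's child list still references it after `gf_isom_box_del(ptr->ChunkOffset);`; with this patch the non-dump path keeps freeing a box that list may reference, and the block-scope `extern Bool use_dump_mode;` inside a `case` hides that dependency from anyone reading the headers. Prefer removing the stale box from the parent's child list before deleting it, or treating a second stco/co64 in one stbl as a parse error, in both modes.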

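To make the ownership mistake behind this report concrete, here is an added example written for this page (it is not gpac code and uses none of gpac's types): a toy `stbl` parser that keeps every child box in a list for the dumper and also fills a typed ChunkOffset slot. `stbl_add_box_vulnerable` mirrors the pre-fix shape of stbl_AddBox, freeing the previous stco/co64 while the child list still points at it; `stbl_add_box_hardened` detaches the stale box from the list before freeing it, the alternative to keying the delete on a dump-mode global. The box layout (32-bit size, fourcc), the sample boxes and all names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an ISO BMFF 'stbl' container; not gpac's own types. */
#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define TYPE_STCO FOURCC('s', 't', 'c', 'o')
#define TYPE_CO64 FOURCC('c', 'o', '6', '4')

typedef struct { uint32_t type; uint32_t size; } Box;

typedef struct {
    Box **children;     /* every child in file order; the dumper walks this list */
    size_t nb_children;
    Box *chunk_offset;  /* typed slot: the last stco/co64 seen */
} Stbl;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static Box *box_new(uint32_t type, uint32_t size) {
    Box *b = calloc(1, sizeof *b);
    if (b) { b->type = type; b->size = size; }
    return b;
}

static void box_del(Box *b) { free(b); }

static int stbl_append_child(Stbl *s, Box *b) {
    Box **n = realloc(s->children, (s->nb_children + 1) * sizeof *n);
    if (!n) return -1;
    s->children = n;
    s->children[s->nb_children++] = b;
    return 0;
}

/* Drop b from the child list, preserving order; returns 1 if it was present. */
static int stbl_detach_child(Stbl *s, const Box *b) {
    for (size_t i = 0; i < s->nb_children; i++) {
        if (s->children[i] != b) continue;
        memmove(&s->children[i], &s->children[i + 1],
                (s->nb_children - i - 1) * sizeof *s->children);
        s->nb_children--;
        return 1;
    }
    return 0;
}

/* Pre-fix shape: a duplicate stco/co64 frees the previous one, but the child
 * list (the one the dumper walks) still holds the dangling pointer. */
static int stbl_add_box_vulnerable(Stbl *s, Box *a) {
    if (stbl_append_child(s, a)) return -1;
    if (a->type == TYPE_STCO || a->type == TYPE_CO64) {
        if (s->chunk_offset) box_del(s->chunk_offset); /* still in children[] */
        s->chunk_offset = a;
    }
    return 0;
}

/* Hardened: the child list owns the boxes, so detach before freeing. */
static int stbl_add_box_hardened(Stbl *s, Box *a) {
    if (a->type == TYPE_STCO || a->type == TYPE_CO64) {
        if (s->chunk_offset) {
            stbl_detach_child(s, s->chunk_offset);
            box_del(s->chunk_offset);
        }
        s->chunk_offset = a;
    }
    return stbl_append_child(s, a);
}

/* Parse a run of boxes; rejects a box whose declared size runs past the buffer,
 * the condition behind the "larger than container box" warnings in the report. */
static int parse_stbl(const uint8_t *buf, size_t len, Stbl *s, int (*add)(Stbl *, Box *)) {
    for (size_t pos = 0; pos + 8 <= len;) {
        uint32_t size = rd32(buf + pos), type = rd32(buf + pos + 4);
        if (size < 8 || size > len - pos) return -1;
        Box *b = box_new(type, size);
        if (!b || add(s, b)) { box_del(b); return -1; }
        pos += size;
    }
    return 0;
}

/* Dumper: reads every child's header; returns the number of boxes dumped. */
static size_t stbl_dump(const Stbl *s, FILE *out) {
    for (size_t i = 0; i < s->nb_children && out; i++)
        fprintf(out, "<box type=0x%08x size=%u/>\n",
                (unsigned)s->children[i]->type, (unsigned)s->children[i]->size);
    return s->nb_children;
}

static void stbl_free(Stbl *s) {
    for (size_t i = 0; i < s->nb_children; i++) box_del(s->children[i]);
    free(s->children);
    memset(s, 0, sizeof *s);
}

/* Constructed sample: an 'stsz' followed by two 'stco' boxes (malformed on purpose). */
static const uint8_t SAMPLE[] = {
    0, 0, 0, 8, 's', 't', 's', 'z',
    0, 0, 0, 8, 's', 't', 'c', 'o',
    0, 0, 0, 8, 's', 't', 'c', 'o',
};

/* Hardened path over SAMPLE: returns boxes dumped (2), or a negative code. */
static long run_hardened(void) {
    Stbl s = {0};
    if (parse_stbl(SAMPLE, sizeof SAMPLE, &s, stbl_add_box_hardened)) { stbl_free(&s); return -1; }
    long n = (long)stbl_dump(&s, NULL);
    if (!s.chunk_offset || s.chunk_offset != s.children[s.nb_children - 1]) n = -2;
    stbl_free(&s);
    return n;
}

/* Constructed: a single stco whose declared size (0x40) exceeds the 8 bytes present. */
static int run_oversized(void) {
    static const uint8_t bad[] = { 0, 0, 0, 0x40, 's', 't', 'c', 'o' };
    Stbl s = {0};
    int rc = parse_stbl(bad, sizeof bad, &s, stbl_add_box_hardened);
    stbl_free(&s);
    return rc;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--vulnerable") == 0) {
        /* Build with -fsanitize=address -g: stbl_dump reads the freed first stco. */
        Stbl s = {0};
        parse_stbl(SAMPLE, sizeof SAMPLE, &s, stbl_add_box_vulnerable);
        stbl_dump(&s, stdout);
        return 1; /* not freed: the list holds a dangling pointer */
    }
    printf("hardened: %ld boxes dumped\n", run_hardened());
    return 0;
}
```

Compile with `cc -fsanitize=address -g` and run with `--vulnerable` to get the same class of report as above (a heap-use-after-free READ in the dumper, freed in the add routine, allocated by the box constructor); without the flag the hardened path dumps two boxes and the typed slot still points at a box the child list owns.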