SEGV on unknown address 0x000000000003(0x000000000009) #2515

Closed
chaoqu-ouc opened this issue Jul 4, 2023 · 0 comments

Comments

@chaoqu-ouc

Hello, I used the fuzzer (AFL) to fuzz the gpac binary and got some crashes.
The details follow.

Title: SEGV on unknown address 0x000000000003(0x000000000009)

1. Description

A SEGV on unknown address 0x000000000003 (0x000000000009) has occurred in function dump_isom_scene at /root/gpac/applications/mp4box/filedump.c:223:7
when running the program MP4Box; this can be reproduced on the latest commit.

2. Software version info

fuzz@ubuntu:~/gpac2.1/gpac/bin/gcc$ MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev381-g817a848f6-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

3. System version info

./uname -a
Linux ouc7 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

4. Command

./MP4Box -bt poc

5. Result

[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808401079
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808401079
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (invalid descriptor)
[MP4 Loading] Unable to fetch sample 14 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3913141==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7f3c65d28adb bp 0x00000000002d sp 0x7fffa6574310 T3913141)
==3913141==The signal is caused by a READ memory access.
==3913141==Hint: address points to the zero page.
    #0 0x7f3c65d28adb in gf_dump_vrml_sffield (/usr/local/lib/libgpac.so.12+0x4dfadb)
    #1 0x7f3c65d284e1 in gf_dump_vrml_simple_field (/usr/local/lib/libgpac.so.12+0x4df4e1)
    #2 0x7f3c65d1f694 in gf_sm_dump_command_list (/usr/local/lib/libgpac.so.12+0x4d6694)
    #3 0x7f3c65d27670 in gf_sm_dump (/usr/local/lib/libgpac.so.12+0x4de670)
    #4 0x450606 in dump_isom_scene /root/gpac/applications/mp4box/filedump.c:223:7
    #5 0x4478b0 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6461:7
    #6 0x7f3c654dc082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #7 0x41304d in _start (/usr/local/bin/MP4Box+0x41304d)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/usr/local/lib/libgpac.so.12+0x4dfadb) in gf_dump_vrml_sffield
==3913141==ABORTING
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808423476
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808423476
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (not supported)
[MP4 Loading] Unable to fetch sample 2 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==430714==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000009 (pc 0x7f38a4794adb bp 0x00000000002d sp 0x7ffed4adff90 T430714)
==430714==The signal is caused by a READ memory access.
==430714==Hint: address points to the zero page.
    #0 0x7f38a4794adb in gf_dump_vrml_sffield (/usr/local/lib/libgpac.so.12+0x4dfadb)
    #1 0x7f38a47944e1 in gf_dump_vrml_simple_field (/usr/local/lib/libgpac.so.12+0x4df4e1)
    #2 0x7f38a478b96d in gf_sm_dump_command_list (/usr/local/lib/libgpac.so.12+0x4d696d)
    #3 0x7f38a4793670 in gf_sm_dump (/usr/local/lib/libgpac.so.12+0x4de670)
    #4 0x450606 in dump_isom_scene /root/gpac/applications/mp4box/filedump.c:223:7
    #5 0x4478b0 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6461:7
    #6 0x7f38a3f48082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #7 0x41304d in _start (/usr/local/bin/MP4Box+0x41304d)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/usr/local/lib/libgpac.so.12+0x4dfadb) in gf_dump_vrml_sffield
==430714==ABORTING
6. Impact

This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly allowing remote code execution.

7. POC

POC file list

poc_list.zip

Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
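The MP4Box log above encodes two ISOBMFF rules that the fuzzed file violates: a box size of 0 means "extends to end of file" and is only legal at the top level ("has size 0 but is not at root/file level"), and a declared size that runs past the end of the file or parent makes the box incomplete ("Incomplete box 0000 - start 12356 size 808401079"). The walker below is an added triage example, not GPAC code and not the issue's PoC; it applies those checks plus the 64-bit `largesize` form to a constructed sample that mirrors the log (a size-0 "0000" child inside `moov` and a top-level "0000" box claiming 808401079 bytes). The `CONTAINERS` and `KNOWN` sets are a deliberately small subset chosen for the example.

```python
"""Minimal ISOBMFF (MP4) box walker that reproduces the checks behind the
MP4Box log lines quoted in this issue: unknown box types, a size-0 box that
is not at file level, and a box whose declared size runs past the end of its
container. Added triage example; not GPAC code."""
import struct

# Container boxes whose payload is itself a sequence of boxes (subset, assumption).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf"}
# Box types this toy walker treats as known; anything else is reported.
KNOWN = CONTAINERS | {b"ftyp", b"mvhd", b"tkhd", b"mdhd", b"hdlr", b"stsd",
                      b"mdat", b"free"}
ROOT = b"root"


def _walk(data, start, end, parent, depth, boxes, diags):
    pos = start
    while pos < end:
        if end - pos < 8:
            diags.append(f"truncated box header at {pos} in parent {parent.decode()}")
            break
        size = struct.unpack(">I", data[pos:pos + 4])[0]
        btype = data[pos + 4:pos + 8]
        name = btype.decode("ascii", errors="replace")
        hdr = 8
        if btype not in KNOWN:
            diags.append(f"unknown box type {name} in parent {parent.decode()}")
        if size == 1:  # 64-bit largesize follows the type field
            if end - pos < 16:
                diags.append(f"truncated largesize header for {name} at {pos}")
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            hdr = 16
        elif size == 0:  # "extends to end of file": legal only at file level
            if parent != ROOT:
                diags.append(f"box {name} at {pos} has size 0 but is not at "
                             f"root level, skipping end of parent {parent.decode()}")
                break
            size = end - pos
        if size < hdr:
            diags.append(f"box {name} at {pos} has size {size} smaller than its header")
            break
        if pos + size > end:  # declared size exceeds the bytes actually present
            diags.append(f"incomplete box {name} - start {pos} size {size}")
            break
        boxes.append((btype, pos, size, depth))
        if btype in CONTAINERS:
            _walk(data, pos + hdr, pos + size, btype, depth + 1, boxes, diags)
        pos += size
    if parent != ROOT and pos < end:
        diags.append(f"box {parent.decode()} has {end - pos} extra bytes")


def walk_boxes(data):
    """Return (boxes, diags): every box parsed as (type, offset, size, depth),
    plus the list of format violations found on the way."""
    boxes, diags = [], []
    _walk(data, 0, len(data), ROOT, 0, boxes, diags)
    return boxes, diags


def box(btype, payload=b"", size=None):
    """Build a box with an explicit (possibly bogus) 32-bit size field."""
    if size is None:
        size = 8 + len(payload)
    return struct.pack(">I", size) + btype + payload


# Constructed sample (not the issue's PoC): a valid ftyp, a moov whose child
# list contains a size-0 "0000" box, and a top-level "0000" box that claims
# 808401079 bytes, mirroring the values in the log above.
SAMPLE = (
    box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isomiso2")
    + box(b"moov", box(b"mvhd", b"\x00" * 100) + box(b"0000", size=0) + b"\xaa" * 6)
    + box(b"0000", b"\x00" * 4, size=808401079)
)

if __name__ == "__main__":
    found, problems = walk_boxes(SAMPLE)
    for t, off, sz, d in found:
        print("  " * d + f"{t.decode()} @ {off} size {sz}")
    for p in problems:
        print("[iso file]", p)
```

Running it on `SAMPLE` stops the `moov` child walk at the size-0 box (reporting the 14 leftover bytes as "extra bytes", as MP4Box does for the real file) and refuses the top-level box whose size exceeds the buffer; a walker that instead trusted the declared size and read on is exactly the kind of code a fuzzer steers into out-of-bounds reads.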
