OOB: cv::WorkerThread::WorkerThread() #15481

Closed
RootUp opened this issue Sep 7, 2019 · 2 comments · Fixed by #15531
Comments

@RootUp

RootUp commented Sep 7, 2019

Build type: Release
OpenCV version: 4.1.2-pre
OS: Linux 4.15.0-62-generic #69-Ubuntu
OpenCV VCS version: 4.1.1-217-g4de115c08

I've compiled opencv with clang, enabling ASAN; while fuzzing, the opencv_test_video binary crashes at cv::hal_baseline::v_load() and cv::computeSSDMeanNorm()

==14389==ERROR: AddressSanitizer: unknown-crash on address 0x61500000c9c4 at pc 0x7f24d2ff6a40 bp 0x7f24aa6c4ac0 sp 0x7f24aa6c4ab0
READ of size 16 at 0x61500000c9c4 thread T7
    #0 0x7f24d2ff6a3f in _mm_loadu_si128(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/7/include/emmintrin.h:703
    #1 0x7f24d2ff6a3f in cv::hal_baseline::v_load(unsigned char const*) /home/input0/opencv/modules/core/include/opencv2/core/hal/intrin_sse.hpp:1348
    #2 0x7f24d2ff6a3f in cv::computeSSDMeanNorm(unsigned char*, unsigned char*, int, int, float, float, float, float, int) /home/input0/opencv/modules/video/src/dis_flow.cpp:738
    #3 0x7f24d2ff927f in cv::DISOpticalFlowImpl::PatchInverseSearch_ParBody::operator()(cv::Range const&) const /home/input0/opencv/modules/video/src/dis_flow.cpp:887
    #4 0x7f24cc0d860e in operator() /home/input0/opencv/modules/core/src/parallel.cpp:323
    #5 0x7f24cc0de621 in cv::ParallelJob::execute(bool) /home/input0/opencv/modules/core/src/parallel_impl.cpp:315
    #6 0x7f24cc0f3dd5 in cv::WorkerThread::thread_body() /home/input0/opencv/modules/core/src/parallel_impl.cpp:415
    #7 0x7f24cc0f5660 in cv::WorkerThread::thread_loop_wrapper(void*) /home/input0/opencv/modules/core/src/parallel_impl.cpp:265
    #8 0x7f24d2a8c6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #9 0x7f24ca52e88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x61500000c9d0 is located 0 bytes to the right of 400-byte region [0x61500000c840,0x61500000c9d0)
allocated by thread T0 here:
    #0 0x7f24d35127a0 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdf7a0)
    #1 0x7f24cb2ffdc0 in cv::fastMalloc(unsigned long) /home/input0/opencv/modules/core/src/alloc.cpp:93

Thread T7 created by T0 here:
    #0 0x7f24d346ad2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f24cc0e9aa3 in cv::WorkerThread::WorkerThread(cv::ThreadPool&, unsigned int) /home/input0/opencv/modules/core/src/parallel_impl.cpp:227
    #2 0x7fffb7dfd58f  (<unknown module>)

SUMMARY: AddressSanitizer: unknown-crash /usr/lib/gcc/x86_64-linux-gnu/7/include/emmintrin.h:703 in _mm_loadu_si128(long long __vector(2) const*)
Shadow bytes around the buggy address:
  0x0c2a7fff98e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff98f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c2a7fff9900: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2a7fff9910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9930: 00 00 00 00 00 00 00 00[00]00 fa fa fa fa fa fa
  0x0c2a7fff9940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9950: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2a7fff9960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9980: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14389==
@RootUp RootUp changed the title cv::WorkerThread::WorkerThread() OOB: cv::WorkerThread::WorkerThread() Sep 16, 2019
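An added illustration, not OpenCV's code and not the fix in #15531: the report shows a 16-byte v_load / _mm_loadu_si128 issued 12 bytes before the end of a 400-byte region, so 4 bytes are read past the allocation. The C below uses a constructed 20x20 image as a stand-in for that region and a hypothetical vec_load_overrun() guard to reproduce the arithmetic from the report's addresses and to show the bounds check that routes such a tail read to a scalar loop instead of the wide load:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* v_load() on SSE is _mm_loadu_si128: one 16-byte read, as in the report. */
#define VEC_BYTES 16
/* Constructed stand-in for the 400-byte heap region in the report:
   a 20x20 single-channel image (row stride 20), not the test's real input. */
#define IMG_BYTES 400
#define PATCH 8

/* Byte offset of the faulting read inside the region, from the report:
   READ at 0x61500000c9c4, region starts at 0x61500000c840 -> 388. */
static size_t report_read_offset(void) {
    return (size_t)(0x61500000c9c4ULL - 0x61500000c840ULL);
}

/* Hypothetical guard: how many bytes would a VEC_BYTES load at `off`
   spill past the end of a `len`-byte region? 0 means in bounds. */
static size_t vec_load_overrun(size_t len, size_t off) {
    if (off >= len) return VEC_BYTES;
    size_t avail = len - off;
    return avail >= VEC_BYTES ? 0 : VEC_BYTES - avail;
}

/* Sum of one PATCH-pixel row at `off`. The vector path mirrors the reported
   pattern (a 16-byte load of which only 8 bytes are consumed); the guard sends
   any read that would cross the region end to a bounds-checked scalar loop. */
static uint32_t patch_row_sum(const uint8_t *img, size_t len, size_t off,
                              bool *used_scalar) {
    uint32_t sum = 0;
    if (vec_load_overrun(len, off) == 0) {
        uint8_t lane[VEC_BYTES];
        memcpy(lane, img + off, VEC_BYTES); /* portable stand-in for v_load */
        for (int i = 0; i < PATCH; i++) sum += lane[i];
        *used_scalar = false;
    } else {
        for (int i = 0; i < PATCH && off + (size_t)i < len; i++) sum += img[off + i];
        *used_scalar = true;
    }
    return sum;
}

/* Runs patch_row_sum over a constructed image whose pixel i holds i & 0xF. */
static uint32_t row_sum_on_constructed_image(size_t off, bool *used_scalar) {
    uint8_t img[IMG_BYTES];
    for (size_t i = 0; i < IMG_BYTES; i++) img[i] = (uint8_t)(i & 0xF);
    return patch_row_sum(img, IMG_BYTES, off, used_scalar);
}
```

With the report's offset (388) the guard reports a 4-byte overrun and the scalar path is taken; one patch row earlier (384) the full 16-byte load fits and the vector path is used.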

@alalek
Member

alalek commented Sep 17, 2019

fuzzing the opencv_test_video

There is no fuzzing in regular OpenCV tests, so there is no special reproducer input data.

Only address sanitizer is working.
One of the failed tests is:

  • DenseOpticalFlow_DIS.InvalidImgSize_CoarsestLevelLessThanFinestLevel
