GNOME Bugzilla – Bug 774834
flic decoder: Buffer overflow in flx_decode_delta_fli
Last modified: 2016-11-22 22:41:59 UTC
Created attachment 340511 [details] crash proof of concept from Chris Evans I haven't seen a bug report yet and it's unfixed in gstreamer's git code, so I'm reporting this: https://scarybeastsecurity.blogspot.dk/2016/11/0day-exploit-advancing-exploitation.html Chris Evans has written an exploit based on a buffer overflow in the flic decoder of gst-plugins-good. Here's a stack trace from address sanitizer with the sample file he provides and the current git head code: ==29835==ERROR: AddressSanitizer: SEGV on unknown address 0x60200003e6ae (pc 0x7fba1667b508 bp 0x7fba184ec770 sp 0x7fba184ec520 T1) ==29835==The signal is caused by a WRITE memory access. New clock: GstSystemClock #0 0x7fba1667b507 in flx_decode_delta_fli /f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:375:26 #1 0x7fba1667b507 in flx_decode_chunks /f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:236 #2 0x7fba1667b507 in gst_flxdec_chain /f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:574 #3 0x7fba250e60b7 in gst_pad_chain_data_unchecked /f/gstreamer/gstreamer/gst/gstpad.c:4206:11 #4 0x7fba250e9887 in gst_pad_push_data /f/gstreamer/gstreamer/gst/gstpad.c:4458:9 #5 0x7fba250e8eff in gst_pad_push /f/gstreamer/gstreamer/gst/gstpad.c:4577:9 #6 0x7fba19d33af9 in gst_type_find_element_loop /f/gstreamer/gstreamer/plugins/elements/gsttypefindelement.c:1180:11 #7 0x7fba251b05c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5 #8 0x7fba244bd867 (/usr/lib64/libglib-2.0.so.0+0x70867) #9 0x7fba244bced4 (/usr/lib64/libglib-2.0.so.0+0x6fed4) #10 0x7fba23e2c443 in start_thread (/lib64/libpthread.so.0+0x7443) #11 0x7fba2395b92c in clone (/lib64/libc.so.6+0xe792c) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:375:26 in flx_decode_delta_fli Thread T1 (typefind:sink) created by T0 here: #0 0x42e81d in __interceptor_pthread_create (/usr/bin/gst-launch-1.0+0x42e81d) #1 0x7fba244daadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
commit bf43f44fcfada5ec4a3ce60cb374340486fe9fac Author: Matthew Waters <matthew@centricular.com> Date: Tue Nov 22 19:05:00 2016 +1100 flxdec: add some write bounds checking Without checking the bounds of the frame we are writing into, we can write off the end of the destination buffer. https://scarybeastsecurity.blogspot.dk/2016/11/0day-exploit-advancing-exploitation.html https://bugzilla.gnome.org/show_bug.cgi?id=774834 and 1.10 2e203a79b7d9af4029307c1a845b3c148d5f5e62
The fix seems to work, but clang shows this warning: afl-clang-fast 2.35b by <lszekeres@google.com> gstflxdec.c:322:33: error: comparison of unsigned expression < 0 is always false [-Werror,-Wtautological-compare] if ((glong) row - count < 0) { ~~~~~~~~~~~~~~~~~~~ ^ ~ gstflxdec.c:332:33: error: comparison of unsigned expression < 0 is always false [-Werror,-Wtautological-compare] if ((glong) row - count < 0) { ~~~~~~~~~~~~~~~~~~~ ^ ~ So some checks are probably not working due to signed/unsigned issues.
... also in 1.8. But needs some further work
Take 2: commit fec77de8cbb0c8192b77aff2e563705ba421f2f2 Author: Matthew Waters <matthew@centricular.com> Date: Tue Nov 22 23:46:00 2016 +1100 flxdec: fix some warnings comparing unsigned < 0 bf43f44fcfada5ec4a3ce60cb374340486fe9fac was comparing an unsigned expression to be < 0 which was always false. gstflxdec.c: In function ‘flx_decode_brun’: gstflxdec.c:322:33: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] if ((glong) row - count < 0) { ^ gstflxdec.c:332:33: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] if ((glong) row - count < 0) { ^ https://bugzilla.gnome.org/show_bug.cgi?id=774834 and 1.10 1ab2b26193861b124426e2f8eb62b75b59ec5488
None of my business, but "row < count" is more legible :)