
Issue 101458 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Email to this user bounced
Closed: Oct 2011
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.




OOB read in WebM/vorbis vorbis_decode_frame()

Reported by aohe...@gmail.com, Oct 25 2011

Issue description

VULNERABILITY DETAILS
ASan reports a heap buffer overflow (read) when the attached video is played in Chromium. The read is 384 bytes past the end of an object. This appears to also affect the stable version, where the renderer often crashes with a general protection error.

VERSION
Chrome Version: 17.0.918.0 (dev, also stable)
Operating System: Linux (Debian 6.0.3, x86_64)

REPRODUCTION CASE
 $ chrome oobr-vorbis-2.webm

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 

I don't have enough memory to symbolize ASan traces with full debugging data, but thanks to a tip from kcc at least the symbols are here.

=================================================================
==26270== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f4d053a6200 at pc 0x7f4d819e44f8 bp 0x7f4d28a3b430 sp 0x7f4d28a3b428
READ of size 4 at 0x7f4d053a6200 thread T92
    #0 0x7f4d819e44f8 in vorbis_decode_frame third_party/ffmpeg/patched-ffmpeg/libavcodec/vorbisdec.c:0
    #1 0x7f4d819d6f91 in avcodec_decode_audio3 ??:0
    #2 0x7f4d9697d476 in _ZN5media18FFmpegAudioDecoder14DoDecodeBufferERK13scoped_refptrINS_6BufferEE sysinfo.cc:0
    #3 0x7f4d9697eafc in _ZN4base8internal8Invoker2ILb0ENS0_15InvokerStorage2IMN5media18FFmpegAudioDecoderEFvRK13scoped_refptrINS3_6BufferEEEPS4_S7_EESB_E8DoInvokeEPNS0_18InvokerStorageBaseE sysinfo.cc:0
    #4 0x7f4d917935de in _ZN11MessageLoop7RunTaskERKNS_11PendingTaskE sysinfo.cc:0
    #5 0x7f4d91793cc9 in _ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE sysinfo.cc:0
    #6 0x7f4d91794e8a in _ZN11MessageLoop6DoWorkEv sysinfo.cc:0
    #7 0x7f4d9179e997 in _ZN4base18MessagePumpDefault3RunEPNS_11MessagePump8DelegateE sysinfo.cc:0
    #8 0x7f4d9179230b in _ZN11MessageLoop11RunInternalEv sysinfo.cc:0
    #9 0x7f4d917907c9 in _ZN11MessageLoop3RunEv sysinfo.cc:0
    #10 0x7f4d918090c8 in _ZN4base6Thread10ThreadMainEv sysinfo.cc:0
    #11 0x7f4d91807efc in _ZN4base12_GLOBAL__N_110ThreadFuncEPv base/threading/platform_thread_posix.cc:0
    #12 0x7f4d96a51f75 in _ZN10AsanThread11ThreadStartEv /usr/local/google/asan/address-sanitizer/asan/asan_thread.cc:102
    #13 0x7f4d8bc518ba in start_thread /home/aurel32/eglibc/eglibc-2.11.2/nptl/pthread_create.c:300
    #14 0x7f4d89dd802d in ?? /home/aurel32/eglibc/eglibc-2.11.2/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:114
[26270:26440:29543271666:ERROR:platform_thread_posix.cc(253)] Not implemented reached in static void base::PlatformThread::SetThreadPriority(PlatformThreadHandle, base::ThreadPriority)
0x7f4d053a6200 is located 384 bytes to the right of 4096-byte region [0x7f4d053a5080,0x7f4d053a6080)
allocated by thread T92 here:
    #0 0x7f4d96a47bcd in posix_memalign _asan_rtl_
    #1 0x7f4d81ab290b in av_malloc ??:0
    #2 0x7f4d819dc4cb in vorbis_decode_init third_party/ffmpeg/patched-ffmpeg/libavcodec/vorbisdec.c:0
    #3 0x7f4d819d5c8b in avcodec_open2 ??:0
    #4 0x7f4d9697c31d in _ZN5media18FFmpegAudioDecoder12DoInitializeERK13scoped_refptrINS_13DemuxerStreamEERKN4base8CallbackIFvvEEERKNS7_IFvRKNS_18PipelineStatisticsEEEE sysinfo.cc:0
    #5 0x7f4d9697f175 in _ZN4base8internal8Invoker4ILb0ENS0_15InvokerStorage4IMN5media18FFmpegAudioDecoderEFvRK13scoped_refptrINS3_13DemuxerStreamEERKNS_8CallbackIFvvEEERKNSA_IFvRKNS3_18PipelineStatisticsEEEEEPS4_S7_SC_SJ_EESN_E8DoInvokeEPNS0_18InvokerStorageBaseE sysinfo.cc:0
    #6 0x7f4d917935de in _ZN11MessageLoop7RunTaskERKNS_11PendingTaskE sysinfo.cc:0
    #7 0x7f4d91793cc9 in _ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE sysinfo.cc:0
    #8 0x7f4d91794e8a in _ZN11MessageLoop6DoWorkEv sysinfo.cc:0
    #9 0x7f4d9179e997 in _ZN4base18MessagePumpDefault3RunEPNS_11MessagePump8DelegateE sysinfo.cc:0
    #10 0x7f4d9179230b in _ZN11MessageLoop11RunInternalEv sysinfo.cc:0
    #11 0x7f4d917907c9 in _ZN11MessageLoop3RunEv sysinfo.cc:0
    #12 0x7f4d918090c8 in _ZN4base6Thread10ThreadMainEv sysinfo.cc:0
    #13 0x7f4d91807efc in _ZN4base12_GLOBAL__N_110ThreadFuncEPv base/threading/platform_thread_posix.cc:0
    #14 0x7f4d96a51f75 in _ZN10AsanThread11ThreadStartEv /usr/local/google/asan/address-sanitizer/asan/asan_thread.cc:102
Thread T92 created by T0 here:
    #0 0x7f4d96a47274 in pthread_create _asan_rtl_
    #1 0x7f4d91807cc9 in _ZN4base12_GLOBAL__N_112CreateThreadEmbPNS_14PlatformThread8DelegateEPm base/threading/platform_thread_posix.cc:0
    #2 0x7f4d91807bca in _ZN4base14PlatformThread6CreateEmPNS0_8DelegateEPm sysinfo.cc:0
    #3 0x7f4d9180890d in _ZN4base6Thread16StartWithOptionsERKNS0_7OptionsE sysinfo.cc:0
    #4 0x7f4d91808693 in _ZN4base6Thread5StartEv sysinfo.cc:0
    #5 0x7f4d963aaade in _ZN5media22MessageLoopFactoryImpl14GetMessageLoopERKSs sysinfo.cc:0
    #6 0x7f4d967c8a09 in _ZN11webkit_glue18WebMediaPlayerImpl10InitializeEPN6WebKit8WebFrameEb13scoped_refptrINS_16WebVideoRendererEE sysinfo.cc:0
    #7 0x7f4d95ee3c0a in _ZN14RenderViewImpl17createMediaPlayerEPN6WebKit8WebFrameEPNS0_20WebMediaPlayerClientE sysinfo.cc:0
    #8 0x7f4d92f4b6a0 in _ZN6WebKit24WebMediaPlayerClientImpl12loadInternalEv sysinfo.cc:0
    #9 0x7f4d93719045 in _ZN7WebCore11MediaPlayer23loadWithNextMediaEngineEPNS_18MediaPlayerFactoryE sysinfo.cc:0
    #10 0x7f4d937181e1 in _ZN7WebCore11MediaPlayer4loadERKN3WTF6StringERKNS_11ContentTypeE sysinfo.cc:0
    #11 0x7f4d9347ece6 in _ZN7WebCore16HTMLMediaElement12loadResourceERKNS_4KURLERNS_11ContentTypeE sysinfo.cc:0
    #12 0x7f4d9347d707 in _ZN7WebCore16HTMLMediaElement19selectMediaResourceEv sysinfo.cc:0
    #13 0x7f4d9347bc4a in _ZN7WebCore16HTMLMediaElement12loadInternalEv sysinfo.cc:0
    #14 0x7f4d936938d8 in _ZN7WebCore12ThreadTimers24sharedTimerFiredInternalEv sysinfo.cc:0
    #15 0x7f4d91805cf9 in _ZN4base6subtle18TaskClosureAdapter3RunEv sysinfo.cc:0
    #16 0x7f4d917935de in _ZN11MessageLoop7RunTaskERKNS_11PendingTaskE sysinfo.cc:0
    #17 0x7f4d91793cc9 in _ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE sysinfo.cc:0
    #18 0x7f4d91794e8a in _ZN11MessageLoop6DoWorkEv sysinfo.cc:0
    #19 0x7f4d9179e997 in _ZN4base18MessagePumpDefault3RunEPNS_11MessagePump8DelegateE sysinfo.cc:0
    #20 0x7f4d9179230b in _ZN11MessageLoop11RunInternalEv sysinfo.cc:0
    #21 0x7f4d917907c9 in _ZN11MessageLoop3RunEv sysinfo.cc:0
    #22 0x7f4d95f36563 in _Z12RendererMainRK18MainFunctionParams sysinfo.cc:0
    #23 0x7f4d915bab23 in _ZN12_GLOBAL__N_123RunNamedProcessTypeMainERKSsRK18MainFunctionParamsPN7content19ContentMainDelegateE content/app/content_main.cc:0
    #24 0x7f4d915ba070 in _ZN7content11ContentMainEiPPKcPNS_19ContentMainDelegateE sysinfo.cc:0
    #25 0x7f4d8ff093f7 in ChromeMain ??:0
    #26 0x7f4d8ff0864b in main sysinfo.cc:0
    #27 0x7f4d89d27c4d in __libc_start_main /home/aurel32/eglibc/eglibc-2.11.2/csu/libc-start.c:260
==26270== ABORTING

 
oobr-vorbis-2.webm
766 KB Download

Comment 1 by aohe...@gmail.com, Oct 25 2011

I'm actually not sure if the patch of http://code.google.com/p/chromium/issues/detail?id=100543 was on the test machine yet. Better check with it before looking further because this might be another manifestation of the same bug.
Owner: cevans@chromium.org

Comment 3 by kcc@chromium.org, Oct 25 2011

Labels: Stability-AddressSanitizer
Aki, you may also want to run the log through c++filt to get human readable function names.

The log with line numbers:

READ of size 4 at 0x7fa6c4e76200 thread T5
    #0 0x7fa6c55bd3c5 in vorbis_residue_decode_internal third_party/ffmpeg/patched-ffmpeg/libavcodec/vorbisdec.c:1406
    #1 0x7fa6c55b0101 in avcodec_decode_audio3 third_party/ffmpeg/patched-ffmpeg/libavcodec/utils.c:823
    #2 0x7fa6daaf7cd6 in media::FFmpegAudioDecoder::DoDecodeBuffer(scoped_refptr<media::Buffer> const&) media/filters/ffmpeg_audio_decoder.cc:193

0x7fa6c4e76200 is located 384 bytes to the right of 4096-byte region [0x7fa6c4e75080,0x7fa6c4e76080)
allocated by thread T5 here:
    #0 0x7fa6dabd032d in posix_memalign _asan_rtl_
    #1 0x7fa6c568ef3b in av_malloc third_party/ffmpeg/patched-ffmpeg/libavutil/mem.c:90
    #2 0x7fa6c55b561b in vorbis_parse_id_hdr third_party/ffmpeg/patched-ffmpeg/libavcodec/vorbisdec.c:938
    #3 0x7fa6c55aedfb in avcodec_open2 third_party/ffmpeg/patched-ffmpeg/libavcodec/utils.c:645
Labels: Stability-Valgrind SecSeverity-High reward-topanel SecImpacts-Stable SecImpacts-Beta Mstone-15
Status: Started
Ugly.

    vec[voffs + k + l * step] += codebook.codevectors[coffs + l];  // FPMATH

So the OOB read is followed immediately by an OOB write, courtesy of the += operator. That's a nasty heap corruption and definitely a different bug.

Investigating.
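As an added illustration (not FFmpeg's code and not the crrev.com/107662 fix), here is a constructed model of the accumulate step quoted above, with the index validation that stops an out-of-range offset from becoming a read that the `+=` then turns into a write. All names, the struct layout and the sample data are assumptions.

```c
#include <stddef.h>

/* Constructed model (not FFmpeg's code): a codebook is cv_len floats in total,
 * and one entry is dim consecutive floats starting at coffs. */
typedef struct {
    const float *codevectors;
    size_t cv_len;
} codebook_t;

/* Accumulate the entry at coffs into vec[voffs + k + l * step], l < dim.
 * Every index is validated before the loop, so a bad offset is rejected instead
 * of becoming an OOB read that += immediately turns into an OOB write.
 * Returns 0 on success, -1 if any index would leave vec or the codebook. */
int residue_accumulate(float *vec, size_t vec_len, size_t voffs, size_t k,
                       size_t step, const codebook_t *cb, size_t coffs, size_t dim)
{
    if (dim == 0)
        return 0;
    /* codebook read range: coffs .. coffs + dim - 1 */
    if (coffs > cb->cv_len || dim > cb->cv_len - coffs)
        return -1;
    /* vector write range: base .. base + (dim - 1) * step, no size_t overflow */
    if (voffs >= vec_len || k >= vec_len - voffs)
        return -1;
    size_t base = voffs + k;                      /* now base < vec_len */
    if (step != 0 && (dim - 1) > (vec_len - 1 - base) / step)
        return -1;
    for (size_t l = 0; l < dim; l++)
        vec[base + l * step] += cb->codevectors[coffs + l];  /* same arithmetic as the quoted line */
    return 0;
}

/* Constructed sample data: an 8-float output vector and a 4-float codebook entry. */
static const float sample_cv[4] = { 1.0f, 2.0f, 3.0f, 4.0f };

/* In-bounds case: touches vec[1], vec[3], vec[5], vec[7]; returns vec[7] (4.0). */
float demo_in_bounds(void)
{
    float vec[8] = { 0 }; codebook_t cb = { sample_cv, 4 };
    return residue_accumulate(vec, 8, 0, 1, 2, &cb, 0, 4) == 0 ? vec[7] : -1.0f;
}

/* Overrun case: voffs=4, step=2, dim=4 would reach vec[8] and vec[10]; rejected. */
int demo_vec_overrun(void)
{
    float vec[8] = { 0 }; codebook_t cb = { sample_cv, 4 };
    return residue_accumulate(vec, 8, 4, 0, 2, &cb, 0, 4);
}
```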
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Nice catch Aki!
crrev.com/107662
Cc: scherkus@chromium.org rbultje@google.com
Still needs DEPS roll etc.

Comment 9 by bugdroid1@chromium.org, Nov 3 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=108385

------------------------------------------------------------------------
r108385 | scherkus@chromium.org | Wed Nov 02 18:14:16 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=108385&r2=108384&pathrev=108385

Rolling FFmpeg to r108357.

TBR=cevans
BUG= 101458 

Review URL: http://codereview.chromium.org/8439065
------------------------------------------------------------------------
Labels: -reward-topanel reward-1000 reward-unpaid
As I mentioned earlier: great bug Aki! Reliable repro and a nasty heap buffer overflow which we're really glad to be without. A clear $1000 Chromium Security Reward.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -Merge-Approved Merge-Merged
DEPS rolled on M15 branch @19346
DEPS rolled on M16 branch @19347

Comment 12 by aohe...@gmail.com, Nov 5 2011

@scarybeasts Excellent \o/ I was in a hurry to find as many video-handling bugs as possible, and thought these would only be rewarded on the $500-level due to large repros.
@aohelin: hehe. We're less strict about the size of video files. They're not nearly as feasible to reduce. So as long as the file reliably demonstrates the issue, that's fine. Video bugs / fixes also tend to be less state-induced than WebKit bugs so the large repro typically doesn't hamper diagnosis.
Labels: CVE-2011-3895
Labels: -reward-unpaid
Payment in system.

Comment 16 Deleted

Labels: -Restrict-View-SecurityNotify
Opening access as requested.

Comment 18 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 19 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Stability-AddressSanitizer -Stability-Valgrind -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Mstone-15 Security-Impact-Beta Performance-Valgrind Performance-Memory-AddressSanitizer Security-Impact-Stable M-15 Type-Bug-Security Security-Severity-High

Comment 21 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined

Comment 22 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 26 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 27 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Valgrind Stability-Valgrind

Comment 28 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 29 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Comment 33 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-0 Pri-1
