Status: Fixed
Owner:
Closed: Nov 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Nag

Blocked on:
issue 426560



Heap-use-after-free in vorbis_decode_frame
Project Member Reported by clusterf...@chromium.org, Sep 30 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4833912221073408

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_asan_chrome_v8_arm

Crash Type: Heap-use-after-free READ 2
Crash Address: 0xded28272
Crash State:
  vorbis_decode_frame
  avcodec_decode_audio4
  media::FFmpegAudioDecoder::FFmpegDecode
  

Minimized Testcase (97.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94fynbmP7VrCmejYF02QTiT_6G2WSDb7_Hs2XQlmBEy1XhRQIs2xEr1E_BtVnwFvBwRmmzS0lySun8BjLler0SapWgKUGCAudacqI_kUTlaTrvBooXkIZCkAv8b_xQ8RhoWvnuW_hanp9Cn6T1pxh2toGI2kDg_Rqmoy9jyKe6WuVl43JU

Filer: inferno
 
Cc: scherkus@chromium.org attek...@gmail.com
Owner: dalecur...@chromium.org
Status: Assigned
Project Member Comment 2 by clusterf...@chromium.org, Sep 30 2014
Labels: M-38 Pri-1
Cc: dalecur...@chromium.org
Labels: Cr-Internals-Media-FFmpeg
Owner: jrumm...@chromium.org
Probably only M39 since we just did an FFmpeg roll.

John, can you take a look?
Oh interesting, I just realized this was on ARM; possibly it means the size of the allocation is making incorrect assumptions about the primitive type width.
ClusterFuzz says this bug is old, says impacts stable, beta based on regression range. Anyway, the person analyzing will figure it out.
Cc: wolenetz@chromium.org
Cc: timwillis@chromium.org
Labels: -M-38 M-39
Bumping to M39 based on #c3. Please update if it turns out that this affects M38.
Project Member Comment 8 by clusterf...@chromium.org, Oct 9 2014
Labels: Nag
jrummell@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 9 by clusterf...@chromium.org, Oct 16 2014
jrummell@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 10 by clusterf...@chromium.org, Oct 24 2014
jrummell@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Comment 11 by attek...@gmail.com, Oct 24 2014

This is not an ARM only bug.

Here is a repro-file that reproduces the crash on: 

OS:Ubuntu 14.04
Chromium: 40.0.2197.0 (Developer Build) 
Revision: 05bc9c84e44660e9ba56f5566092228d3674679a-refs/heads/master@{#300565}

The repro-file has to be loaded with a small html-snippet:

<html><body>
<video autoplay src="chrome-heap-use-after-free-vorbisresiduedecodeinternal9.video" ></video>
</body></html>

ASAN-trace:

==11327==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000074672 at pc 0x7fab3ad7f153 bp 0x7fab0fff8140 sp 0x7fab0fff8138
READ of size 2 at 0x619000074672 thread T12 (Media)
    #0 0x7fab3ad7f152 in vorbis_residue_decode_internal /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/vorbisdec.c:1416:25
    #1 0x7fab3ad7f152 in vorbis_residue_decode /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/vorbisdec.c:1525:0
    #2 0x7fab3ad77ef9 in vorbis_parse_audio_packet /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/vorbisdec.c:1661:19
    #3 0x7fab3ad75d00 in vorbis_decode_frame /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/vorbisdec.c:1792:16
    #4 0x7fab3ad6b87c in avcodec_decode_audio4 /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/utils.c:2428:19
    #5 0x7fab57016aef in media::FFmpegAudioDecoder::FFmpegDecode(scoped_refptr<media::DecoderBuffer> const&, bool*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../media/filters/ffmpeg_audio_decoder.cc:257:24
...
0x619000074672 is located 498 bytes inside of 1024-byte region [0x619000074480,0x619000074880)
freed by thread T12 (Media) here:
    #0 0x7fab4d36f19e in __interceptor_realloc ??:0:0
    #1 0x7fab3ae6afa4 in av_realloc_f /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavutil/mem.c:179:9
    #2 0x7fab3acc6858 in alloc_table /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/bitstream.c:114:22
    #3 0x7fab3acc5d78 in build_table /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/bitstream.c:171:19
    #4 0x7fab3acc6309 in build_table /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/bitstream.c:226:21
    #5 0x7fab3acc5782 in ff_init_vlc_sparse /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/ffmpeg/libavcodec/bitstream.c:337:11
...
Attachment: chrome-heap-use-after-free-vorbisresiduedecodeinternal9.video (3.7 KB)
Cc: xhw...@chromium.org
I am able to reproduce this crash on ToT running with ASAN.

It is not a Heap-use-after-free error. It is caused by an index out of bounds.

failing line src/third_party/ffmpeg/libavcodec/vorbisdec.c:1416:25
    int vqbook  = vr->books[vqclass][pass];

Added some debugging logs, and I get:
vqclass 190, pass = 0, vr = 0x61d000082a80
=================================================================
==10==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000083672

vr->books defined as:
    int16_t books[64][8];

So even though it is attempting to read a realloced block of memory, it is really reading off the end of the block allocated @ 0x61d000082a80.
Have sent a possible patch to ffmpeg. Waiting for a response.
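As an added illustration of the analysis in the comment above (example code written for this page, not code from the bug report or from FFmpeg), the block below redoes the index arithmetic with the numbers given there and shows the bounds check that the unchecked `vr->books[vqclass][pass]` read lacks. It assumes a hypothetical stand-in struct that contains only the `int16_t books[64][8]` array quoted in the comment; the real decoder struct has other fields, and the 18-byte remainder that falls out of the arithmetic is an inference from the reported addresses, not something the report states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BOOKS_CLASSES 64   /* first dimension of books[64][8], from the report */
#define BOOKS_PASSES  8    /* second dimension, from the report */

/* Hypothetical stand-in for the decoder's residue struct. Only the books
 * array is taken from the bug report; the real struct has more fields. */
typedef struct {
    int16_t books[BOOKS_CLASSES][BOOKS_PASSES];
} residue_t;

/* Byte offset of books[vqclass][pass] from the start of the array, computed
 * arithmetically so that an out-of-range index never touches memory. */
size_t books_byte_offset(unsigned vqclass, unsigned pass)
{
    return ((size_t)vqclass * BOOKS_PASSES + pass) * sizeof(int16_t);
}

/* True only when both indices lie inside the declared array. */
bool books_index_in_bounds(unsigned vqclass, unsigned pass)
{
    return vqclass < BOOKS_CLASSES && pass < BOOKS_PASSES;
}

/* Bytes by which the access overshoots the end of the array; 0 if in bounds. */
size_t books_bytes_past_end(unsigned vqclass, unsigned pass)
{
    size_t off = books_byte_offset(vqclass, pass);
    size_t end = (size_t)BOOKS_CLASSES * BOOKS_PASSES * sizeof(int16_t);
    return off >= end ? off - end : 0;
}

/* Hardened lookup: 0 and the entry in *out on success, -1 when the index is
 * out of range. The unchecked read in the report instead returns whatever
 * heap memory happens to follow the struct. */
int books_lookup(const residue_t *vr, unsigned vqclass, unsigned pass, int16_t *out)
{
    if (!books_index_in_bounds(vqclass, pass))
        return -1;
    *out = vr->books[vqclass][pass];
    return 0;
}

/* Distance from a struct base address to the address in an ASAN report. */
uintptr_t report_offset(uintptr_t base, uintptr_t fault)
{
    return fault - base;
}

int main(void)
{
    /* Values quoted in the comment: vqclass 190, pass 0, vr = 0x61d000082a80,
     * ASAN-reported address 0x61d000083672. */
    unsigned vqclass = 190, pass = 0;
    uintptr_t base = 0x61d000082a80ULL, fault = 0x61d000083672ULL;
    uintptr_t dist = report_offset(base, fault);

    printf("books[%u][%u] is %zu bytes into the array, %zu bytes past its end\n",
           vqclass, pass, books_byte_offset(vqclass, pass),
           books_bytes_past_end(vqclass, pass));
    printf("ASAN address is %lu bytes from vr; minus the array offset: %lu\n",
           (unsigned long)dist,
           (unsigned long)(dist - books_byte_offset(vqclass, pass)));

    residue_t vr = {{{0}}};
    int16_t book = 0;
    printf("checked lookup, vqclass 190: %d\n", books_lookup(&vr, vqclass, pass, &book));
    printf("checked lookup, vqclass 63:  %d\n", books_lookup(&vr, 63, 7, &book));
    return 0;
}
```

With the reported indices the access sits 3040 bytes into a 1024-byte array, i.e. 2016 bytes beyond it, and the ASAN address is 3058 bytes from `vr`; the 18-byte difference is where the array would have to start inside the real struct for the numbers to line up. ASAN labels the read a use-after-free only because the bytes that far past the struct belonged to a freed block; the check in `books_lookup` turns the same input into an error return.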
Blockedon: chromium:426560
This was fixed in ffmpeg about a month ago. It will get merged into Chromium with the M40 ffmpeg roll ( issue 426560 ).

Commit: 8c50704ebf1777bee76772c4835d9760b3721057
Date:   Fri Oct 3 18:12:34 2014
avcodec/vorbisdec: Fix off by 1 error in ptns_to_read
Fixes read of uninitialized memory
Project Member Comment 16 by bugdroid1@chromium.org, Nov 7 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/25eeccf24ff44b010f12879c57979d89bc9ee820

commit 25eeccf24ff44b010f12879c57979d89bc9ee820
Author: xhwang <xhwang@chromium.org>
Date: Fri Nov 07 01:50:46 2014

Roll FFmpeg DEPS.

This includes two bug fixes.

BUG= 419060 , 427266 

Review URL: https://codereview.chromium.org/705193002

Cr-Commit-Position: refs/heads/master@{#303160}

[modify] https://chromium.googlesource.com/chromium/src.git/+/25eeccf24ff44b010f12879c57979d89bc9ee820/DEPS

Status: Fixed
Fixed by: https://gerrit.chromium.org/gerrit/72103
Project Member Comment 18 by clusterf...@chromium.org, Nov 7 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-40 M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Project Member Comment 19 by clusterf...@chromium.org, Nov 8 2014
ClusterFuzz has detected this issue as fixed in range 303095:303227.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4833912221073408

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_asan_chrome_v8_arm

Crash Type: Heap-use-after-free READ 2
Crash Address: 0xded28272
Crash State:
  vorbis_decode_frame
  avcodec_decode_audio4
  media::FFmpegAudioDecoder::FFmpegDecode
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=303095:303227

Minimized Testcase (97.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94fynbmP7VrCmejYF02QTiT_6G2WSDb7_Hs2XQlmBEy1XhRQIs2xEr1E_BtVnwFvBwRmmzS0lySun8BjLler0SapWgKUGCAudacqI_kUTlaTrvBooXkIZCkAv8b_xQ8RhoWvnuW_hanp9Cn6T1pxh2toGI2kDg_Rqmoy9jyKe6WuVl43JU

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Labels: -Merge-Triage Merge-Requested
This has been in the trunk for a few days and it's confirmed by ClusterFuzz. Request to merge to M39.
Project Member Comment 21 by clusterf...@chromium.org, Nov 14 2014
Labels: -M-38
Labels: -Merge-Requested Merge-Approved
Cc: jrumm...@chromium.org amineer@chromium.org
Owner: xhw...@chromium.org
Assign to myself to handle the merge request.

amineer: Double check with you.. Is it okay to merge this fix back to M39?
Cc: mbarbe...@chromium.org
+mbarbella@ from the security team.  M39 has already been released to stable (the merge request came after stable candidate was cut by a few days) and I don't plan to take anything that isn't critical.  Martin, do we need this in M39, or can we wait until M40?
If there is going to be a patch to M39, this looks like it would be worth including.
Labels: -Merge-Approved Merge-Review
Moving back to merge review, same justification as https://code.google.com/p/chromium/issues/detail?id=427266#c29
Labels: -Merge-Review Merge-Approved
Spoke with Dale, merge is approved for M39 branch 2171. Please roll DEPS by tomorrow evening PST.
Has this been merged into 40?
This was fixed in M40 per #16 and verified on M40 per #19.

The fix was also merged to M39 in https://codereview.chromium.org/755623005/, but I don't know why this issue wasn't updated with that.
Labels: -Merge-Approved Merge-Merged merge-merged-2214 merge-merged-2171
Labels: Release-0-M40
Labels: -Security_Severity-High Security_Severity-Medium
Adjusting severity based on c#13.
Labels: -reward-topanel reward-unpaid CVE-2014-7937 reward-1500
Congratulations - $1500 for this report. Panel notes: "$1000 for bug - not a use after free but an index out of bounds. +$500 ClusterFuzz bonus".
Project Member Comment 34 by clusterf...@chromium.org, Feb 13 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!
Project Member Comment 37 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 38 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic