Security: heap buffer overflow when calling RtpHeader::Parse on untrusted data
Issue description

VULNERABILITY DETAILS
Calling webrtc::RtpUtility::RtpHeaderParser::Parse (https://cs.chromium.org/chromium/src/third_party/webrtc/modules/rtp_rtcp/source/rtp_utility.cc?l=178) with arbitrary data and all header extensions enabled results in a heap buffer overflow; it looks like the parser trusts the extension length reported by the packet, but I haven't investigated in depth. I haven't traced this all the way through to a particular binary, but tracing the calls I believe Parse is called on untrusted data from the network.

This was found with a locally-run libfuzzer.

VERSION
WebRTC HEAD

REPRODUCTION CASE
Here is a malformed RTP packet.

  unsigned char bad[] = {
      0x90, 0x64, 0x00, 0x58, 0x59, 0x43, 0x92, 0x78, 0x12, 0x30, 0x56, 0x78,
      0xbe, 0xde, 0x00, 0x02, 0x80, 0xff, 0xb2, 0x64, 0x00, 0xff, 0x32, 0xfd,
      0x90};
  unsigned int bad_len = 25;

Calling RtpHeaderParser::Parse on this packet with ASAN on hits a heap buffer overflow. The symbolised ASAN stacktrace follows.

==2977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee7a at pc 0x0000005c71c4 bp 0x7fff6f680390 sp 0x7fff6f680388
READ of size 1 at 0x60300000ee7a thread T0
    #0 0x5c71c3 in InternalReadBigEndian out/asan/../../webrtc/modules/rtp_rtcp/source/byte_io.h:93:29
    #1 0x5c71c3 in ReadBigEndian out/asan/../../webrtc/modules/rtp_rtcp/source/byte_io.h:81
    #2 0x5c71c3 in webrtc::RtpUtility::RtpHeaderParser::ParseOneByteExtensionHeader(webrtc::RTPHeader*, webrtc::RtpHeaderExtensionMap const*, unsigned char const*, unsigned char const*) const out/asan/../../webrtc/modules/rtp_rtcp/source/rtp_utility.cc:377
    #3 0x5c5734 in webrtc::RtpUtility::RtpHeaderParser::Parse(webrtc::RTPHeader*, webrtc::RtpHeaderExtensionMap*) const out/asan/../../webrtc/modules/rtp_rtcp/source/rtp_utility.cc:285:7
    #4 0x4de084 in webrtc::FuzzOneInput(unsigned char const*, unsigned long) out/asan/../../webrtc/test/fuzzers/rtp_header_fuzzer.cc:41:14
    #5 0x64bb16 in LLVMFuzzerTestOneInput out/asan/../../webrtc/test/fuzzers/webrtc_fuzzer_main.cc:39:3
    #6 0x5e6189 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) out/asan/../../third_party/libFuzzer/src/FuzzerLoop.cpp:514:13
    #7 0x5e4aed in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) out/asan/../../third_party/libFuzzer/src/FuzzerLoop.cpp:440:3
    #8 0x5d3b66 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) out/asan/../../third_party/libFuzzer/src/FuzzerDriver.cpp:257:6
    #9 0x5d7038 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) out/asan/../../third_party/libFuzzer/src/FuzzerDriver.cpp:379:9
    #10 0x5f4d56 in main out/asan/../../third_party/libFuzzer/src/FuzzerMain.cpp:21:10
    #11 0x7ff0dd846f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

0x60300000ee7a is located 0 bytes to the right of 26-byte region [0x60300000ee60,0x60300000ee7a)
allocated by thread T0 here:
    #0 0x4dbedb in operator new[](unsigned long) (/usr/local/google/home/katrielc/build/webrtc-checkout/src/out/asan/rtp_header_fuzzer+0x4dbedb)
    #1 0x5e60d9 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) out/asan/../../third_party/libFuzzer/src/FuzzerLoop.cpp:507:39
    #2 0x5e4aed in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) out/asan/../../third_party/libFuzzer/src/FuzzerLoop.cpp:440:3
    #3 0x5d3b66 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) out/asan/../../third_party/libFuzzer/src/FuzzerDriver.cpp:257:6
    #4 0x5d7038 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) out/asan/../../third_party/libFuzzer/src/FuzzerDriver.cpp:379:9
    #5 0x5f4d56 in main out/asan/../../third_party/libFuzzer/src/FuzzerMain.cpp:21:10
    #6 0x7ff0dd846f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow out/asan/../../webrtc/modules/rtp_rtcp/source/byte_io.h:93:29 in InternalReadBigEndian
Shadow bytes around the buggy address:
  0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00[02]
  0x0c067fff9dd0: fa fa 00 00 00 02 fa fa 00 00 00 02 fa fa 00 00
  0x0c067fff9de0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fff9df0: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2977==ABORTING
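The bug class the report describes, as an added example that is not the reporter's code or WebRTC's parser: a walker for the RFC 5285 one-byte header extension form (profile 0xBEDE, each element one byte of ID|len followed by len+1 data bytes) that checks the per-element length against the bytes remaining in the extension block, beside a model of the unchecked walk. The `bad` packet is copied from the report; in it the extension block is 8 bytes and the third element (0x32: ID 3, len nibble 2, so 3 data bytes) starts at the block's seventh byte, so an unchecked walk reads 2 bytes past the block. Rather than perform that read (undefined behaviour), `one_byte_ext_overrun` returns how far past the block the element would reach. The function names, the good packet and the truncated packet are constructed for this example and are not from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTP_FIXED_HEADER 12
#define RTP_ONE_BYTE_PROFILE 0xBEDE

struct rtp_ext_elem {
    uint8_t id;          /* 4-bit local identifier, 1..14 */
    uint8_t len;         /* data length in bytes (wire len nibble + 1) */
    const uint8_t *data; /* points into the packet buffer */
};

/* Packet from the bug report: 0xBEDE block of 2 words whose last element
   (0x32) claims 3 data bytes with only 1 left in the block. */
static const uint8_t kBadPacket[] = {
    0x90, 0x64, 0x00, 0x58, 0x59, 0x43, 0x92, 0x78, 0x12, 0x30, 0x56, 0x78,
    0xbe, 0xde, 0x00, 0x02, 0x80, 0xff, 0xb2, 0x64, 0x00, 0xff, 0x32, 0xfd,
    0x90};
/* Constructed: same packet but the block length field (3 words) exceeds
   the bytes actually received. */
static const uint8_t kTruncatedPacket[] = {
    0x90, 0x64, 0x00, 0x58, 0x59, 0x43, 0x92, 0x78, 0x12, 0x30, 0x56, 0x78,
    0xbe, 0xde, 0x00, 0x03, 0x80, 0xff, 0xb2, 0x64, 0x00, 0xff, 0x32, 0xfd,
    0x90};
/* Constructed well-formed packet: ID 1 (1 byte), ID 2 (2 bytes), padding. */
static const uint8_t kGoodPacket[] = {
    0x90, 0x64, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0xbe, 0xde, 0x00, 0x02, 0x10, 0xaa, 0x21, 0xbb, 0xcc, 0x00, 0x00, 0x00,
    0x11};

/* Locates the header extension block (RFC 3550 5.3.1) and checks the block's
   own length field against the packet size. Returns 0 and sets *ext/*ext_len
   on success, 1 if the X bit is clear (no extension), -1 if the packet is
   truncated or the block is not the one-byte form. */
int rtp_extension_block(const uint8_t *pkt, size_t len,
                        const uint8_t **ext, size_t *ext_len)
{
    if (len < RTP_FIXED_HEADER || (pkt[0] >> 6) != 2) return -1;
    int x = (pkt[0] >> 4) & 1;
    size_t cc = pkt[0] & 0x0f;
    size_t off = RTP_FIXED_HEADER + 4 * cc;     /* skip the CSRC list */
    if (!x) { *ext = NULL; *ext_len = 0; return len >= off ? 1 : -1; }
    if (len < off + 4) return -1;               /* extension header truncated */
    uint16_t profile = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
    size_t words = (size_t)((pkt[off + 2] << 8) | pkt[off + 3]);
    size_t block_len = 4 * words;
    if (profile != RTP_ONE_BYTE_PROFILE) return -1;
    if (len - (off + 4) < block_len) return -1; /* untrusted length vs. received bytes */
    *ext = pkt + off + 4;
    *ext_len = block_len;
    return 0;
}

/* Model of the unchecked walk: trusts each element's len nibble. Instead of
   reading the data it returns how many bytes the first oversized element
   would read past the end of the block (0 when every element fits). */
size_t one_byte_ext_overrun(const uint8_t *ext, size_t ext_len)
{
    size_t pos = 0;
    while (pos < ext_len) {
        uint8_t b = ext[pos++];
        uint8_t id = b >> 4;
        size_t dlen = (size_t)(b & 0x0f) + 1;
        if (id == 0) continue;          /* padding byte */
        if (id == 15) return 0;         /* reserved ID: stop parsing */
        if (pos + dlen > ext_len) return pos + dlen - ext_len;
        pos += dlen;
    }
    return 0;
}

/* Hardened walk: an element's declared length is checked against the bytes
   left in the block before its data is touched. Returns the number of
   elements (at most max are stored in out[]), or -1 on a malformed element. */
int parse_one_byte_extensions(const uint8_t *ext, size_t ext_len,
                              struct rtp_ext_elem *out, size_t max)
{
    size_t pos = 0, n = 0;
    while (pos < ext_len) {
        uint8_t b = ext[pos++];
        uint8_t id = b >> 4;
        size_t dlen = (size_t)(b & 0x0f) + 1;
        if (id == 0) continue;
        if (id == 15) break;
        if (dlen > ext_len - pos) return -1;  /* reject instead of over-reading */
        if (n < max) {
            out[n].id = id;
            out[n].len = (uint8_t)dlen;
            out[n].data = ext + pos;
        }
        n++;
        pos += dlen;
    }
    return (int)n;
}

/* End-to-end: -1 malformed, 0 no extension, otherwise element count. */
int parse_rtp_extensions(const uint8_t *pkt, size_t len,
                         struct rtp_ext_elem *out, size_t max)
{
    const uint8_t *ext;
    size_t ext_len;
    int rc = rtp_extension_block(pkt, len, &ext, &ext_len);
    if (rc < 0) return -1;
    if (rc == 1) return 0;
    return parse_one_byte_extensions(ext, ext_len, out, max);
}

int main(void)
{
    struct rtp_ext_elem elems[8];
    const uint8_t *ext;
    size_t ext_len;
    if (rtp_extension_block(kBadPacket, sizeof kBadPacket, &ext, &ext_len) == 0)
        printf("bad packet: unchecked walk would read %zu byte(s) past the block\n",
               one_byte_ext_overrun(ext, ext_len));
    printf("bad packet: checked parse -> %d\n",
           parse_rtp_extensions(kBadPacket, sizeof kBadPacket, elems, 8));
    printf("truncated packet: checked parse -> %d\n",
           parse_rtp_extensions(kTruncatedPacket, sizeof kTruncatedPacket, elems, 8));
    int n = parse_rtp_extensions(kGoodPacket, sizeof kGoodPacket, elems, 8);
    printf("good packet: %d element(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  id=%u len=%u first byte=0x%02x\n",
               elems[i].id, elems[i].len, elems[i].data[0]);
    return 0;
}
```

Two lengths are attacker-controlled here and both need a check: the block length in the extension header (against the bytes received) and each element's len nibble (against the bytes left in the block). The report's packet passes the first and fails the second.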
Jun 15 2016
danilchap@, can you please set a Security_Impact-* label to indicate what versions of Chrome this affects? Thanks!
Jun 16 2016
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/30a3a751a68f1a076fb28f3ab55e4be80c2dfac5

commit 30a3a751a68f1a076fb28f3ab55e4be80c2dfac5
Author: Danil Chapovalov <danilchap@webrtc.org>
Date: Thu Jun 16 13:57:15 2016

Fix buffer overflow parsing malformed rtp packet that has one-byte length extension going past extensions block

BUG= chromium:620277
R=asapersson@webrtc.org

Review URL: https://codereview.webrtc.org/2064403002 .

Cr-Commit-Position: refs/heads/master@{#13168}

[modify] https://crrev.com/30a3a751a68f1a076fb28f3ab55e4be80c2dfac5/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
Jun 16 2016
estark@: Aren't read OOBs Severity-High?
Jun 20 2016
Fix rolled into chromium with https://codereview.chromium.org/2075893002
Jun 20 2016
Requesting a merge of https://codereview.webrtc.org/2064403002 into M52. Has been in dev/canary for 3 days. Fix is trivial.
Jun 20 2016
Your change meets the bar and is auto-approved for M52 (branch: 2743)
Jun 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/f33698296719f956497d2dbff81b5080864a8804

commit f33698296719f956497d2dbff81b5080864a8804
Author: Danil Chapovalov <danilchap@webrtc.org>
Date: Mon Jun 20 20:03:33 2016

Merge into M52

Fix buffer overflow parsing malformed rtp packet that has one-byte length extension going past extensions block

Original CL: https://codereview.webrtc.org/2064403002

BUG= chromium:620277
R=asapersson@webrtc.org

Review URL: https://codereview.webrtc.org/2080313002 .

Cr-Commit-Position: refs/branch-heads/52@{#7}
Cr-Branched-From: a376e70cf9d0df3c35d53533b454da542661775b-refs/heads/master@{#12798}

[modify] https://crrev.com/f33698296719f956497d2dbff81b5080864a8804/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
Jun 27 2016
Requesting a merge of https://codereview.webrtc.org/2064403002 into M51. Has been in beta for >3 days. Fix is trivial.
Jun 27 2016
[Automated comment] Request affecting a post-stable build (M51), manual review required.
Jul 22 2016
M51 is done, removing merge request.
Jul 22 2016
Removing merge request for realz.
Sep 27 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by katrielc@chromium.org, Jun 15 2016