
Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Issue 620277: Security: heap buffer overflow when calling RtpHeader::Parse on untrusted data

Reported by katrielc@chromium.org, Jun 15 2016 Project Member

Issue description

VULNERABILITY DETAILS
Calling webrtc::RtpUtility::RtpHeaderParser::Parse (https://cs.chromium.org/chromium/src/third_party/webrtc/modules/rtp_rtcp/source/rtp_utility.cc?l=178) with arbitrary data and all header extensions enabled results in a heap buffer overflow; it looks like the parser trusts the extension length reported by the packet, but I haven't investigated in depth.

I haven't traced this all the way through to a particular binary, but tracing the calls I believe Parse is called on untrusted data from the network.

This was found with a locally-run libfuzzer.

VERSION
WebRTC HEAD

REPRODUCTION CASE
Here is a malformed RTP packet.

unsigned char bad[] = {
  0x90, 0x64, 0x00, 0x58, 0x59, 0x43, 0x92, 0x78, 0x12, 0x30, 0x56, 0x78,
  0xbe, 0xde, 0x00, 0x02, 0x80, 0xff, 0xb2, 0x64, 0x00, 0xff, 0x32, 0xfd,
  0x90
};
unsigned int bad_len = 25;

Calling RtpHeaderParser::Parse on this packet with ASAN on hits a heap buffer overflow. The symbolised ASAN stacktrace follows.

==2977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee7a at pc 0x0000005c71c4 bp 0x7fff6f680390 sp 0x7fff6f680388
READ of size 1 at 0x60300000ee7a thread T0
    #0 0x5c71c3 in InternalReadBigEndian out/asan/../../webrtc/modules/rtp_rtcp/source/byte_io.h:93:29
    #1 0x5c71c3 in ReadBigEndian out/asan/../../webrtc/modules/rtp_rtcp/source/byte_io.h:81
    #2 0x5c71c3 in webrtc::RtpUtility::RtpHeaderParser::ParseOneByteExtensionHeader(webrtc::RTPHeader*, webrtc::RtpHeaderExtensionMap const*, unsigned char const*, unsigned char const*) const out/asan/../../webrtc/modules/rtp_rtcp/source/rtp_utility.cc:377
    #3 0x5c5734 in webrtc::RtpUtility::RtpHeaderParser::Parse(webrtc::RTPHeader*, webrtc::RtpHeaderExtensionMap*) const out/asan/../../webrtc/modules/rtp_rtcp/source/rtp_utility.cc:285:7
    #4 0x4de084 in webrtc::FuzzOneInput(unsigned char const*, unsigned long) out/asan/../../webrtc/test/fuzzers/rtp_header_fuzzer.cc:41:14
    #5 0x64bb16 in LLVMFuzzerTestOneInput out/asan/../../webrtc/test/fuzzers/webrtc_fuzzer_main.cc:39:3
    #6 0x5e6189 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) out/asan/../../third_party/libFuzzer/src/FuzzerLoop.cpp:514:13
    #7 0x5e4aed in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) out/asan/../../third_party/libFuzzer/src/FuzzerLoop.cpp:440:3
    #8 0x5d3b66 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) out/asan/../../third_party/libFuzzer/src/FuzzerDriver.cpp:257:6
    #9 0x5d7038 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) out/asan/../../third_party/libFuzzer/src/FuzzerDriver.cpp:379:9
    #10 0x5f4d56 in main out/asan/../../third_party/libFuzzer/src/FuzzerMain.cpp:21:10
    #11 0x7ff0dd846f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

0x60300000ee7a is located 0 bytes to the right of 26-byte region [0x60300000ee60,0x60300000ee7a)
allocated by thread T0 here:
    #0 0x4dbedb in operator new[](unsigned long) (/usr/local/google/home/katrielc/build/webrtc-checkout/src/out/asan/rtp_header_fuzzer+0x4dbedb)
    #1 0x5e60d9 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) out/asan/../../third_party/libFuzzer/src/FuzzerLoop.cpp:507:39
    #2 0x5e4aed in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) out/asan/../../third_party/libFuzzer/src/FuzzerLoop.cpp:440:3
    #3 0x5d3b66 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) out/asan/../../third_party/libFuzzer/src/FuzzerDriver.cpp:257:6
    #4 0x5d7038 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) out/asan/../../third_party/libFuzzer/src/FuzzerDriver.cpp:379:9
    #5 0x5f4d56 in main out/asan/../../third_party/libFuzzer/src/FuzzerMain.cpp:21:10
    #6 0x7ff0dd846f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow out/asan/../../webrtc/modules/rtp_rtcp/source/byte_io.h:93:29 in InternalReadBigEndian
Shadow bytes around the buggy address:
  0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00[02]
  0x0c067fff9dd0: fa fa 00 00 00 02 fa fa 00 00 00 02 fa fa 00 00
  0x0c067fff9de0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fff9df0: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2977==ABORTING
 

Comment 1 by katrielc@chromium.org, Jun 15 2016

Cc: katrielc@chromium.org

Comment 2 by danilchap@chromium.org, Jun 15 2016

Owner: danilchap@chromium.org

Comment 3 by danilchap@chromium.org, Jun 15 2016

Status: Started (was: Unconfirmed)

Comment 4 by est...@chromium.org, Jun 15 2016

Labels: Security_Severity-Medium
danilchap@, can you please set a Security_Impact-* label to indicate what versions of Chrome this affects? Thanks!

Comment 5 by danilchap@chromium.org, Jun 15 2016

Labels: Security_Impact-Stable

Comment 6 by est...@chromium.org, Jun 15 2016

Labels: M-51

Comment 7 by bugdroid1@chromium.org, Jun 16 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/30a3a751a68f1a076fb28f3ab55e4be80c2dfac5

commit 30a3a751a68f1a076fb28f3ab55e4be80c2dfac5
Author: Danil Chapovalov <danilchap@webrtc.org>
Date: Thu Jun 16 13:57:15 2016

Fix buffer overflow parsing malformed rtp packet
that has one-byte length extension going past extensions block

BUG= chromium:620277 
R=asapersson@webrtc.org

Review URL: https://codereview.webrtc.org/2064403002 .

Cr-Commit-Position: refs/heads/master@{#13168}

[modify] https://crrev.com/30a3a751a68f1a076fb28f3ab55e4be80c2dfac5/webrtc/modules/rtp_rtcp/source/rtp_utility.cc

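The report above describes a one-byte RTP header extension parser that trusts the per-element length field, and the fix commit describes the missing check (an element whose length runs past the extension block). The following is an added example written for this page, not WebRTC's own code and not the fixed ParseOneByteExtensionHeader: it is a generic RFC 5285 one-byte extension walk over the reporter's packet, with the bound check in place, plus a helper that computes (without dereferencing) how far a parser that trusts L would read past the block. The second, well-formed packet and all function names are constructed for the example; WebRTC additionally maps element ids through its extension map, which is not modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parser results; the overrun case is the one the report describes. */
enum rtp_ext_status {
    RTP_EXT_OK = 0,
    RTP_EXT_NONE,             /* X bit clear: no extension block present */
    RTP_EXT_BAD_VERSION,      /* RTP version is not 2 */
    RTP_EXT_TRUNCATED,        /* header or extension block exceeds the packet */
    RTP_EXT_NOT_ONE_BYTE,     /* profile is not 0xBEDE */
    RTP_EXT_ELEMENT_OVERRUN   /* an element's L field runs past the block */
};

#define RTP_FIXED_HEADER 12u
#define RTP_ONE_BYTE_PROFILE 0xBEDEu

/* One decoded RFC 5285 one-byte element: 4-bit id, 4-bit L, L+1 data bytes. */
struct rtp_ext_element {
    uint8_t id;
    uint8_t len;            /* data length in bytes, i.e. L + 1 */
    const uint8_t *data;    /* points into the packet, inside the block */
};

/* Constructed input 1: the malformed packet quoted in the report. Its last
 * element byte 0x32 (id 3, L 2) claims 3 data bytes with only 1 left. */
static const uint8_t kBadPacket[] = {
    0x90, 0x64, 0x00, 0x58, 0x59, 0x43, 0x92, 0x78, 0x12, 0x30, 0x56, 0x78,
    0xbe, 0xde, 0x00, 0x02, 0x80, 0xff, 0xb2, 0x64, 0x00, 0xff, 0x32, 0xfd,
    0x90
};
/* Constructed input 2: same packet with the last element changed to 0x30
 * (id 3, L 0), so its single data byte ends exactly at the block end. */
static const uint8_t kGoodPacket[] = {
    0x90, 0x64, 0x00, 0x58, 0x59, 0x43, 0x92, 0x78, 0x12, 0x30, 0x56, 0x78,
    0xbe, 0xde, 0x00, 0x02, 0x80, 0xff, 0xb2, 0x64, 0x00, 0xff, 0x30, 0xfd,
    0x90
};

/* Locate the extension block: *start = its first data byte, *blen = its
 * length, after checking that the whole block lies inside the packet. */
static enum rtp_ext_status locate_block(const uint8_t *pkt, size_t len,
                                        size_t *start, size_t *blen)
{
    if (len < RTP_FIXED_HEADER) return RTP_EXT_TRUNCATED;
    if ((pkt[0] >> 6) != 2) return RTP_EXT_BAD_VERSION;
    if (!((pkt[0] >> 4) & 1)) return RTP_EXT_NONE;
    size_t off = RTP_FIXED_HEADER + 4u * (pkt[0] & 0x0f);    /* skip CSRCs */
    if (len < off || len - off < 4) return RTP_EXT_TRUNCATED; /* profile+len */
    unsigned profile = (unsigned)pkt[off] << 8 | pkt[off + 1];
    size_t words = (size_t)pkt[off + 2] << 8 | pkt[off + 3];
    off += 4;
    if (words * 4 > len - off) return RTP_EXT_TRUNCATED;    /* block vs packet */
    if (profile != RTP_ONE_BYTE_PROFILE) return RTP_EXT_NOT_ONE_BYTE;
    *start = off;
    *blen = words * 4;
    return RTP_EXT_OK;
}

/* Parse the one-byte elements. Every data read is bounded by the block end,
 * which locate_block() already bounded by the packet end. *n_out receives
 * the number of elements accepted before any error. */
static enum rtp_ext_status parse_one_byte_extensions(const uint8_t *pkt,
        size_t len, struct rtp_ext_element *out, size_t max_out, size_t *n_out)
{
    size_t pos, blen;
    *n_out = 0;
    enum rtp_ext_status st = locate_block(pkt, len, &pos, &blen);
    if (st != RTP_EXT_OK) return st;
    size_t end = pos + blen;
    while (pos < end) {
        uint8_t id = pkt[pos] >> 4;
        size_t dlen = (size_t)(pkt[pos] & 0x0f) + 1;
        if (id == 0) { pos++; continue; }   /* padding byte */
        if (id == 15) break;                /* reserved id: stop parsing */
        pos++;
        /* The check the report's parser lacked: data must fit in the block. */
        if (dlen > end - pos) return RTP_EXT_ELEMENT_OVERRUN;
        if (*n_out < max_out) {
            out[*n_out].id = id;
            out[*n_out].len = (uint8_t)dlen;
            out[*n_out].data = pkt + pos;
        }
        (*n_out)++;
        pos += dlen;
    }
    return RTP_EXT_OK;
}

/* Walk the elements the way a parser that trusts L would, computing offsets
 * only and never dereferencing them. Returns how many bytes past the end of
 * the extension block the furthest element's data would reach. */
static size_t trusted_length_overrun_bytes(const uint8_t *pkt, size_t len)
{
    size_t pos, blen, worst = 0;
    if (locate_block(pkt, len, &pos, &blen) != RTP_EXT_OK) return 0;
    size_t end = pos + blen;
    while (pos < end) {                 /* pos < end <= len: this read is safe */
        uint8_t id = pkt[pos] >> 4;
        size_t dlen = (size_t)(pkt[pos] & 0x0f) + 1;
        if (id == 0) { pos++; continue; }
        if (id == 15) break;
        pos += 1 + dlen;                /* where the trusting parser lands */
        if (pos > end && pos - end > worst) worst = pos - end;
    }
    return worst;
}

int main(void)
{
    struct rtp_ext_element els[16];
    size_t n;
    enum rtp_ext_status st = parse_one_byte_extensions(kBadPacket, sizeof kBadPacket, els, 16, &n);
    printf("bad: status %d after %zu elements, trusted L reaches %zu byte(s) past the block\n",
           (int)st, n, trusted_length_overrun_bytes(kBadPacket, sizeof kBadPacket));
    st = parse_one_byte_extensions(kGoodPacket, sizeof kGoodPacket, els, 16, &n);
    printf("good: status %d, %zu elements\n", (int)st, n);
    return 0;
}
```

On the report's packet the third element (0x32 at the seventh byte of the block) claims three data bytes where only one remains, so the bounded parser stops with RTP_EXT_ELEMENT_OVERRUN after two elements, and the trusting walk would land two bytes past the block; with a one-byte payload behind the block that is one byte past the packet, which is the read the sanitizer caught. The two bounds are deliberately separate: the declared block length is checked against the packet before any element is read, and each element's length is checked against the block, so neither field from the wire is ever used as a read limit on its own.
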
Comment 8 by pbos@chromium.org, Jun 16 2016

estark@: Aren't read OOBs Severity-High?

Comment 9 by danilchap@chromium.org, Jun 20 2016

Status: Fixed (was: Started)
Fix rolled into chromium with https://codereview.chromium.org/2075893002

Comment 10 by danilchap@chromium.org, Jun 20 2016

Labels: Merge-Request-52
Requesting a merge of https://codereview.webrtc.org/2064403002 into M52

Has been in dev/canary for 3 days
Fix is trivial.

Comment 11 by tin...@google.com, Jun 20 2016

Labels: -Merge-Request-52 Merge-Approved-52 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M52 (branch: 2743)

Comment 12 by bugdroid1@chromium.org, Jun 20 2016

Project Member
Labels: merge-merged-52
The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/f33698296719f956497d2dbff81b5080864a8804

commit f33698296719f956497d2dbff81b5080864a8804
Author: Danil Chapovalov <danilchap@webrtc.org>
Date: Mon Jun 20 20:03:33 2016

Merge into M52 Fix buffer overflow parsing malformed rtp packet
that has one-byte length extension going past extensions block

Original CL: https://codereview.webrtc.org/2064403002

BUG= chromium:620277 
R=asapersson@webrtc.org

Review URL: https://codereview.webrtc.org/2080313002 .

Cr-Commit-Position: refs/branch-heads/52@{#7}
Cr-Branched-From: a376e70cf9d0df3c35d53533b454da542661775b-refs/heads/master@{#12798}

[modify] https://crrev.com/f33698296719f956497d2dbff81b5080864a8804/webrtc/modules/rtp_rtcp/source/rtp_utility.cc

Comment 13 by danilchap@chromium.org, Jun 20 2016

Labels: -Hotlist-Merge-Approved -Merge-Approved-52

Comment 14 by sheriffbot@chromium.org, Jun 21 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by danilchap@chromium.org, Jun 27 2016

Labels: Merge-Request-51
Requesting a merge of https://codereview.webrtc.org/2064403002 into M51

Has been in beta for >3 days
Fix is trivial.

Comment 16 by tin...@google.com, Jun 27 2016

Labels: -Merge-Request-51 Merge-Review-51 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M51), manual review required.

Comment 17 by amineer@chromium.org, Jul 22 2016

Labels: -M-51
M51 is done, removing merge request.

Comment 18 by amineer@chromium.org, Jul 22 2016

Labels: -Merge-Review-51 M-51
Removing merge request for realz.

Comment 19 by awhalley@chromium.org, Jul 29 2016

Labels: Release-1-M52

Comment 20 by sheriffbot@chromium.org, Sep 27 2016

Project Member
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
