Project: project-zero
Starred by 2 users
Status: Fixed
Closed: Oct 2015
Samsung Galaxy S6: android.media.process Face Recognition Memory Corruption
Project Member Reported by natashenka@google.com, Aug 3 2015
The attached files cause memory corruption when they are scanned by the face recognition library in android.media.process.

From faces-art.bmp

F/libc    (11305): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 11555 (Thread-1136)
I/DEBUG   ( 2955): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 2955): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys'
I/DEBUG   ( 2955): Revision: '10'
I/DEBUG   ( 2955): ABI: 'arm64'
I/DEBUG   ( 2955): pid: 11305, tid: 11555, name: Thread-1136  >>> android.process.media <<<
I/DEBUG   ( 2955): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG   ( 2955):     x0   0000007f94ca2100  x1   0000007f94c63480  x2   0000007f94c0e200  x3   0000000000000000
I/DEBUG   ( 2955):     x4   0000000000000000  x5   0000000000000040  x6   000000000000003f  x7   0000000000000000
I/DEBUG   ( 2955):     x8   0000007f94c0e240  x9   0000000000000004  x10  000000000000003b  x11  000000000000003a
I/DEBUG   ( 2955):     x12  0000007f94c02080  x13  00000000ffffffff  x14  0000007f94c02080  x15  000000000151c5e8
I/DEBUG   ( 2955):     x16  0000007f885fe900  x17  0000007f9ee60d80  x18  0000007f9eed5a40  x19  0000007f94c1d100
I/DEBUG   ( 2955):     x20  0000000000000000  x21  0000007f94c65150  x22  0000007f949d0550  x23  0000007f94c1d110
I/DEBUG   ( 2955):     x24  0000000012d39070  x25  0000000000000066  x26  0000000012d23b80  x27  0000000000000066
I/DEBUG   ( 2955):     x28  0000000000000000  x29  0000007f949cfd70  x30  0000007f87acd200
I/DEBUG   ( 2955):     sp   0000007f949cfd70  pc   0000000000000000  pstate 0000000040000000
I/DEBUG   ( 2955): 
I/DEBUG   ( 2955): backtrace:
I/DEBUG   ( 2955):     #00 pc 0000000000000000  <unknown>
I/DEBUG   ( 2955):     #01 pc 0000000000000001  <unknown>
I/DEBUG   ( 2955):     #02 pc 26221b0826221b08  <unknown>

To reproduce, download the attached file and wait, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
faces_art.bmp (128 bytes)
faces.bmp (1.0 KB)
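
A triage example for the crash log above, added here and not part of the original report: it parses the debuggerd lines from logcat and flags the signs of a corrupted control-flow target visible in this dump (pc equal to the fault address, pc of 0, backtrace frames that map to no module or lie outside the user address range). The function names and the 48-bit address heuristic are assumptions of this example.

```python
import re

# Excerpt of the crash log in the report above, embedded so this runs offline.
SAMPLE = """\
I/DEBUG   ( 2955): pid: 11305, tid: 11555, name: Thread-1136  >>> android.process.media <<<
I/DEBUG   ( 2955): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG   ( 2955):     x28  0000000000000000  x29  0000007f949cfd70  x30  0000007f87acd200
I/DEBUG   ( 2955):     sp   0000007f949cfd70  pc   0000000000000000  pstate 0000000040000000
I/DEBUG   ( 2955): backtrace:
I/DEBUG   ( 2955):     #00 pc 0000000000000000  <unknown>
I/DEBUG   ( 2955):     #01 pc 0000000000000001  <unknown>
I/DEBUG   ( 2955):     #02 pc 26221b0826221b08  <unknown>
"""

PROC = re.compile(r">>> (\S+) <<<")
SIGNAL = re.compile(r"signal \d+ \((\w+)\), code -?\d+ \((\w+)\), fault addr (0x[0-9a-f]+)")
FRAME = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)")
REG = re.compile(r"\b(x\d+|sp|pc)\s+([0-9a-f]{16})\b")

def parse_crash(text):
    """Extract process name, signal info, registers and backtrace frames."""
    crash = {"regs": {}, "frames": []}
    for line in text.splitlines():
        if m := PROC.search(line):
            crash["process"] = m.group(1)
        if m := SIGNAL.search(line):
            crash["signal"], crash["code"] = m.group(1), m.group(2)
            crash["fault_addr"] = int(m.group(3), 16)
        if m := FRAME.search(line):  # frame lines also contain "pc <addr>"
            crash["frames"].append((int(m.group(2), 16), m.group(3)))
            continue
        for name, value in REG.findall(line):
            crash["regs"][name] = int(value, 16)
    return crash

def triage(crash):
    """Return the control-flow-corruption indicators present in a parsed crash."""
    findings = []
    pc, frames = crash["regs"].get("pc"), crash["frames"]
    if crash.get("signal") == "SIGSEGV" and pc == crash.get("fault_addr"):
        findings.append("fault on instruction fetch (pc == fault addr)")
    if pc == 0:
        findings.append("execution reached address 0")
    if frames and all(where == "<unknown>" for _, where in frames):
        findings.append("no frame maps to a loaded module")
    # Assumption of this example: user addresses fit in 48 bits on this target.
    if any(addr >> 48 for addr, _ in frames):
        findings.append("frame address outside user address range")
    return findings
```

Calling `triage(parse_crash(SAMPLE))` returns all four indicators for this dump; a crash whose pc and frames resolve inside a loaded library returns an empty list.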
Project Member Comment 1 by natashenka@google.com, Aug 4 2015
Summary: Samsung Galaxy S6: android.media.process Face Recognition Memory Corruption (was: android.media.process Face Recognition Memory Corruption)
Project Member Comment 2 by natashenka@google.com, Oct 22 2015
Owner: natashenka@google.com
Status: Fixed
Project Member Comment 3 by natashenka@google.com, Oct 23 2015
Labels: CVE-2015-7897
Project Member Comment 4 by natashenka@google.com, Nov 2 2015
Labels: -Restrict-View-Commit
Fixed in October MR.