Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102 In both of the following functions, mkvparser::AudioTrack::AudioTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long) and mkvparser::VideoTrack::VideoTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long), the EBML element_size is used unvalidated during EBML node parsing to allocate a stack buffer (via alloca) to store the element contents. Since calls to alloca simply compile to a subtraction from the current stack pointer, a large element_size can result in memory corruption and potential remote code execution in the mediaserver process (note that in both crashes below the fault address is the value of sp). Tested on an LG-G4 with the latest firmware available for my device; MRA58K. See attached for crash samples and the original unmodified file. (audio_track.mkv) Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys' Revision: '11' ABI: 'arm' pid: 16668, tid: 16986, name: pd_session >>> /system/bin/mediaserver <<< AM write failed: Broken pipe signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2e924108 r0 c01db33f r1 efd34940 r2 0000022c r3 2e924118 r4 f1449d80 r5 eeaff4d0 r6 eeaff470 r7 eeaff458 r8 f144f228 r9 00000000 sl 0000022c fp 00000000 ip 00000000 sp 2e924108 lr efd2afeb pc efd2b2c0 cpsr 800f0030 backtrace: #00 pc 000122c0 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10AudioTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+123) #01 pc 0001247b /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+222) #02 pc 00012635 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372) #03 pc 000128a9 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552) #04 pc 0000c821 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132) #05 pc 00009d01 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56) #06 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200) #07 pc 
00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68) #08 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242) #09 pc 0005a209 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312) #10 pc 0005d1bf /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490) #11 pc 0005d471 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68) #12 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16) #13 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54) #14 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224) #15 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112) #16 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30) #17 pc 0001a0c5 /system/lib/libc.so (__start_thread+6) (video_track.mkv) pid: 18217, tid: 18508, name: pd_session >>> /system/bin/mediaserver <<< signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2ae64110 r0 c01db33f r1 efd5e940 r2 000001bd r3 00000000 AM write failed: Broken pipe r4 eb03f4d0 r5 f1409b40 r6 eb03f470 r7 eb03f460 r8 f140f360 r9 2ae64120 sl c01db4fc fp 00000000 ip efd5ee80 sp 2ae64110 lr efd54feb pc efd5517a cpsr 800f0030 backtrace: #00 pc 0001217a /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10VideoTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+113) #01 pc 00012449 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+172) #02 pc 00012635 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372) #03 pc 000128a9 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552) #04 pc 0000c821 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132) #05 pc 
00009d01 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56) #06 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200) #07 pc 00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68) #08 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242) #09 pc 0005a209 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312) #10 pc 0005d1bf /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490) #11 pc 0005d471 /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68) #12 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16) #13 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54) #14 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224) #15 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112) #16 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30) #17 pc 0001a0c5 /system/lib/libc.so (__start_thread+6) Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41981.zip