AndroidVTS / android-vts

Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security. NowSecure presents an on-device app to test for recent device vulnerabilities.

Rewrite (some) Stagefright checks #17

Closed Fuzion24 closed 9 years ago

Fuzion24 commented 9 years ago

Some of the bugs are shallow enough in the function that we can trigger the issue without necessarily causing memory corruption. Rather than crafting an mp4 and hoping that it crashes mediaserver, we can dlsym functions of stagefright and logically check for the existence of bugs.

https://android.googlesource.com/platform/frameworks/av/+/2b50b7aa7d16014ccf35db7a7b4b5e84f7b4027c

Looks like you can dlsym `status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size)` and check for this without crashing.

You send in `size = INT_MAX` and see if you get `ERROR_MALFORMED`. If not, make sure `mDataSource->readAt` points to a function that returns -1 or whatever; then you get `ERROR_IO` on an unpatched ROM.
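
The probe described in the comment above, as an added C example that is not part of the issue thread or the android-vts code: it resolves a function with `dlsym`, calls it with `size = INT_MAX` against a data source whose read always fails, and maps the returned status to a verdict. The `fake_extractor` layout, the `resolve`/`check` helpers and the two `model_*` functions are constructed stand-ins; the mangled symbol name and the real object layout are build-specific and are left to the caller.

```c
#include <dlfcn.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* status_t values from frameworks/av MediaErrors.h (MEDIA_ERROR_BASE = -1000). */
enum { ERROR_IO = -1004, ERROR_MALFORMED = -1007 };
enum verdict { PATCHED, VULNERABLE, INCONCLUSIVE, UNAVAILABLE };

/* A non-virtual C++ method takes `this` as a hidden first argument;
 * int64_t stands in for off64_t. */
typedef int32_t (*parse_fn)(void *self, int64_t offset, size_t size);

/* Hypothetical stand-in for the extractor: only the read callback matters. */
struct fake_extractor { ssize_t (*readAt)(int64_t off, void *buf, size_t n); };
static ssize_t failing_read(int64_t off, void *buf, size_t n) {
    (void)off; (void)buf; (void)n;
    return -1;                       /* never writes to buf */
}

/* Resolve sym in lib; NULL when the library or symbol is absent on this ROM.
 * The handle is kept open on purpose so the returned pointer stays valid. */
parse_fn resolve(const char *lib, const char *sym) {
    void *h = dlopen(lib, RTLD_NOW | RTLD_LOCAL);
    return h ? (parse_fn)dlsym(h, sym) : NULL;
}

/* Call with size = INT_MAX and map the status code to a verdict. */
enum verdict check(parse_fn fn) {
    struct fake_extractor ex = { failing_read };
    if (!fn) return UNAVAILABLE;
    switch (fn(&ex, 0, (size_t)INT_MAX)) {
    case ERROR_MALFORMED: return PATCHED;     /* size rejected up front */
    case ERROR_IO:        return VULNERABLE;  /* size accepted, read attempted */
    default:              return INCONCLUSIVE;
    }
}

/* Constructed models of the two outcomes the comment describes; the real
 * size check is the one in the linked commit. */
int32_t model_patched(void *self, int64_t off, size_t size) {
    (void)self; (void)off;
    return size >= (size_t)INT_MAX ? ERROR_MALFORMED : 0;
}
int32_t model_unpatched(void *self, int64_t off, size_t size) {
    struct fake_extractor *ex = self;
    (void)size;
    return ex->readAt(off, NULL, 0) < 0 ? ERROR_IO : 0;
}
```

Treating a missing symbol as `UNAVAILABLE` rather than `PATCHED` keeps a ROM with a renamed or inlined function from being reported as safe.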

Fuzion24 commented 9 years ago

Implemented here: https://github.com/nowsecure/android-vts/blob/master/app/src/main/jni/stage_fright.c#L125

Needs a bit of testing.