ITh4cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

Samsung libQjpeg image decoding memory corruption #495

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The attached JPEG file causes memory corruption in the DCMProvider service when the file is processed by the media scanner, leading to the following crash:

quaramip.jpg:

I/DEBUG   ( 2962): pid: 19350, tid: 19468, name: HEAVY#0  >>> com.samsung.dcm:DCMService <<<
I/DEBUG   ( 2962): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8080808080808080
I/DEBUG   ( 2962):     x0   0000007f97afd000  x1   0000007f98118650  x2   0000007f9811eaa8  x3   0000007f9815a430
I/DEBUG   ( 2962):     x4   8080808080808080  x5   0000007f9811eaa8  x6   0000000000000000  x7   0000000000000003
I/DEBUG   ( 2962):     x8   0000000000000050  x9   0000000000000005  x10  0000000000000053  x11  0000007f9815a470
I/DEBUG   ( 2962):     x12  0000007f97803920  x13  0000007f978ff050  x14  0000007f983fea40  x15  0000000000000001
I/DEBUG   ( 2962):     x16  0000007faabefae0  x17  0000007faf708880  x18  0000007faf77da40  x19  0000007f97afd000
I/DEBUG   ( 2962):     x20  00000000ffffffff  x21  0000000000000001  x22  0000007f9815a410  x23  0000007f981588f0
I/DEBUG   ( 2962):     x24  0000007f983feb44  x25  0000007f983feb48  x26  ffffffffffffffe8  x27  0000007f98118600
I/DEBUG   ( 2962):     x28  0000007f98177800  x29  000000000000001c  x30  0000007faabb8ff8
I/DEBUG   ( 2962):     sp   0000007f983fea50  pc   8080808080808080  pstate 0000000000000000
I/DEBUG   ( 2962): 
I/DEBUG   ( 2962): backtrace:
I/DEBUG   ( 2962):     #00 pc 8080808080808080  <unknown>
I/DEBUG   ( 2962):     #01 pc 00000000000000a6  <unknown>

quaramfree.jpg:

I/DEBUG   ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x808080808000d0
I/DEBUG   ( 2956):     x0   0000000000008080  x1   0000007f89d03720  x2   00000000000fffff  x3   8080808080800000
I/DEBUG   ( 2956):     x4   0000000000000008  x5   0000007f89cf2000  x6   0000007f89d03758  x7   0000000000000002
I/DEBUG   ( 2956):     x8   0000000000000006  x9   0000000000000012  x10  8080808080800090  x11  0000007f803015d8
I/DEBUG   ( 2956):     x12  0000000000000013  x13  0000007f89cf2000  x14  0000007f89d00000  x15  00000000000014a4
I/DEBUG   ( 2956):     x16  0000007f850eec00  x17  0000007f89c4e17c  x18  0000007f89d037f8  x19  8080808080808080
I/DEBUG   ( 2956):     x20  0000007f8031e618  x21  0000007f89cf2000  x22  0000000000000001  x23  0000007f803166d8
I/DEBUG   ( 2956):     x24  0000007f80331170  x25  0000000000000010  x26  00000000000001f4  x27  fffffffffffffffc
I/DEBUG   ( 2956):     x28  000000000000007d  x29  0000007f84efea60  x30  0000007f89c4e194
I/DEBUG   ( 2956):     sp   0000007f84efea60  pc   0000007f89cae0b4  pstate 0000000020000000
I/DEBUG   ( 2956): 
I/DEBUG   ( 2956): backtrace:
I/DEBUG   ( 2956):     #00 pc 00000000000790b4  /system/lib64/libc.so (je_free+92)
I/DEBUG   ( 2956):     #01 pc 0000000000019190  /system/lib64/libc.so (free+20)
I/DEBUG   ( 2956):     #02 pc 000000000003e8a0  /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+1076)
I/DEBUG   ( 2956):     #03 pc 00000000000427b0  /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2904)
I/DEBUG   ( 2956):     #04 pc 00000000000428d4  /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG   ( 2956):     #05 pc 0000000000042a08  /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
I/DEBUG   ( 2956):     #06 pc 000000000004420c  /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
I/DEBUG   ( 2956):     #07 pc 00000000000a4234  /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG   ( 2956):     #08 pc 0000000000001b98  /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG   ( 2956):     #09 pc 0000000000001418  /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
I/DEBUG   ( 2956):     #10 pc 00000000000018ec  /system/framework/arm64/saiv.odex

The pc is set to a value taken from the content of the JPEG file, indicating that this issue could probably be exploited to allow code execution. We believe the issue is caused by a flaw in libQjpeg.so (third-party Quram Qjpeg library).

To reproduce the issue, download the file and wait for media scanning to occur, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0

This issue was tested on a SM-G925V device running build number 
LRX22G.G925VVRU1AOE2. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 29 Jul 2015 at 10:05

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 30 Jul 2015 at 2:13

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 22 Oct 2015 at 12:16

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 23 Oct 2015 at 6:26

GoogleCodeExporter commented 8 years ago
Fixed in October update.

Original comment by natashe...@google.com on 2 Nov 2015 at 8:48