LMS-Community / slimserver-vendor

Third-party software used with Lyrion Music Server
https://lyrion.org

Crash in alac library when parsing malformed m4a file #94

Closed retpoline closed 2 years ago

retpoline commented 2 years ago

Hi folks,

An interesting crash was found while fuzz testing the alac binary in slimserver-vendor/alac_decoder, which can be triggered via a malformed m4a file. Although this malformed file only crashes the program as-is, it could potentially be crafted further and create a security issue where these kinds of files would be able to compromise the process's memory by taking advantage of affordances given by memory corruption. It's recommended to harden the code to prevent these kinds of bugs, as it could greatly mitigate this issue and even future bugs.

Repro m4a file uploaded here: https://ufile.io/64gx1oqe

debug log

$ LD_PRELOAD=/usr/lib/libefence.so alac -f /tmp/test.wav crash.m4a 

  Electric Fence 2.2 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
unknown version??

ElectricFence Exiting: mprotect() failed: Segmentation fault (core dumped)

(gdb) r -f /tmp/test.wav crash.m4a 

Starting program: alac -f /tmp/test.wav crash.m4a

  Electric Fence 2.2 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
unknown version??

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:538

(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:538
#1  0x00007ffff7c334de in __GI__IO_file_xsgetn (fp=0x7ffff7a7ee28, data=<optimized out>, n=4294967288) at fileops.c:1304
#2  0x00007ffff7c27063 in __GI__IO_fread (buf=buf@entry=0x7ffff7a86ffc, size=size@entry=4, count=count@entry=1073741822, fp=0x7ffff7a7ee28) at iofread.c:38
#3  0x000055555555855e in fread (__stream=<optimized out>, __n=1073741822, __size=4, __ptr=0x7ffff7a86ffc) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:297
#4  stream_read (stream=stream@entry=0x7ffff7a80ff0, size=size@entry=4294967289, buf=0x7ffff7a86ffc) at stream.c:62
#5  0x0000555555557fd6 in read_chunk_stsd (qtmovie=<optimized out>, qtmovie=<optimized out>, chunk_len=103) at demux.c:254
#6  read_chunk_stbl (chunk_len=1135, qtmovie=<optimized out>) at demux.c:376
#7  read_chunk_minf (chunk_len=1195, qtmovie=<optimized out>) at demux.c:443
#8  read_chunk_mdia (chunk_len=1269, qtmovie=<optimized out>) at demux.c:483
#9  read_chunk_trak (chunk_len=1369, qtmovie=<optimized out>) at demux.c:523
#10 read_chunk_moov (chunk_len=<optimized out>, qtmovie=<optimized out>) at demux.c:593
#11 qtmovie_read (file=0x7ffff7a80ff0, demux_res=<optimized out>) at demux.c:693
#12 0x0000555555555415 in main (argc=<optimized out>, argv=<optimized out>) at main.c:312

(gdb) i r
rax            0x7ffff7a87ed6      140737348402902
rbx            0x7ffff7a7ee28      140737348365864
rcx            0x7ffff7a84f4a      140737348390730
rdx            0xe44               3652
rsi            0x7ffff7a84126      140737348387110
rdi            0x7ffff7a86ffc      140737348399100
rbp            0xeda               0xeda
rsp            0x7fffffffdfc8      0x7fffffffdfc8
r8             0x16                22
r9             0x7ffff7a87ea0      140737348402848
r10            0x7ffff7a85e8e      140737348394638
r11            0x7ffff7a87eb6      140737348402870
r12            0xfffff11e          4294963486
r13            0x7ffff7a86ffc      140737348399100
r14            0xd68               3432
r15            0x7ffff7d8d8a0      140737351571616
rip            0x7ffff7d2fa02      0x7ffff7d2fa02 <__memmove_avx_unaligned_erms+914>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

(gdb) x/i $rip
=> 0x7ffff7d2fa02 <__memmove_avx_unaligned_erms+914>:   vmovntdq YMMWORD PTR [r9],ymm0

(gdb) exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: e4ce8e167f722e20ccc8209a9537d07a.8a34082441819a0511cdd311c7d3e32d
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)
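As an added illustration (not code from the alac_decoder project, which is not reproduced here), the size argument 4294967289 in frame #4 is 0xFFFFFFF9, the value a 32-bit unsigned subtraction produces when a length read from the file is smaller than the header bytes already consumed. The entry layout and 8-byte header below are assumptions chosen for the example; the checked version shows the bound a demuxer should enforce before handing a length to stream_read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical entry layout (an assumption for this example, not the
 * project's real stsd structure): [uint32 be size][uint32 fourcc][payload],
 * where size counts the 8 header bytes as well as the payload. */
#define ENTRY_HEADER_LEN 8u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked arithmetic: a declared size smaller than the header wraps
 * around in 32-bit unsigned subtraction and yields a huge read length. */
uint32_t naive_payload_len(uint32_t entry_size) {
    return entry_size - ENTRY_HEADER_LEN;
}

/* Hardened version: returns the payload length, or -1 when the declared
 * size cannot cover its own header or does not fit inside the parent atom. */
long checked_payload_len(const uint8_t *buf, size_t parent_len) {
    if (parent_len < ENTRY_HEADER_LEN) return -1;   /* parent too short */
    uint32_t entry_size = be32(buf);
    if (entry_size < ENTRY_HEADER_LEN) return -1;   /* would underflow */
    if (entry_size > parent_len) return -1;         /* overruns parent */
    return (long)(entry_size - ENTRY_HEADER_LEN);
}

/* Constructed sample entries (not taken from the repro file). */
static const uint8_t good_entry[] = {
    0x00, 0x00, 0x00, 0x0c, 'a', 'l', 'a', 'c',  /* size 12, fourcc */
    0xde, 0xad, 0xbe, 0xef };                    /* 4-byte payload */
static const uint8_t bad_entry[] = {
    0x00, 0x00, 0x00, 0x01, 'a', 'l', 'a', 'c',  /* size 1 < header */
    0xde, 0xad, 0xbe, 0xef };

int main(void) {
    printf("naive length for declared size 1: %u\n", naive_payload_len(1));
    printf("checked good entry: %ld\n",
           checked_payload_len(good_entry, sizeof good_entry));
    printf("checked bad entry:  %ld\n",
           checked_payload_len(bad_entry, sizeof bad_entry));
    return 0;
}
```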

mherger commented 2 years ago

duplicate of #95