ioasis / google-security-research

Automatically exported from code.google.com/p/google-security-research

libstagefright integer overflow checks can be bypassed with extended chunk lengths #502

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The following fix to an integer overflow issue (part of the Stagefright issues 
presented at BlackHat) does not work as intended:

https://android.googlesource.com/platform/frameworks/av/+/f6dda8df18979200a27ca462a9dfa38c11a0e80c%5E!/

The check:

+            if (SIZE_MAX - chunk_size <= size) {
+                return ERROR_MALFORMED;
+            }
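Review bot: the guard `SIZE_MAX - chunk_size <= size` is evaluated at the width of chunk_size, which the report says is a 64-bit extended chunk length, so on a target where size_t is 32 bits the subtraction wraps for any chunk_size above SIZE_MAX and the oversized chunk is accepted instead of rejected. Comparing the chunk length against the remaining headroom, `if (chunk_size >= SIZE_MAX - size)`, keeps the arithmetic in range (size is a size_t, so SIZE_MAX - size cannot wrap) and rejects every chunk_size for which `size + chunk_size` would not fit in size_t, which is the quantity the later `new uint8_t[size + chunk_size]` depends on.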

is ineffective because chunk_size can be a 64-bit value if extended chunk 
lengths are used. In the attached sample, SIZE_MAX = 0xffffffff, chunk_size = 
0xffffffffffffffff and size = 0x40. Therefore, SIZE_MAX - chunk_size = 
0xffffffff00000000 which passes the check as it is more than 0x40. This then 
causes an integer overflow in the allocation and read:

            uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size];
            if (buffer == NULL) {
                return ERROR_MALFORMED;
            }

            if (size > 0) {
                memcpy(buffer, data, size);
            }

            if ((size_t)(mDataSource->readAt(*offset, buffer + size, chunk_size))

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by natashe...@google.com on 12 Aug 2015 at 6:30

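The arithmetic behind the bypass, as an added illustration that is not code from the report or from AOSP: it models a 32-bit size_t (the `size32_t` typedef and `SIZE32_MAX` are assumptions so the demo behaves the same on a 64-bit host), applies the quoted check and a headroom-based alternative (my own formulation, not the eventual AOSP fix) to the sample's values, and shows the truncated length the allocation actually receives.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Model a 32-bit target: size_t is 32 bits wide, so SIZE_MAX is 0xffffffff,
 * matching the SIZE_MAX given in the report. (Assumed typedef for the demo.) */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* The check as quoted from the patch. chunk_size is the 64-bit extended chunk
 * length, so the subtraction happens in 64-bit arithmetic: for any chunk_size
 * above SIZE32_MAX it wraps to a large value instead of rejecting the chunk.
 * Returns true when the input would be rejected (ERROR_MALFORMED). */
bool flawed_check_rejects(uint64_t chunk_size, size32_t size) {
    return (SIZE32_MAX - chunk_size) <= size;
}

/* Headroom-based check (my own formulation): reject whenever size + chunk_size
 * would not fit in size_t. SIZE32_MAX - size cannot wrap because size is a
 * size_t, and the comparison is done at chunk_size's full width. */
bool fixed_check_rejects(uint64_t chunk_size, size32_t size) {
    return chunk_size >= (uint64_t)SIZE32_MAX - size;
}

/* Allocation length as the target computes it: size + chunk_size truncated to
 * the 32-bit size_t that new uint8_t[] receives. With the sample's values this
 * is smaller than size itself, so the following memcpy(buffer, data, size)
 * already writes past the end of the buffer. */
size32_t alloc_len(uint64_t chunk_size, size32_t size) {
    return (size32_t)(size + chunk_size);
}

int main(void) {
    /* Values from the report's sample: size = 0x40, chunk_size = 2^64 - 1. */
    uint64_t chunk_size = 0xffffffffffffffffULL;
    size32_t size = 0x40;
    printf("flawed check rejects: %d\n", flawed_check_rejects(chunk_size, size));
    printf("fixed check rejects:  %d\n", fixed_check_rejects(chunk_size, size));
    printf("allocation length:    0x%x\n", alloc_len(chunk_size, size));
    return 0;
}
```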

GoogleCodeExporter commented 9 years ago
This is a duplicate:
https://code.google.com/p/android/issues/detail?id=182559

Public now, unrestricting. 
http://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/

Original comment by natashe...@google.com on 13 Aug 2015 at 8:43

GoogleCodeExporter commented 9 years ago
Might as well unrestrict 182559 then...

Original comment by berendjanwever on 14 Aug 2015 at 3:43

GoogleCodeExporter commented 9 years ago
nice

Original comment by wangwei...@gmail.com on 26 Aug 2015 at 3:49

GoogleCodeExporter commented 9 years ago
Updating with a proof-of-concept exploit by Mark Brand. See the Project Zero 
blog for more details.

Original comment by haw...@google.com on 16 Sep 2015 at 6:30
