[libav-bugs] PoC_avconv_stackoverflow_aacsbr_171

yangmew at outlook.com yangmew at outlook.com
Tue Jul 21 13:17:50 CEST 2020


Hello,
I found a stack-buffer-overflow bug in libav/libavcodec/aacsbr.c.
Description:
There is a stack-buffer-overflow bug in the in_table_int16(const int16_t *table, int last_el, int16_t needle) function at libav/libavcodec/aacsbr.c line 171:13.
An attacker can exploit this bug to cause a Denial of Service (DoS) by submitting a malicious avi audio file.
This bug is caused by the dangerous use of the int16_t array table[], as follows:
    for (i = 0; i <= last_el; i++)
        if (table[i] == needle)
            return 1;
The variable table[i] is an int16_t array, but there is no security check before table is used (aacsbr.c line 171), which easily causes a stack overflow bug.
 
We used AddressSanitizer, instrumented in the avconv binary, and triggered this bug; the ASan output is as follows:
avconv version v13_dev0-1648-gc4642788e, Copyright (c) 2000-2018 the Libav developers
  built on Jul 12 2020 09:29:21 with clang version 10.0.0
Trailing options were found on the commandline.
[aac @ 0x61a000000080] Format detected only with low score of 1, misdetection possible!
[aac @ 0x619000002880] Expected to read 1 SBR bytes actually read 4.
[aac @ 0x619000002880] channel element 1.6 is not allocated
=================================================================
==100304==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd331e2bae at pc 0x000001bb80b2 bp 0x7ffd331e2b70 sp 0x7ffd331e2b68
READ of size 2 at 0x7ffd331e2bae thread T0
    #0 0x1bb80b1 in in_table_int16 /root/libav/libavcodec/aacsbr.c:171:13
    #1 0x1bb80b1 in sbr_make_f_tablelim /root/libav/libavcodec/aacsbr.c:207:18
    #2 0x1baa09c in sbr_make_f_derived /root/libav/libavcodec/aacsbr.c:605:5
    #3 0x1baa09c in sbr_reset /root/libav/libavcodec/aacsbr.c:1043:15
    #4 0x1baa09c in ff_decode_sbr_extension /root/libav/libavcodec/aacsbr.c:1089:9
    #5 0x1b74ee4 in decode_extension_payload /root/libav/libavcodec/aacdec.c:2239:15
    #6 0x1b74ee4 in aac_decode_frame_int /root/libav/libavcodec/aacdec.c:2917:28
    #7 0x1b66a43 in aac_decode_frame /root/libav/libavcodec/aacdec.c:3010:15
    #8 0xa695de in decode_simple_internal /root/libav/libavcodec/decode.c:336:15
    #9 0xa695de in decode_simple_receive_frame /root/libav/libavcodec/decode.c:387:15
    #10 0xa695de in decode_receive_frame_internal /root/libav/libavcodec/decode.c:405:15
    #11 0xa690b7 in avcodec_send_packet /root/libav/libavcodec/decode.c:466:15
    #12 0x84ff6d in try_decode_frame /root/libav/libavformat/utils.c:1950:19
    #13 0x849de1 in avformat_find_stream_info /root/libav/libavformat/utils.c:2459:9
    #14 0x4ee852 in open_input_file /root/libav/avtools/avconv_opt.c:821:11
    #15 0x4ed622 in open_files /root/libav/avtools/avconv_opt.c:2467:15
    #16 0x4ecff1 in avconv_parse_options /root/libav/avtools/avconv_opt.c:2504:11
    #17 0x51ae27 in main /root/libav/avtools/avconv.c:2953:11
    #18 0x7fd2d0d69b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #19 0x41c419 in _start (/root/libav/avconv+0x41c419)
Address 0x7ffd331e2bae is located in stack of thread T0 at offset 46 in frame
    #0 0x1bb757f in sbr_make_f_tablelim /root/libav/libavcodec/aacsbr.c:178
 
  This frame has 1 object(s):
    [32, 46) 'patch_borders' (line 185) <== Memory access at offset 46 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/libav/libavcodec/aacsbr.c:171:13 in in_table_int16
Shadow bytes around the buggy address:
  0x100026634520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026634530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026634540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026634550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026634560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100026634570: f1 f1 f1 f1 00[06]f3 f3 00 00 00 00 00 00 00 00
  0x100026634580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026634590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000266345a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000266345b0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x1000266345c0: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==100304==ABORTING

We could clearly observe this stack buffer overflow in the in_table_int16 function at 0x1bb80b1, and the variable table[] was overflowed.
Then, we used GDB to debug this bug; the GDB output:
 
gdb-peda$ b * 0x1bb80b1
Breakpoint 1 at 0x1bb80b1: file libavcodec/aacsbr.c, line 171.
gdb-peda$ r
Starting program: /root/libav/avconv -i hh -r 24
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
avconv version v13_dev0-1648-gc4642788e, Copyright (c) 2000-2018 the Libav developers
  built on Jul 12 2020 09:29:21 with clang version 10.0.0
Trailing options were found on the commandline.
[aac @ 0x61a000000080] Format detected only with low score of 1, misdetection possible!
[aac @ 0x619000002880] Expected to read 1 SBR bytes actually read 4.
[aac @ 0x619000002880] channel element 1.6 is not allocated
 
Program received signal SIGSEGV, Segmentation fault.
 
[----------------------------------registers-----------------------------------]
RAX: 0x6
RBX: 0x7fffffffbba0 --> 0x7fffffffbc70 --> 0x7fffffffbfd0 --> 0x7fffffffc4b0 --> 0x7fffffffc610 --> 0x7fffffffc790 (--> ...)
RCX: 0xffffbb07 --> 0x0
RDX: 0x1bb7af7 (<sbr_make_f_tablelim+1415>:    add    r14,0x2)
RSI: 0x220020 (' ')
RDI: 0x7fffffffbb8e --> 0xffffe8155dd0000
RBP: 0x7fffffffbc70 --> 0x7fffffffbfd0 --> 0x7fffffffc4b0 --> 0x7fffffffc610 --> 0x7fffffffc790 --> 0xc3200000515 (--> ...)
RSP: 0x7fffffffbb58 --> 0x1bb80b2 (<sbr_make_f_tablelim+2882>:    mov    rdi,r14)
RIP: 0xffffffffce4b6600
R8 : 0x29757
R9 : 0x1e
R10: 0x7ffff7fd1000 --> 0x7ffff7fe8000 --> 0x2e4ba58 --> 0x4b9e80 (<__sanitizer::ThreadContextBase::OnDead()>:    repz ret)
R11: 0xc3200000515 --> 0x0
R12: 0xc ('\x0c')
R13: 0x220019
R14: 0x7fffffffbb8e --> 0xffffe8155dd0000
R15: 0xb ('\x0b')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0xffffffffce4b6600
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffbb58 --> 0x1bb80b2 (<sbr_make_f_tablelim+2882>:    mov    rdi,r14)
0008| 0x7fffffffbb60 --> 0x41b58ab3
0016| 0x7fffffffbb68 --> 0x2aacc8e ("1 32 14 17 patch_borders:185")
0024| 0x7fffffffbb70 --> 0x1bb7570 (<sbr_make_f_tablelim>:    push   rbp)
0032| 0x7fffffffbb78 --> 0x7fffffffbdd0 --> 0x3000300030003
0040| 0x7fffffffbb80 --> 0x22001a0012000b
0048| 0x7fffffffbb88 --> 0x3a0032002a --> 0x0
0056| 0x7fffffffbb90 --> 0xffffe8155dd --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xffffffffce4b6600 in ?? ()
We confirmed there is a stack buffer overflow bug, which can be used to carry out a DoS attack.
 
You can reproduce this stack buffer overflow bug with the following step:
./avconv -i ./PoC_avconv_stackoverflow_aacsbr_171 -r 24
You can download this PoC at: https://github.com/yangjiageng/PoC/blob/master/PoC_avconv_stackoverflow_aacsbr_171


yangmew at outlook.com
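Added example (not code from the report or from libav): a minimal C model of the inclusive-bound lookup quoted in the report, beside a bounded variant that also receives the array capacity. The 7-entry table mirrors the 14-byte 'patch_borders' object ASan reported ([32, 46) is 7 int16_t); with last_el == 7 the original loop reads one element past the end, while the bounded variant refuses the call so the caller can reject the input. Function names, the capacity constant and the table contents are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

/* Capacity of the stack array in the ASan report: [32, 46) = 14 bytes = 7 int16_t. */
#define PATCH_BORDERS_CAP 7

/* The loop quoted in the report, behaviour kept as-is: last_el is an
 * inclusive upper index, so any last_el >= capacity reads past table[]. */
int in_table_int16_unchecked(const int16_t *table, int last_el, int16_t needle)
{
    int i;
    for (i = 0; i <= last_el; i++)
        if (table[i] == needle)
            return 1;
    return 0;
}

/* Bounded variant (hypothetical): the caller passes the array capacity.
 * Returns 1 if found, 0 if not found, and -1 when last_el would index past
 * the end, so the caller can treat the stream as corrupt instead of reading
 * beyond the stack object. */
int in_table_int16_bounded(const int16_t *table, size_t capacity,
                           int last_el, int16_t needle)
{
    if (last_el < 0)
        return 0;                 /* empty range: nothing to search */
    if ((size_t)last_el >= capacity)
        return -1;                /* would overflow: refuse rather than read */
    for (int i = 0; i <= last_el; i++)
        if (table[i] == needle)
            return 1;
    return 0;
}

/* Runs the bounded lookup on a constructed 7-entry border table (sample
 * values, not taken from any real stream). last_el == 6 is the last valid
 * index; last_el == 7 is the out-of-bounds case from the report. */
int demo_patch_borders(int last_el, int16_t needle)
{
    int16_t patch_borders[PATCH_BORDERS_CAP] = {3, 11, 18, 26, 34, 42, 50};
    return in_table_int16_bounded(patch_borders, PATCH_BORDERS_CAP, last_el, needle);
}

/* Same table, unchecked loop, restricted to in-bounds last_el so the demo
 * itself never performs the out-of-bounds read. */
int demo_patch_borders_unchecked_in_bounds(int last_el, int16_t needle)
{
    int16_t patch_borders[PATCH_BORDERS_CAP] = {3, 11, 18, 26, 34, 42, 50};
    if (last_el < 0 || last_el >= PATCH_BORDERS_CAP)
        return -2;                /* demo guard only; the real loop has no such check */
    return in_table_int16_unchecked(patch_borders, last_el, needle);
}
```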