Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102
In both of the following functions
mkvparser::AudioTrack::AudioTrack(mkvparser::Segment*, mkvparser::Track::Info const&,longlong,longlong)
mkvparser::VideoTrack::VideoTrack(mkvparser::Segment*, mkvparser::Track::Info const&,longlong,longlong)
During EBML node parsing the EBML element_size is used unvalidated to allocate a
stack buffer to store the element contents. Since calls to alloca simply compile
to a subtraction from the current stack pointer,for large sizes this can result
in memory corruption and potential remote-code-execution in the mediaserver
process.
Tested on an LG-G4 with the latest firmware available for my device; MRA58K.
See attached for crash samples and the original unmodified file.(audio_track.mkv)
Build fingerprint:'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision:'11'
ABI:'arm'
pid:16668, tid:16986, name: pd_session>>>/system/bin/mediaserver <<<
AM write failed: Broken pipe
signal 11(SIGSEGV), code 1(SEGV_MAPERR), fault addr 0x2e924108
r0 c01db33fr1 efd34940r2 0000022cr3 2e924118
r4 f1449d80r5 eeaff4d0r6 eeaff470r7 eeaff458
r8 f144f228r9 00000000sl 0000022cfp 00000000
ip 00000000sp 2e924108lr efd2afebpc efd2b2c0cpsr 800f0030
backtrace:#00 pc 000122c0/system/lib/liblg_parser_mkv.so (_ZN9mkvparser10AudioTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+123)#01 pc 0001247b/system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+222)#02 pc 00012635/system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)#03 pc 000128a9/system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)#04 pc 0000c821/system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)#05 pc 00009d01/system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)#06 pc 000271f9/system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)#07 pc 00022a85/system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)#08 pc 000c033b/system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)#09 pc 0005a209/system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)#10 pc 0005d1bf/system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)#11 pc 0005d471/system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)#12 pc 0000b309/system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)#13 pc 0000d2ef/system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)#14 pc 0000bd15/system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)#15 pc 000100d1/system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)#16 pc 0003f9ab/system/lib/libc.so (_ZL15__pthread_startPv+30)#17 pc 0001a0c5/system/lib/libc.so (__start_thread+6)(video_track.mkv)
pid:18217, tid:18508, name: pd_session>>>/system/bin/mediaserver <<<
signal 11(SIGSEGV), code 1(SEGV_MAPERR), fault addr 0x2ae64110
r0 c01db33fr1 efd5e940r2 000001bdr3 00000000
AM write failed: Broken pipe
r4 eb03f4d0r5 f1409b40r6 eb03f470r7 eb03f460
r8 f140f360r9 2ae64120sl c01db4fcfp 00000000
ip efd5ee80sp 2ae64110lr efd54febpc efd5517acpsr 800f0030
backtrace:#00 pc 0001217a/system/lib/liblg_parser_mkv.so (_ZN9mkvparser10VideoTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+113)#01 pc 00012449/system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+172)#02 pc 00012635/system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)#03 pc 000128a9/system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)#04 pc 0000c821/system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)#05 pc 00009d01/system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)#06 pc 000271f9/system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)#07 pc 00022a85/system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)#08 pc 000c033b/system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)#09 pc 0005a209/system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)#10 pc 0005d1bf/system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)#11 pc 0005d471/system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)#12 pc 0000b309/system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)#13 pc 0000d2ef/system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)#14 pc 0000bd15/system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)#15 pc 000100d1/system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)#16 pc 0003f9ab/system/lib/libc.so (_ZL15__pthread_startPv+30)#17 pc 0001a0c5/system/lib/libc.so (__start_thread+6)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41981.zip
