Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102
In both of the following functions:
mkvparser::AudioTrack::AudioTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long)
mkvparser::VideoTrack::VideoTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long)
During EBML node parsing, the EBML element_size is used without validation to allocate a
stack buffer that holds the element contents. Because a call to alloca simply compiles
to a subtraction from the current stack pointer, a large size taken from the file moves
the stack pointer out of the mapped stack (in the attached crashes the fault address
equals sp), which can result in memory corruption and potential remote code execution
in the mediaserver process.
Tested on an LG G4 with the latest firmware available for my device (MRA58K).
See the attached files for the crash samples and the original, unmodified file.
(audio_track.mkv)
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16668, tid: 16986, name: pd_session>>> /system/bin/mediaserver <<<
AM write failed: Broken pipe
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2e924108
r0 c01db33f  r1 efd34940  r2 0000022c  r3 2e924118
r4 f1449d80  r5 eeaff4d0  r6 eeaff470  r7 eeaff458
r8 f144f228  r9 00000000  sl 0000022c  fp 00000000
ip 00000000  sp 2e924108  lr efd2afeb  pc efd2b2c0  cpsr 800f0030
backtrace:
#00 pc 000122c0  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10AudioTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+123)
#01 pc 0001247b  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+222)
#02 pc 00012635  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)
#03 pc 000128a9  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)
#04 pc 0000c821  /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)
#05 pc 00009d01  /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)
#06 pc 000271f9  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#07 pc 00022a85  /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#08 pc 000c033b  /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#09 pc 0005a209  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)
#10 pc 0005d1bf  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)
#11 pc 0005d471  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)
#12 pc 0000b309  /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#13 pc 0000d2ef  /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#14 pc 0000bd15  /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#15 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#16 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
#17 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)
(video_track.mkv)
pid: 18217, tid: 18508, name: pd_session>>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2ae64110
r0 c01db33f  r1 efd5e940  r2 000001bd  r3 00000000
AM write failed: Broken pipe
r4 eb03f4d0  r5 f1409b40  r6 eb03f470  r7 eb03f460
r8 f140f360  r9 2ae64120  sl c01db4fc  fp 00000000
ip efd5ee80  sp 2ae64110  lr efd54feb  pc efd5517a  cpsr 800f0030
backtrace:
#00 pc 0001217a  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10VideoTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+113)
#01 pc 00012449  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+172)
#02 pc 00012635  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)
#03 pc 000128a9  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)
#04 pc 0000c821  /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)
#05 pc 00009d01  /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)
#06 pc 000271f9  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#07 pc 00022a85  /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#08 pc 000c033b  /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#09 pc 0005a209  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)
#10 pc 0005d1bf  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)
#11 pc 0005d471  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)
#12 pc 0000b309  /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#13 pc 0000d2ef  /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#14 pc 0000bd15  /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#15 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#16 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
#17 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41981.zip