Samsung Galaxy S6 – libQjpeg je_free Crash

  • Author: Google Security Research
    Date: 2016-02-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39424/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=617
    
    The attached JPEG causes an invalid pointer to be freed (in libc's je_free, reached from libQjpeg's WINKJ_DeleteDecoderInfo) when media scanning occurs.
    
    F/libc(11192): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xffffffffffffb0 in tid 14368 (HEAVY#7)
    I/DEBUG ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    I/DEBUG ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
    I/DEBUG ( 3021): Revision: '10'
    I/DEBUG ( 3021): ABI: 'arm64'
    I/DEBUG ( 3021): pid: 11192, tid: 14368, name: HEAVY#7  >>> com.samsung.dcm:DCMService <<<
    I/DEBUG ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xffffffffffffb0
    I/DEBUG ( 3021):     x0   0000000000000002  x1   0000007f89fa9758  x2   00000000003fffff  x3   0000000000000000
    I/DEBUG ( 3021):     x4   0000000000000000  x5   0000007f89f98000  x6   0000007f89fa9790  x7   0000000000000006
    I/DEBUG ( 3021):     x8   fffffffffffffffa  x9   ffffffffffffffee  x10  ffffffffffffff70  x11  0000007f7f000bb8
    I/DEBUG ( 3021):     x12  0000000000000014  x13  0000007f89f98000  x14  0000007f89fa5000  x15  0000004000000000
    I/DEBUG ( 3021):     x16  0000007f7eed6ba0  x17  0000007f89ef38fc  x18  0000007f89fa9830  x19  0000000000000002
    I/DEBUG ( 3021):     x20  000000000000001f  x21  0000007f89f98000  x22  00000000ffffffff  x23  0000007f7f0647f8
    I/DEBUG ( 3021):     x24  0000007f71809b10  x25  0000000000000010  x26  0000000000000080  x27  fffffffffffffffc
    I/DEBUG ( 3021):     x28  0000007f7edf9dd0  x29  0000007f7edf9b50  x30  0000007f89ef3914
    I/DEBUG ( 3021):     sp   0000007f7edf9b50  pc   0000007f89f53b24  pstate 0000000020000000
    I/DEBUG ( 3021): 
    I/DEBUG ( 3021): backtrace:
    I/DEBUG ( 3021):     #00 pc 0000000000079b24  /system/lib64/libc.so (je_free+92)
    I/DEBUG ( 3021):     #01 pc 0000000000019910  /system/lib64/libc.so (free+20)
    I/DEBUG ( 3021):     #02 pc 000000000003f8cc  /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+916)
    I/DEBUG ( 3021):     #03 pc 0000000000043890  /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2852)
    I/DEBUG ( 3021):     #04 pc 00000000000439b4  /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
    I/DEBUG ( 3021):     #05 pc 0000000000043af0  /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+284)
    I/DEBUG ( 3021):     #06 pc 0000000000045ddc  /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+440)
    I/DEBUG ( 3021):     #07 pc 00000000000a24c0  /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
    I/DEBUG ( 3021):     #08 pc 0000000000001b98  /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
    I/DEBUG ( 3021):     #09 pc 0000000000001418  /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
    
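    As an added triage example, not part of the original advisory: a small Python parser for the logcat/debuggerd tombstone format quoted above. It runs over a constructed sample assembled from the lines of this report, extracts the signal, the arm64 registers and the backtrace, and reports which library handed the bad pointer to free(). The function names parse_tombstone and triage, and the record layout they return, are this example's own.

```python
import re

# Constructed sample: the tombstone lines quoted in this advisory, trimmed to the
# signal line, a few register lines and the full backtrace.
SAMPLE_LOG = """\
F/libc(11192): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xffffffffffffb0 in tid 14368 (HEAVY#7)
I/DEBUG ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xffffffffffffb0
I/DEBUG ( 3021):     x0   0000000000000002  x1   0000007f89fa9758  x2   00000000003fffff  x3   0000000000000000
I/DEBUG ( 3021):     x8   fffffffffffffffa  x9   ffffffffffffffee  x10  ffffffffffffff70  x11  0000007f7f000bb8
I/DEBUG ( 3021):     sp   0000007f7edf9b50  pc   0000007f89f53b24  pstate 0000000020000000
I/DEBUG ( 3021):
I/DEBUG ( 3021): backtrace:
I/DEBUG ( 3021):     #00 pc 0000000000079b24  /system/lib64/libc.so (je_free+92)
I/DEBUG ( 3021):     #01 pc 0000000000019910  /system/lib64/libc.so (free+20)
I/DEBUG ( 3021):     #02 pc 000000000003f8cc  /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+916)
I/DEBUG ( 3021):     #03 pc 0000000000043890  /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2852)
I/DEBUG ( 3021):     #04 pc 00000000000439b4  /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG ( 3021):     #05 pc 0000000000043af0  /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+284)
I/DEBUG ( 3021):     #06 pc 0000000000045ddc  /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+440)
I/DEBUG ( 3021):     #07 pc 00000000000a24c0  /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG ( 3021):     #08 pc 0000000000001b98  /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG ( 3021):     #09 pc 0000000000001418  /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
"""

# "I/DEBUG ( 3021): " logcat prefix; stripped before the line is interpreted.
PREFIX = re.compile(r"^[A-Z]/DEBUG\s*\(\s*\d+\):\s?")
# debuggerd's signal line with both the numeric and symbolic si_code.
SIGNAL = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr 0x([0-9a-f]+)")
# One arm64 register (x0..x30, sp, pc, pstate) followed by its 64-bit value.
REG = re.compile(r"\b(x\d{1,2}|sp|pc|pstate)\s+([0-9a-f]{16})")
# One backtrace frame: index, pc, mapped object, optional (symbol+offset).
FRAME = re.compile(r"^\s*#(\d+) pc ([0-9a-f]+)\s+(\S+)(?: \((\S+?)\+(\d+)\))?")

def parse_tombstone(text):
    """Parse a logcat-style arm64 tombstone into signal info, registers and frames."""
    info = {"signal": None, "registers": {}, "frames": []}
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        m = SIGNAL.search(line)
        if m:
            info["signal"] = {
                "signo": int(m.group(1)), "name": m.group(2),
                "code": int(m.group(3)), "code_name": m.group(4),
                "fault_addr": int(m.group(5), 16),
            }
            continue
        m = FRAME.match(line)
        if m:
            info["frames"].append({
                "index": int(m.group(1)), "pc": int(m.group(2), 16),
                "library": m.group(3), "symbol": m.group(4),
                "offset": int(m.group(5)) if m.group(5) else None,
            })
            continue
        for name, value in REG.findall(line):
            info["registers"][name] = int(value, 16)
    return info

def triage(info):
    """Classify the crash: was it inside the allocator's free path, and which
    non-libc frame (the likely origin of the bad pointer) called into it?"""
    frames = info["frames"]
    top = frames[0] if frames else None
    in_free = bool(top) and top["library"].endswith("libc.so") and "free" in (top["symbol"] or "")
    origin = next((f for f in frames if not f["library"].endswith("libc.so")), None)
    sig = info["signal"] or {}
    unmapped = sig.get("code_name") == "SEGV_MAPERR"
    result = {
        "unmapped_access": unmapped,
        "crash_in_free": in_free,
        "origin_library": origin["library"].rsplit("/", 1)[-1] if origin else None,
        "origin_symbol": origin["symbol"] if origin else None,
    }
    if unmapped and in_free and origin:
        result["verdict"] = "invalid pointer passed to free() from %s in %s" % (
            result["origin_symbol"], result["origin_library"])
    else:
        result["verdict"] = "unclassified"
    return result

if __name__ == "__main__":
    parsed = parse_tombstone(SAMPLE_LOG)
    print("fault addr 0x%x, pc 0x%x" % (parsed["signal"]["fault_addr"], parsed["registers"]["pc"]))
    print(triage(parsed)["verdict"])
```

    The verdict is deliberately conservative: a top frame in libc's free path plus SEGV_MAPERR only tells you the pointer was not mapped, not how it became invalid; the origin frame is where the source-level investigation starts.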
    To reproduce, download the image file and wait, or trigger media scanning by calling:
    
    adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39424.zip