LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking

2017-06-13 22:05:02

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222

There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check
that the size of the copy is smaller than the size of the source buffer,
resulting in an out-of-bounds heap read.

The vulnerable code appears to be in handling the parsing of an extension object of
type ASF_Metadata_Object with a Description Record with an overly large length.

See attached for a crash poc. This issue probably allows leaking mediaserver
memory from an app process on the device via the retrieved metadata.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 10423, tid: 10533, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf05c0000
r0 ef5aff40 r1 f05bfff5 r2 00f5007f r3 00000000
r4 f050b280 r5 f0510000 r6 00ffffff r7 00000000
r8 000000b5 r9 00000034 sl 00000000 fp f05455a0
ip f05e2e1c sp f06f35c8 lr f05d8c9d pc f71d77b4 cpsr 200b0010

backtrace:
#00 pc 000177b4 /system/lib/libc.so (__memcpy_base+88)
#01 pc 00003c99 /system/lib/liblg_parser_asf.so (_ZN9ASFParser27ParseHeaderExtensionObjectsEv+436)
#02 pc 00006a87 /system/lib/liblg_parser_asf.so (_ZN9ASFParser6OpenExEP11IDataSourcei+50)
#03 pc 00024a93 /system/lib/libLGParserOSAL.so (_ZN7android12ASFExtractorC1ERKNS_2spINS_10DataSourceEEERKNS1_INS_8AMessageEEE+270)
#04 pc 00022aa9 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+104)
#05 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#06 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#07 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#08 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#09 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#10 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#11 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#12 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#13 pc 00023909 /system/lib/libbinder.so
#14 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#15 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#16 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42171.zip

Fixes

No fixes

In order to submit a new fix you need to be registered.