Context Navigation

#1206 closed defect (fixed)

Controlled EDX in avformat

Reported by:	John Villamil	Owned by:
Priority:	important	Component:	avformat
Version:	git-master	Keywords:	crash SIGSEGV mkv
Cc:		Blocked By:
Blocking:		Reproduced by developer:	yes
Analyzed by developer:	no

Description

An attacker can control the value in EDX. Whether this issue is exploitable is not clear. I did not take a close look at any of these issues, but it looks pretty dangerous nonetheless.

(5d3c.3f14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avformat-54.dll -
avformat_54!avio_rb16+0x15:
699183f5 0fb632 movzx esi,byte ptr [edx] ds:002b:00000016=??
0:002:x86> $<dbgcomm.txt
0:002:x86> !load winext\msec.dll
0:002:x86> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at avformat_54!avio_rb16+0x0000000000000015 (Hash=0x676f5b27.0x64114365)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:002:x86> q
quit:

Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/

A PoC file:
http://w.rdtsc.net/ffmpegmkv/Unknown/WhatsUpWithEdx.zip

Thanks,
John Villamil

Change History (2)

comment:1 by Carl Eugen Hoyos, 12 years ago

Component:	undetermined → avformat
Keywords:	crash SIGSEGV mkv added
Priority:	normal → important
Reproduced by developer:	set
Status:	new → open
Version:	unspecified → git-master

(gdb) r -i 243391nosound.mkvtest107.mkv -f null -
Starting program: ffmpeg_g -i 243391nosound.mkvtest107.mkv -f null -
[Thread debugging using libthread_db enabled]
[New Thread 0xb7b6b6c0 (LWP 11511)]
ffmpeg version N-39787-gcca9528 Copyright (c) 2000-2012 the FFmpeg developers
  built on Apr 14 2012 08:48:33 with gcc 4.3.2
  configuration: --cc=/usr/local/gcc-4.3.2/bin/gcc --enable-gpl
  libavutil      51. 46.100 / 51. 46.100
  libavcodec     54. 14.101 / 54. 14.101
  libavformat    54.  3.100 / 54.  3.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 69.101 /  2. 69.101
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[matroska,webm @ 0x8ee3380] Unknown entry 0x233100
[matroska,webm @ 0x8ee3380] Read error
[matroska,webm @ 0x8ee3380] Unknown entry 0x82
    Last message repeated 1 times
[matroska,webm @ 0x8ee3380] Unknown entry 0x84
    Last message repeated 1 times
[matroska,webm @ 0x8ee3380] Unknown entry 0x233100
[matroska,webm @ 0x8ee3380] Read error

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7b6b6c0 (LWP 11511)]
avio_rb16 (s=0xbfd45c88) at libavformat/aviobuf.c:459
459             return *s->buf_ptr++;
(gdb) bt
#0  avio_rb16 (s=0xbfd45c88) at libavformat/aviobuf.c:459
#1  0x08105dc5 in matroska_read_header (s=0x8ee3380) at libavformat/matroskadec.c:1590
#2  0x0818f066 in avformat_open_input (ps=0xbfd45ed4, filename=0xbfd48269 "243391nosound.mkvtest107.mkv",
    fmt=0x0, options=0x8e1fcec) at libavformat/utils.c:634
#3  0x080545db in opt_input_file (o=0xbfd45fd0, opt=0xbfd48267 "i",
    filename=0xbfd48269 "243391nosound.mkvtest107.mkv") at ffmpeg.c:3777
#4  0x0805f9d2 in parse_option (optctx=0xbfd45fd0, opt=0xbfd48267 "i",
    arg=0xbfd48269 "243391nosound.mkvtest107.mkv", options=0x87d96e0) at cmdutils.c:303
#5  0x0805fd63 in parse_options (optctx=0xbfd45fd0, argc=6, argv=0xbfd46204, options=0x87d96e0,
    parse_arg_function=0x805a580 <opt_output_file>) at cmdutils.c:336
#6  0x08059806 in main (argc=6, argv=0xbfd46204) at ffmpeg.c:5255
(gdb) disass $pc-28 $pc+32
Dump of assembler code from 0x80d9a8b to 0x80d9ac7:
0x080d9a8b:     mov    $0x0,%edi
0x080d9a90 <avio_rb16+0>:       sub    $0xc,%esp
0x080d9a93 <avio_rb16+3>:       mov    %esi,0x8(%esp)
0x080d9a97 <avio_rb16+7>:       mov    0x10(%esp),%esi
0x080d9a9b <avio_rb16+11>:      mov    %ebx,0x4(%esp)
0x080d9a9f <avio_rb16+15>:      mov    0xc(%esi),%eax
0x080d9aa2 <avio_rb16+18>:      cmp    0x10(%esi),%eax
0x080d9aa5 <avio_rb16+21>:      jae    0x80d9ad8 <avio_rb16+72>
0x080d9aa7 <avio_rb16+23>:      movzbl (%eax),%ebx
0x080d9aaa <avio_rb16+26>:      add    $0x1,%eax
0x080d9aad <avio_rb16+29>:      mov    %eax,0xc(%esi)
0x080d9ab0 <avio_rb16+32>:      shl    $0x8,%ebx
0x080d9ab3 <avio_rb16+35>:      cmp    0x10(%esi),%eax
0x080d9ab6 <avio_rb16+38>:      jae    0x80d9ae9 <avio_rb16+89>
0x080d9ab8 <avio_rb16+40>:      movzbl (%eax),%edx
0x080d9abb <avio_rb16+43>:      add    $0x1,%eax
0x080d9abe <avio_rb16+46>:      mov    %eax,0xc(%esi)
0x080d9ac1 <avio_rb16+49>:      mov    0x8(%esp),%esi
0x080d9ac5 <avio_rb16+53>:      or     %edx,%ebx
(gdb) info register
eax            0x16     22
ecx            0x2e7261 3043937
edx            0x0      0
ebx            0xbfd45c88       -1076601720
esp            0xbfd45bc0       0xbfd45bc0
ebp            0x8ee4340        0x8ee4340
esi            0xbfd45c88       -1076601720
edi            0x15000  86016
eip            0x80d9aa7        0x80d9aa7 <avio_rb16+23>
eflags         0x10283  [ CF SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

comment:2 by Michael Niedermayer, 12 years ago

Resolution:	→ fixed
Status:	open → closed

Fixed locally
will be in my next git push

Thanks

Note: See TracTickets for help on using tickets.

Download in other formats: