Opened 2 years ago

Closed 2 years ago

#8717 closed defect (duplicate)

Heap buffer overflow in crash_dnn_execute_layer_pad

Reported by: Assaf Sion
Owned by:
Priority: important
Component: avfilter
Version: git-master
Keywords: dnn crash SIGSEGV
Cc: assafsion@gmaiil.com
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

In dnn_backend_native_layer_pad.c, the call to dnn_execute_layer_pad could cause a heap buffer overflow, caused by a missing check of the variable input_operand_index while accessing operands and setting the dimensions. This could cause a write/read buffer overflow and may be used as a primitive to leak addresses or sensitive memory and edit them.
I compiled ffmpeg on Ubuntu 18.04 with the following configuration:
configuration: --cc=clang --extra-cflags='-O0 -g3 -fsanitize=address -Wno-error -fPIC' --extra-ldflags='-O0 -g3 -fsanitize=address -Wno-error -fPIC' --enable-debug --disable-asm --disable-optimizations --disable-shared --enable-libopenjpeg --enable-gpl --enable-libass --enable-libfdk-aac --enable-libmp3lame --enable-libopus --enable-libtheora --enable-libvorbis --enable-libvpx --enable-libx264 --enable-nonfree

The bug could be reproduced while running the following command line:
ffmpeg -v debug -i 10.jpg -vf format=rgb24,sr=dnn_backend=native:model=crash_dnn_execute_layer_pad_2 derain.jpg
The output after running the command:
ffmpeg version N-97806-gf603d10b1e Copyright (c) 2000-2020 the FFmpeg developers

built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --extra-cflags='-O0 -g3 -fsanitize=address -Wno-error -fPIC' --extra-ldflags='-O0 -g3 -fsanitize=address -Wno-error -fPIC' --enable-debug --disable-asm --disable-optimizations --disable-shared --enable-libopenjpeg --enable-gpl --enable-libass --enable-libfdk-aac --enable-libmp3lame --enable-libopus --enable-libtheora --enable-libvorbis --enable-libvpx --enable-libx264 --enable-nonfree
libavutil 56. 45.100 / 56. 45.100
libavcodec 58. 84.100 / 58. 84.100
libavformat 58. 43.100 / 58. 43.100
libavdevice 58. 9.103 / 58. 9.103
libavfilter 7. 81.100 / 7. 81.100
libswscale 5. 6.101 / 5. 6.101
libswresample 3. 6.100 / 3. 6.100
libpostproc 55. 6.100 / 55. 6.100

Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument 'debug'.
Reading option '-i' ... matched as input url with argument '10.jpg'.
Reading option '-vf' ... matched as option 'vf' (set video filters) with argument 'format=rgb24,sr=dnn_backend=native:model=crash_dnn_execute_layer_pad_2'.
Reading option 'derain.jpg' ... matched as output url.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument debug.
Successfully parsed a group of options.
Parsing a group of options: input url 10.jpg.
Successfully parsed a group of options.
Opening an input file: 10.jpg.
[NULL @ 0x61b000000080] Opening '10.jpg' for reading
[file @ 0x60c000000040] Setting default whitelist 'file,crypto,data'
[image2 @ 0x61b000000080] Format image2 probed with size=2048 and score=50
[image2 @ 0x61b000000080] Before avformat_find_stream_info() pos: 0 bytes read:18522 seeks:0 nb_streams:1
[mjpeg @ 0x619000000580] marker=d8 avail_size_in_buf=18520
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] marker=e0 avail_size_in_buf=18518
[mjpeg @ 0x619000000580] marker parser used 16 bytes (128 bits)
[mjpeg @ 0x619000000580] marker=e1 avail_size_in_buf=18500
[mjpeg @ 0x619000000580] marker parser used 12833 bytes (102664 bits)
[mjpeg @ 0x619000000580] marker=db avail_size_in_buf=5664
[mjpeg @ 0x619000000580] index=0
[mjpeg @ 0x619000000580] qscale[0]: 2
[mjpeg @ 0x619000000580] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x619000000580] marker=db avail_size_in_buf=5595
[mjpeg @ 0x619000000580] index=1
[mjpeg @ 0x619000000580] qscale[1]: 8
[mjpeg @ 0x619000000580] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x619000000580] marker=c0 avail_size_in_buf=5526
[mjpeg @ 0x619000000580] Changing bps from 0 to 8
[mjpeg @ 0x619000000580] sof0: picture: 432x173
[mjpeg @ 0x619000000580] component 0 1:1 id: 0 quant:0
[mjpeg @ 0x619000000580] component 1 1:1 id: 1 quant:1
[mjpeg @ 0x619000000580] component 2 1:1 id: 2 quant:1
[mjpeg @ 0x619000000580] pix fmt id 11111100
[mjpeg @ 0x619000000580] Format yuvj444p chosen by get_format().
[mjpeg @ 0x619000000580] marker parser used 17 bytes (136 bits)
[mjpeg @ 0x619000000580] marker=c4 avail_size_in_buf=5507
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] marker=c4 avail_size_in_buf=5478
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] marker=c4 avail_size_in_buf=5420
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] marker=c4 avail_size_in_buf=5393
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] escaping removed 16 bytes
[mjpeg @ 0x619000000580] marker=da avail_size_in_buf=5360
[mjpeg @ 0x619000000580] marker parser used 5344 bytes (42752 bits)
[mjpeg @ 0x619000000580] marker=d9 avail_size_in_buf=0
[mjpeg @ 0x619000000580] decode frame unused 0 bytes
[image2 @ 0x61b000000080] After avformat_find_stream_info() pos: 18522 bytes read:18522 seeks:0 frames:1
Input #0, image2, from '10.jpg':

Duration: 00:00:00.04, start: 0.000000, bitrate: 3704 kb/s

Stream #0:0, 1, 1/25: Video: mjpeg (Baseline), 1 reference frame, yuvj444p(pc, bt470bg/unknown/unknown, center), 432x173 [SAR 96:96 DAR 432:173], 0/1, 25 tbr, 25 tbn, 25 tbc

Successfully opened the file.
Parsing a group of options: output url derain.jpg.
Applying option vf (set video filters) with argument format=rgb24,sr=dnn_backend=native:model=crash_dnn_execute_layer_pad_2.
Successfully parsed a group of options.
Opening an output file: derain.jpg.
Successfully opened the file.
Stream mapping:

Stream #0:0 -> #0:0 (mjpeg (native) -> mjpeg (native))

Press [q] to stop, ? for help
cur_dts is invalid st:0 (0) [init:0 i_done:0 finish:0] (this is harmless if it occurs once at the start per stream)
[mjpeg @ 0x619000000a80] marker=d8 avail_size_in_buf=18520
[mjpeg @ 0x619000000a80] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000a80] marker=e0 avail_size_in_buf=18518
[mjpeg @ 0x619000000a80] marker parser used 16 bytes (128 bits)
[mjpeg @ 0x619000000a80] marker=e1 avail_size_in_buf=18500
[mjpeg @ 0x619000000a80] marker parser used 12833 bytes (102664 bits)
[mjpeg @ 0x619000000a80] marker=db avail_size_in_buf=5664
[mjpeg @ 0x619000000a80] index=0
[mjpeg @ 0x619000000a80] qscale[0]: 2
[mjpeg @ 0x619000000a80] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x619000000a80] marker=db avail_size_in_buf=5595
[mjpeg @ 0x619000000a80] index=1
[mjpeg @ 0x619000000a80] qscale[1]: 8
[mjpeg @ 0x619000000a80] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x619000000a80] marker=c0 avail_size_in_buf=5526
[mjpeg @ 0x619000000a80] sof0: picture: 432x173
[mjpeg @ 0x619000000a80] component 0 1:1 id: 0 quant:0
[mjpeg @ 0x619000000a80] component 1 1:1 id: 1 quant:1
[mjpeg @ 0x619000000a80] component 2 1:1 id: 2 quant:1
[mjpeg @ 0x619000000a80] pix fmt id 11111100
[mjpeg @ 0x619000000a80] Format yuvj444p chosen by get_format().
[mjpeg @ 0x619000000a80] marker parser used 17 bytes (136 bits)
[mjpeg @ 0x619000000a80] marker=c4 avail_size_in_buf=5507
[mjpeg @ 0x619000000a80] class=0 index=0 nb_codes=8
[mjpeg @ 0x619000000a80] marker parser used 27 bytes (216 bits)
[mjpeg @ 0x619000000a80] marker=c4 avail_size_in_buf=5478
[mjpeg @ 0x619000000a80] class=1 index=0 nb_codes=226
[mjpeg @ 0x619000000a80] marker parser used 56 bytes (448 bits)
[mjpeg @ 0x619000000a80] marker=c4 avail_size_in_buf=5420
[mjpeg @ 0x619000000a80] class=0 index=1 nb_codes=6
[mjpeg @ 0x619000000a80] marker parser used 25 bytes (200 bits)
[mjpeg @ 0x619000000a80] marker=c4 avail_size_in_buf=5393
[mjpeg @ 0x619000000a80] class=1 index=1 nb_codes=82
[mjpeg @ 0x619000000a80] marker parser used 31 bytes (248 bits)
[mjpeg @ 0x619000000a80] escaping removed 16 bytes
[mjpeg @ 0x619000000a80] marker=da avail_size_in_buf=5360
[mjpeg @ 0x619000000a80] component: 0
[mjpeg @ 0x619000000a80] component: 1
[mjpeg @ 0x619000000a80] component: 2
[mjpeg @ 0x619000000a80] marker parser used 5343 bytes (42742 bits)
[mjpeg @ 0x619000000a80] marker=d9 avail_size_in_buf=0
[mjpeg @ 0x619000000a80] decode frame unused 0 bytes
detected 32 logical cores
[Parsed_format_0 @ 0x610000000040] Setting 'pix_fmts' to value 'rgb24'
[Parsed_sr_1 @ 0x610000000140] Setting 'dnn_backend' to value 'native'
[Parsed_sr_1 @ 0x610000000140] Setting 'model' to value 'crash_dnn_execute_layer_pad_2'
[file @ 0x60d000000040] Setting default whitelist 'file,crypto,data'
[AVIOContext @ 0x6120000001c0] Statistics: 145 bytes read, 0 seeks
[graph 0 input from stream 0:0 @ 0x610000000240] Setting 'video_size' to value '432x173'
[graph 0 input from stream 0:0 @ 0x610000000240] Setting 'pix_fmt' to value '14'
[graph 0 input from stream 0:0 @ 0x610000000240] Setting 'time_base' to value '1/25'
[graph 0 input from stream 0:0 @ 0x610000000240] Setting 'pixel_aspect' to value '96/96'
[graph 0 input from stream 0:0 @ 0x610000000240] Setting 'frame_rate' to value '25/1'
[graph 0 input from stream 0:0 @ 0x610000000240] w:432 h:173 pixfmt:yuvj444p tb:1/25 fr:25/1 sar:96/96
[format @ 0x610000000440] Setting 'pix_fmts' to value 'yuvj420p|yuvj422p|yuvj444p'
[auto_scaler_0 @ 0x610000001d40] Setting 'flags' to value 'bicubic'
[auto_scaler_0 @ 0x610000001d40] w:iw h:ih flags:'bicubic' interl:0
[Parsed_format_0 @ 0x610000000040] auto-inserting filter 'auto_scaler_0' between the filter 'graph 0 input from stream 0:0' and the filter 'Parsed_format_0'
[auto_scaler_1 @ 0x610000002a40] Setting 'flags' to value 'bicubic'
[auto_scaler_1 @ 0x610000002a40] w:iw h:ih flags:'bicubic' interl:0
[Parsed_sr_1 @ 0x610000000140] auto-inserting filter 'auto_scaler_1' between the filter 'Parsed_format_0' and the filter 'Parsed_sr_1'
[auto_scaler_2 @ 0x610000003740] Setting 'flags' to value 'bicubic'
[auto_scaler_2 @ 0x610000003740] w:iw h:ih flags:'bicubic' interl:0
[format @ 0x610000000440] auto-inserting filter 'auto_scaler_2' between the filter 'Parsed_sr_1' and the filter 'format'
[AVFilterGraph @ 0x6090000006e0] query_formats: 5 queried, 1 merged, 3 already done, 0 delayed
[auto_scaler_1 @ 0x610000002a40] picking yuv444p out of 6 ref:rgb24 alpha:0
[auto_scaler_2 @ 0x610000003740] picking yuvj444p out of 3 ref:yuv444p alpha:0
[swscaler @ 0x62f000000400] deprecated pixel format used, make sure you did set range correctly
[swscaler @ 0x62f000000400] Forcing full internal H chroma due to input having non subsampled chroma
[auto_scaler_0 @ 0x610000001d40] w:432 h:173 fmt:yuvj444p sar:96/96 -> w:432 h:173 fmt:rgb24 sar:1/1 flags:0x4
[auto_scaler_1 @ 0x610000002a40] w:432 h:173 fmt:rgb24 sar:1/1 -> w:432 h:173 fmt:yuv444p sar:1/1 flags:0x4
=================================================================
==95694==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130000040e0 at pc 0x000001317bb2 bp 0x7fffffff6b00 sp 0x7fffffff6af8
READ of size 4 at 0x6130000040e0 thread T0

#0 0x1317bb1 in dnn_execute_layer_pad /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/dnn/dnn_backend_native_layer_pad.c:84:18
#1 0x130f6ee in ff_dnn_execute_model_native /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/dnn/dnn_backend_native.c:276:9
#2 0xe5a10f in config_props /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/vf_sr.c:133:14
#3 0x6c1d38 in avfilter_config_links /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfilter.c:369:28
#4 0x6c08bd in avfilter_config_links /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfilter.c:307:24
#5 0x6c08bd in avfilter_config_links /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfilter.c:307:24
#6 0x6c08bd in avfilter_config_links /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfilter.c:307:24
#7 0x6d1dbc in graph_config_links /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfiltergraph.c:261:24
#8 0x6d0bb6 in avfilter_graph_config /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfiltergraph.c:1279:16
#9 0x568e88 in configure_filtergraph /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg_filter.c:1106:16
#10 0x5d66a3 in ifilter_send_frame /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2166:15
#11 0x5d5669 in send_frame_to_filters /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2247:15
#12 0x5d0f2b in decode_video /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2446:11
#13 0x59ba41 in process_input_packet /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2600:19
#14 0x5be936 in process_input /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4491:5
#15 0x597af6 in transcode_step /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4611:11
#16 0x590da5 in transcode /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4665:15
#17 0x58efda in main /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4866:9
#18 0x7ffff2cb9b96 in libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#19 0x423839 in _start (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg_g+0x423839)

0x6130000040e0 is located 32 bytes to the left of 352-byte region [0x613000004100,0x613000004260)
allocated by thread T0 here:

#0 0x4e4328 in posix_memalign (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg_g+0x4e4328)
#1 0x4a3fdb8 in av_malloc /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavutil/mem.c:87:9
#2 0x4a40a24 in av_mallocz /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavutil/mem.c:241:17
#3 0x6be731 in avfilter_link /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfilter.c:156:12
#4 0x564ec6 in configure_output_video_filter /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg_filter.c:542:16
#5 0x563510 in configure_output_filter /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg_filter.c:684:37
#6 0x568dda in configure_filtergraph /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg_filter.c:1103:9
#7 0x5d66a3 in ifilter_send_frame /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2166:15
#8 0x5d5669 in send_frame_to_filters /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2247:15
#9 0x5d0f2b in decode_video /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2446:11
#10 0x59ba41 in process_input_packet /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2600:19
#11 0x5be936 in process_input /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4491:5
#12 0x597af6 in transcode_step /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4611:11
#13 0x590da5 in transcode /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4665:15
#14 0x58efda in main /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4866:9
#15 0x7ffff2cb9b96 in libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/dnn/dnn_backend_native_layer_pad.c:84:18 in dnn_execute_layer_pad
Shadow bytes around the buggy address:

0x0c267fff87c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff87d0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c267fff87e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c267fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0c267fff8810: 00 00 00 00 fa fa fa fa fa fa fa fa[fa]fa fa fa

0x0c267fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8840: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c267fff8850: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c267fff8860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb

==95694==ABORTING
[1] + Done "/usr/bin/gdb" --interpreter=mi --tty=${DbgTerm} 0<"/tmp/Microsoft-MIEngine-In-j4a31k15.558" 1>"/tmp/Microsoft-MIEngine-Out-76pid8cq.9fv"
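The report above boils down to one missing bounds check: an operand index read from the model file is used to address the operand table before anyone verifies it lies inside that table. The following is an added example written for this page, not FFmpeg's code and not the fix in the commit referenced in comment 2; the types Operand and PadLayerParams, the eight-byte record layout, and the functions parse_pad_params, validate_operand_indices, pad_layer_set_dims, load_pad_layer and try_record are all constructed for illustration. It shows the check a loader needs before indexing with a file-supplied value, and why both directions (negative and too large) must be rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for an operand table entry and a pad layer's
 * parameters. These are NOT FFmpeg's DnnOperand / LayerPadParams types. */
typedef struct {
    int32_t dims[4];   /* N, H, W, C */
    float  *data;
} Operand;

typedef struct {
    int32_t input_operand_index;   /* read from the model file: untrusted */
    int32_t output_operand_index;  /* read from the model file: untrusted */
} PadLayerParams;

static int32_t read_le32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

static void write_le32(uint8_t *p, int32_t val)
{
    uint32_t v = (uint32_t)val;
    p[0] = v & 0xff;  p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;  p[3] = (v >> 24) & 0xff;
}

/* Parse a pad-layer record (constructed layout: two little-endian int32s).
 * Returns 0, or -1 if the record is truncated. */
int parse_pad_params(const uint8_t *buf, size_t len, PadLayerParams *out)
{
    if (buf == NULL || len < 8)
        return -1;
    out->input_operand_index  = read_le32(buf);
    out->output_operand_index = read_le32(buf + 4);
    return 0;
}

/* The check the report says is missing: both indices must lie in
 * [0, nb_operands) before they are used to address operands[]. A negative
 * value would read before the array (ASan reports such an access as an
 * address to the left of the region); a too-large one reads past its end. */
int validate_operand_indices(const PadLayerParams *p, int32_t nb_operands)
{
    if (nb_operands <= 0)
        return -1;
    if (p->input_operand_index < 0 || p->input_operand_index >= nb_operands)
        return -1;
    if (p->output_operand_index < 0 || p->output_operand_index >= nb_operands)
        return -1;
    return 0;
}

/* Hardened dimension setup: the operand table is touched only after the
 * indices pass validation. The padding arithmetic itself is omitted; the
 * output operand simply inherits the input dims here. Returns 0 or -1. */
int pad_layer_set_dims(Operand *operands, int32_t nb_operands,
                       const PadLayerParams *p)
{
    if (validate_operand_indices(p, nb_operands) < 0)
        return -1;
    const Operand *in  = &operands[p->input_operand_index];
    Operand       *out = &operands[p->output_operand_index];
    memmove(out->dims, in->dims, sizeof(out->dims));
    return 0;
}

/* Parse a record and apply it to an operand table: 0 if accepted, -1 if the
 * record was truncated or carried an out-of-range operand index. */
int load_pad_layer(const uint8_t *buf, size_t len,
                   Operand *operands, int32_t nb_operands)
{
    PadLayerParams p;
    if (parse_pad_params(buf, len, &p) < 0)
        return -1;
    return pad_layer_set_dims(operands, nb_operands, &p);
}

/* Self-check on a constructed two-operand table (a 432x173 RGB input).
 * Returns -1 if the record is rejected, otherwise operand 1's width. */
int try_record(int32_t in_idx, int32_t out_idx)
{
    Operand ops[2] = { { {1, 173, 432, 3}, NULL }, { {0, 0, 0, 0}, NULL } };
    uint8_t rec[8];
    write_le32(rec, in_idx);
    write_le32(rec + 4, out_idx);
    if (load_pad_layer(rec, sizeof rec, ops, 2) < 0)
        return -1;
    return ops[1].dims[2];
}

int main(void)
{
    printf("valid record (0 -> 1): %d\n", try_record(0, 1));   /* 432 */
    printf("negative index (-8):   %d\n", try_record(-8, 1));  /* -1 */
    printf("index past end (2):    %d\n", try_record(2, 1));   /* -1 */
    return 0;
}
```

The point of keeping the index signed and comparing against both bounds is that a model file is just bytes: a 32-bit field can hold any value, and an unsigned-only or upper-bound-only comparison leaves one side of the table unprotected. Under ASan, a build like the one in the report turns either miss into the heap-buffer-overflow shown above; in a release build the same read would silently return whatever memory sits next to the operand table.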

Attachments (2)

crash_dnn_execute_layer_pad_2 (145 bytes ) - added by Assaf Sion 2 years ago.
10.jpg (18.1 KB ) - added by Assaf Sion 2 years ago.


Change History (4)

by Assaf Sion, 2 years ago

by Assaf Sion, 2 years ago

Attachment: 10.jpg added

comment:1 by Carl Eugen Hoyos, 2 years ago

Keywords: dnn crash SIGSEGV added
Priority: critical → important
Reproduced by developer: set
Status: new → open

comment:2 by Carl Eugen Hoyos, 2 years ago

Resolution: duplicate
Status: open → closed

This was apparently a duplicate of ticket #8716, fixed by Guo Yejun in 0b3bd001ac1745d9d008a2d195817df57d7d1d14
