Exploit LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
41982
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
ANDROID
CVE
N/A
Дата публикации
2017-05-09
LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers
Код:
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117

Failure to initialise pointers in mkvparser::Tracks constructor

The constructor mkvparser::Tracks::Tracks() doesn't handle parsing failures correctly.

If we look at the function, it makes allocations in two places; the first where it allocates a temporary array, and the second, where we make the allocation of an array of Track* which we will store in the Tracks object. Note that there is no path in the function which can free the second allocation; if the parsing of the Track object fails in the subsequent code these pointers are left uninitialised.

Subsequent code will then dereference and use the uninitialised pointers. The results of this obviously depend on the state of the heap prior to parsing of the testcase - a commonly occuring crash where a vtable pointer has been read through the bad pointer during destruction of the Tracks object.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 31956, tid: 31904, name: NuPlayerDriver   >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf62c9880
    r0 eee45000  r1 f62e4b60  r2 f62c9880  r3 eb1c08a0
AM write failed: Broken pipe
    r4 f1859da0  r5 f15ce05c  r6 f15ce060  r7 f62c9880
    r8 fffdfc60  r9 efc3f5f4  sl 6175644e  fp f6f50c11
    ip eb1c0d18  sp efc3f4c0  lr eb1b19b5  pc f62c9880  cpsr a00f0010

backtrace:
    #00 pc 00049880  [anon:libc_malloc]
    #01 pc 0000c9b3  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD1Ev+34)
    #02 pc 0000c9cd  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD0Ev+4)
    #03 pc 0001150d  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7SegmentD1Ev+60)
    #04 pc 0000b015  /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorD1Ev+10)
    #05 pc 00009449  /system/lib/liblg_parser_mkv.so (_ZN9MKVParser5CloseEv+24)
    #06 pc 0002739b  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+38)
    #07 pc 00027425  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
    #08 pc 0000e753  /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
    #09 pc 00027481  /system/lib/libLGParserOSAL.so
    #10 pc 000274d9  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractor11LGMKVSourceD0Ev+4)
    #11 pc 0000e753  /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
    #12 pc 000329bd  /system/lib/liblgesourceplugin.so (_ZN7android2spINS_3lge20StreamingBufferQueueEED1Ev+18)
    #13 pc 0005997d  /system/lib/liblgesourceplugin.so (_ZNK7android6VectorINS_2spINS_11MediaSourceEEEE10do_destroyEPvj+12)
    #14 pc 00010b6d  /system/lib/libutils.so (_ZN7android10VectorImpl15release_storageEv+28)
    #15 pc 00010bd9  /system/lib/libutils.so (_ZN7android10VectorImpl13finish_vectorEv+4)
    #16 pc 00058cb7  /system/lib/liblgesourceplugin.so
    #17 pc 0005a695  /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD1Ev+292)
    #18 pc 0005a6d9  /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD0Ev+4)
    #19 pc 0000e753  /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
    #20 pc 00057f69  /system/lib/liblgesourceplugin.so (_ZN7android12HTTPPDSource4stopEv+72)
    #21 pc 0006bc51  /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer12performResetEv+168)
    #22 pc 0006b103  /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer22processDeferredActionsEv+90)
    #23 pc 00069ca1  /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer17onMessageReceivedERKNS_2spINS_8AMessageEEE+4944)
    #24 pc 0000b309  /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
    #25 pc 0000d2ef  /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
    #26 pc 0000bd15  /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
    #27 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
    #28 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #29 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41982.zip
 
Источник
www.exploit-db.com

Похожие темы