Android - ih264d_process_intra_mb Memory Corruption

2016-04-01T00:00:00
ID EDB-ID:39651
Type exploitdb
Reporter Google Security Research
Modified 2016-04-01T00:00:00

Description

Android - ih264d_process_intra_mb Memory Corruption. DoS exploit for the Android platform

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=523

The attached file causes a crash in ih264d_process_intra_mb during AVC (H.264) parsing, likely due to incorrect bounds checking in one of the memcpy or memset calls in the method.

The file crashes with the following stack trace on Android M (6.0):

09-08 15:51:01.212  8488  8951 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 8951 (le.h264.decoder)
09-08 15:51:01.313   198   198 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-08 15:51:01.313   198   198 F DEBUG   : Build fingerprint: 'google/hammerhead/hammerhead:6.0/MRA58G/2228996:userdebug/dev-keys'
09-08 15:51:01.313   198   198 F DEBUG   : Revision: '0'
09-08 15:51:01.313   198   198 F DEBUG   : ABI: 'arm'
09-08 15:51:01.313   198   198 F DEBUG   : pid: 8488, tid: 8951, name: le.h264.decoder  >>> /system/bin/mediaserver <<<
09-08 15:51:01.313   198   198 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
09-08 15:51:01.317   796   938 W NativeCrashListener: Couldn't find ProcessRecord for pid 8488
09-08 15:51:01.322   198   198 F DEBUG   :     r0 ad7877e0  r1 b21cabf8  r2 00000001  r3 00000220
09-08 15:51:01.322   198   198 E DEBUG   : AM write failed: Broken pipe
09-08 15:51:01.322   198   198 F DEBUG   :     r4 000000c5  r5 0000000a  r6 00000000  r7 00000005
09-08 15:51:01.322   198   198 F DEBUG   :     r8 b3098400  r9 b21cabf8  sl 00000001  fp 00000220
09-08 15:51:01.322   198   198 F DEBUG   :     ip b3099bbc  sp ad7876a0  lr b1c38ab7  pc 00000000  cpsr 200d0010
09-08 15:51:01.329   198   198 F DEBUG   : 
09-08 15:51:01.329   198   198 F DEBUG   : backtrace:
09-08 15:51:01.329   198   198 F DEBUG   :     #00 pc 00000000  <unknown>
09-08 15:51:01.329   198   198 F DEBUG   :     #01 pc 00018ab5  /system/lib/libstagefright_soft_avcdec.so (ih264d_process_intra_mb+2544)
09-08 15:51:01.329   198   198 F DEBUG   :     #02 pc 0000de03  /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_slice+610)
09-08 15:51:01.329   198   198 F DEBUG   :     #03 pc 0000e0b9  /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_thread+64)
09-08 15:51:01.329   198   198 F DEBUG   :     #04 pc 0003f3e7  /system/lib/libc.so (__pthread_start(void*)+30)
09-08 15:51:01.329   198   198 F DEBUG   :     #05 pc 00019b43  /system/lib/libc.so (__start_thread+6)
09-08 15:51:01.627   198   198 F DEBUG   : 
09-08 15:51:01.627   198   198 F DEBUG   : Tombstone written to: /data/tombstones/tombstone_02

It crashes with the following trace on Android L (5.1.1):

W/NativeCrashListener( 2256): Couldn't find ProcessRecord for pid 26174
I/DEBUG   ( 6837): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/DEBUG   ( 6837): AM write failure (32 / Broken pipe)
I/DEBUG   ( 6837): Build fingerprint: 'google/shamu/shamu:5.1.1/LYZ28K/2168912:user/release-keys'
I/DEBUG   ( 6837): Revision: '33696'
I/DEBUG   ( 6837): ABI: 'arm'
I/DEBUG   ( 6837): pid: 26174, tid: 7029, name: le.h264.decoder  >>> /system/bin/mediaserver <<<
I/DEBUG   ( 6837): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG   ( 6837):     r0 0000000f  r1 ffffffff  r2 af2e286c  r3 00000007
I/DEBUG   ( 6837):     r4 af2e286c  r5 00000010  r6 00000000  r7 00000000
I/DEBUG   ( 6837):     r8 0d452c00  r9 af2fc9c8  sl a36c81f7  fp 1e1a8a58
I/DEBUG   ( 6837):     ip ffffffff  sp af2e2840  lr 0000000f  pc af2ea8f0  cpsr 800c0010
I/DEBUG   ( 6837): 
I/DEBUG   ( 6837): backtrace:
I/DEBUG   ( 6837):     #00 pc 000078f0  /system/lib/libstagefright_soft_h264dec.so
I/DEBUG   ( 6837):     #01 pc 0000000d  <unknown>
I/DEBUG   ( 6837): 
I/DEBUG   ( 6837): Tombstone written to: /data/tombstones/tombstone_09
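The two traces above are in different debuggerd/logcat formats (the "F DEBUG :" lines on M and the "I/DEBUG ( pid):" lines on L), which is a nuisance when triaging many fuzzer crashes. The following is an added example, not code from the Project Zero report or from the Android project: it parses both formats into a structured summary and applies a first-pass classification, separating a crash where execution itself reached address 0 (the M trace, pc 00000000 with the caller in ih264d_process_intra_mb) from a plain data access through a null pointer inside a library (the L trace). The embedded sample text is copied from the report; the function and field names are this example's own.

```python
"""Triage helper for Android native crash output (logcat/tombstone excerpts).

Illustrative code added here, not part of the Project Zero report. It handles the
two DEBUG log formats shown in the report (Android M "F DEBUG :" and Android L
"I/DEBUG ( pid):"). Function and field names are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Strip either logcat prefix and keep the message body debuggerd wrote.
DEBUG_PREFIX_RE = re.compile(
    r"^(?:\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+[A-Z] DEBUG\s*:"  # Android M style
    r"|[A-Z]/DEBUG\s*\(\s*\d+\):)"                                       # Android L style
    r"\s?(.*)$"
)
PROC_RE = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr (0x[0-9a-fA-F]+)")
FINGERPRINT_RE = re.compile(r"Build fingerprint: '([^']+)'")
FRAME_RE = re.compile(r"#(\d+)\s+pc\s+([0-9a-fA-F]+)\s+(\S+)(?:\s+\((.*)\))?\s*$")
REG_RE = re.compile(r"\b(r\d+|sl|fp|ip|sp|lr|pc|cpsr)\s+([0-9a-fA-F]{8})\b")


@dataclass
class Frame:
    index: int
    pc: int
    library: str            # mapped object, or "<unknown>" when the pc is unmapped
    symbol: Optional[str]   # "func+offset" when debuggerd could symbolize the frame


@dataclass
class CrashSummary:
    process: str = ""
    pid: int = 0
    tid: int = 0
    thread: str = ""
    fingerprint: str = ""
    signal: str = ""
    code: str = ""
    fault_addr: int = 0
    registers: Dict[str, int] = field(default_factory=dict)
    frames: List[Frame] = field(default_factory=list)


def parse_crash(text: str) -> CrashSummary:
    """Build a CrashSummary from raw logcat text; lines that are not DEBUG output are ignored."""
    crash = CrashSummary()
    for raw in text.splitlines():
        m = DEBUG_PREFIX_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if (p := PROC_RE.search(body)):
            crash.pid, crash.tid = int(p.group(1)), int(p.group(2))
            crash.thread, crash.process = p.group(3), p.group(4)
        elif (s := SIGNAL_RE.search(body)):
            crash.signal, crash.code = s.group(2), s.group(4)
            crash.fault_addr = int(s.group(5), 16)
        elif (b := FINGERPRINT_RE.search(body)):
            crash.fingerprint = b.group(1)
        elif (f := FRAME_RE.search(body)):
            # Frame lines also contain "pc <hex>", so they must be matched before registers.
            crash.frames.append(Frame(int(f.group(1)), int(f.group(2), 16), f.group(3), f.group(4)))
        else:
            for name, value in REG_RE.findall(body):
                crash.registers[name] = int(value, 16)
    return crash


def classify(crash: CrashSummary) -> str:
    """First-pass triage bucket; a heuristic to sort crashes, not a root-cause verdict."""
    if crash.registers.get("pc") == 0:
        # Execution reached address 0: an indirect call or return went through a
        # null or corrupted pointer. The caller is the next frame with a known library.
        return "null-pc"
    if crash.signal == "SIGSEGV" and crash.fault_addr == 0:
        return "null-deref"   # data access through a null pointer at a valid pc
    return "other"


def caller_frame(crash: CrashSummary) -> Optional[Frame]:
    """First frame whose pc maps into a known library (for a null-pc crash, the caller)."""
    for fr in crash.frames:
        if fr.library != "<unknown>":
            return fr
    return None


# Sample input: excerpts copied from the two traces in the report.
SAMPLE_M = """09-08 15:51:01.313   198   198 F DEBUG   : Build fingerprint: 'google/hammerhead/hammerhead:6.0/MRA58G/2228996:userdebug/dev-keys'
09-08 15:51:01.313   198   198 F DEBUG   : pid: 8488, tid: 8951, name: le.h264.decoder  >>> /system/bin/mediaserver <<<
09-08 15:51:01.313   198   198 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
09-08 15:51:01.322   198   198 F DEBUG   :     r0 ad7877e0  r1 b21cabf8  r2 00000001  r3 00000220
09-08 15:51:01.322   198   198 E DEBUG   : AM write failed: Broken pipe
09-08 15:51:01.322   198   198 F DEBUG   :     ip b3099bbc  sp ad7876a0  lr b1c38ab7  pc 00000000  cpsr 200d0010
09-08 15:51:01.329   198   198 F DEBUG   : backtrace:
09-08 15:51:01.329   198   198 F DEBUG   :     #00 pc 00000000  <unknown>
09-08 15:51:01.329   198   198 F DEBUG   :     #01 pc 00018ab5  /system/lib/libstagefright_soft_avcdec.so (ih264d_process_intra_mb+2544)
09-08 15:51:01.329   198   198 F DEBUG   :     #04 pc 0003f3e7  /system/lib/libc.so (__pthread_start(void*)+30)
"""

SAMPLE_L = """W/NativeCrashListener( 2256): Couldn't find ProcessRecord for pid 26174
I/DEBUG   ( 6837): Build fingerprint: 'google/shamu/shamu:5.1.1/LYZ28K/2168912:user/release-keys'
I/DEBUG   ( 6837): pid: 26174, tid: 7029, name: le.h264.decoder  >>> /system/bin/mediaserver <<<
I/DEBUG   ( 6837): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG   ( 6837):     ip ffffffff  sp af2e2840  lr 0000000f  pc af2ea8f0  cpsr 800c0010
I/DEBUG   ( 6837): backtrace:
I/DEBUG   ( 6837):     #00 pc 000078f0  /system/lib/libstagefright_soft_h264dec.so
I/DEBUG   ( 6837):     #01 pc 0000000d  <unknown>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_M, SAMPLE_L):
        c = parse_crash(sample)
        caller = caller_frame(c)
        print(f"{c.process} pid={c.pid} tid={c.tid} ({c.thread}) {c.signal}/{c.code} "
              f"fault=0x{c.fault_addr:x} pc=0x{c.registers.get('pc', 0):08x} -> {classify(c)}; "
              f"caller: {caller.library if caller else '?'} {caller.symbol if caller else ''}")
```

The bucket names are deliberately coarse: a "null-pc" crash deserves a closer look than a plain "null-deref" because it shows control flow already diverted through a corrupted pointer, which is the sort of result the report's suspected out-of-bounds memcpy/memset would produce. The parser only reads the lines debuggerd actually emits, so the NativeCrashListener and "AM write" noise in the report is ignored rather than special-cased.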

To reproduce the issue, download the attached file, and wait for it to be thumbnailed. This can be triggered by opening the downloads folder in the Photos application.

Reported to Android here: https://code.google.com/p/android/issues/detail?id=185644


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39651.zip