POSTED BY: anestis / 23.03.2016

Android stagefright libavc ih264d_decode heap overflow

CENSUS ID:CENSUS-2016-0003
CVE ID:CVE-2016-0816
Android ID:25928803
Affected Products:Android OS 6.0 — 6.0.1
Class:Out-of-bounds Write (CWE-787)
Discovered by:Anestis Bechtsoudis

Android provides a media playback engine at the native level called Stagefright that comes built-in with software-based codecs for several popular media formats. Stagefright features for audio and video playback include integration with OpenMAX codecs, session management, time-synchronized rendering, transport control, and DRM.

CENSUS engineers have discovered that the libavcodec H.264 software decoder invoked by libstagefright has an OOB write heap overflow at the ih264d_decode_recon_tfr_nmb_thread() procedure.

The vulnerability can be triggered remotely when a victim Android device starts decoding an H.264 compressed video resource (MMS, chat apps, browser, etc.) using the vulnerable built-in software decoder. Successfully exploiting the vulnerability can result into executing unauthorized code with the increased permissions of the mediaserver daemon.

Details

This section provides further technical details about the vulnerability. The issue was discovered by means of fuzz testing (fuzzing). More information about our Android fuzzing work can be found here and here.

In the libavc component of Stagefright, the picture decoder thread is invoking function ih264d_decode_recon_tfr_nmb_thread() in a loop until the ps_dec->u4_cur_slice_decode_done flag is set. Functions ih264d_decode_slice_thread() and ih264d_decode_recon_tfr_nmb_thread() are increasing the number of processed macroblocks (MBs). The number of processed MBs is used to offset the ps_dec->pu1_recon_mb_map metadata heap buffer (allocated from ih264d_allocate_dynamic_bufs()). The issue exists in the inner “recon” loop at lines 343-391. Specifically, this inner loop is not verifying that the u4_mb_num offset is constrained within the boundaries of the pu1_recon_mb_map buffer, before setting the metadata flag at line 388.


+android-6.0.0_r2/external/libavc/decoder/ih264d_thread_parse_decode.c
200  WORD32 ih264d_decode_recon_tfr_nmb_thread(dec_struct_t * ps_dec,
201                                            UWORD8 u1_num_mbs,
202                                            UWORD8 u1_num_mbs_next,
203                                            UWORD8 u1_end_of_row)
204  {
...
342      /* N Mb IQ IT RECON  Loop */
343      for(j = 0; j < i; j++)
344      {
...
384          else
385          {
386              UWORD32 u4_mb_num = ps_cur_mb_info->u2_mbx
387                 + ps_dec->u2_frm_wd_in_mbs * ps_cur_mb_info->u2_mby;  \
             /* no boundary check for u4_mb_num offset */

388              UPDATE_MB_MAP_MBNUM_BYTE(ps_dec->pu1_recon_mb_map, u4_mb_num);  \
             /* OOB write happens here from expanded macro if 'u4_mb_num' points \
              * past the end 'pu1_recon_mb_map' buffer \
              */

389          }
390          ps_dec->cur_dec_mb_num++;
391       }

+android-6.0.0_r2/external/libavc/decoder/ih264d_mb_utils.h
136  #define UPDATE_MB_MAP_MBNUM_BYTE(mb_map, u4_mb_number)
137  {                                                                                                  
138          volatile UWORD8 *pu1_mb_flag;                                             
139                                                                                                      
140          pu1_mb_flag    = (UWORD8 *)mb_map + (u4_mb_number);     
141          /*                                                                                         
142           * In case of MbAff, update the mb_map only if the entire MB is 
143           * done. We can check that by checking if Y is odd, implying      
144           * that this is the second row in the MbAff MB                           
145           */                                                                                        
146          (*pu1_mb_flag) = 1;                                                             
147  }

+android-6.0.0_r2/external/libavc/decoder/ih264d_utils.c:
1831  WORD16 ih264d_allocate_dynamic_bufs(dec_struct_t * ps_dec)
1832  {
...
1844      UWORD8 uc_frmOrFld = (1 — ps_dec->ps_cur_sps->u1_frame_mbs_only_flag);
...
1849      UWORD32 u4_total_mbs = ps_sps->u2_total_num_of_mbs << uc_frmOrFld;
...
1867
1868      size = u4_total_mbs;

1869      pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); \
                      /* heap buffer is allocated here */

1870      RETURN_IF((NULL == pv_buf), IV_FAIL);
1871      ps_dec->pu1_recon_mb_map = pv_buf;

We have developed a PoC that can trigger a heap buffer overflow with an OOB write of size 1 due to the u4_cur_slice_decode_done flag never being set, allowing the MBs processing loop to increase the number of MBs past the end of the metadata buffer (in this case the size is 0x252 bytes). The following GDB session demonstrates the u4_mb_num offset pointing 1 byte past the end of the pu1_recon_mb_map buffer.


gdb$ b external/libavc/decoder/ih264d_thread_parse_decode.c:386  \
                # breakpoint at buffer offset calculation

No source file named external/libavc/decoder/ih264d_thread_parse_decode.c.
Breakpoint 1 (external/libavc/decoder/ih264d_thread_parse_decode.c:386) pending.
gdb$ c
Continuing.
[New Thread 29503]
[Switching to Thread 29503]
--------------------------------------------------------------------------[regs]
  R0:  0x00000001  R1: 0x00000003  R2:  0xB5532000  R3:  0x00000000
  R4:  0x00000000  R5: 0xB5CA2000  R6:  0xB5CA3614  R7:  0xB5534274
  R8:  0x00000003  R9: 0xB5CA3658  R10: 0xB5CA362C  R11: 0x00000000
  R12: 0x00000001  SP: 0xB43C4880  LR:  0xB5CA3640  PC:  0xB5C52FB2
[0xB43C4880]------------------------------------------------------[stack]
0xB43C48D0 : 40 36 CA B5 2D DB C5 B5 — 4C 36 CA B5 37 33 C5 B5 @6..-...L6..73..
0xB43C48C0 : 00 20 CA B5 00 00 00 00 — 1E 00 00 00 B0 89 00 00 . ..............
0xB43C48B0 : 01 00 00 00 00 00 00 00 — 30 49 3C B4 00 00 00 00 ........0I<.....
0xB43C48A0 : 94 00 00 00 1E 00 00 00 — 04 00 00 00 00 00 00 00 ................
0xB43C4890 : 3C 36 CA B5 04 00 00 00 — 00 00 00 00 03 00 00 00 <6..............
0xB43C4880 : 02 00 00 00 EC 42 53 B5 — 00 00 00 00 03 00 00 00 .....BS.........
--------------------------------------------------------------------------[code]
   0xb5c52fb3 : ldrh.w  lr, [r7, #30]
   0xb5c52fb7 : ldrh    r0, [r5, #48]   ; 0x30
   0xb5c52fb9 : ldrh    r7, [r7, #32]
   0xb5c52fbb : ldr.w   r1, [r10]
   0xb5c52fbf : mla     r2, r7, r0, lr
   0xb5c52fc3 : strb.w  r12, [r1, r2]
   0xb5c52fc7 : b.n     0xb5c52f3e 
   0xb5c52fc9 : cmp     r1, #255        ; 0xff
--------------------------------------------------------------------------------
Breakpoint 1, ih264d_decode_recon_tfr_nmb_thread (ps_dec=ps_dec@entry=0xb5ca2000,
u1_num_mbs=, u1_num_mbs_next=, \
u1_end_of_row=) at external/libavc/decoder/ih264d_thread_parse_decode.c:387
387       + ps_dec->u2_frm_wd_in_mbs * ps_cur_mb_info->u2_mby;
gdb$ p ps_dec->ps_cur_sps->u2_total_num_of_mbs << \
        (1 — ps_dec->ps_cur_sps->u1_frame_mbs_only_flag)
$1 = 0x2b2 # MAX size of 'pu1_recon_mb_map' buffer
gdb$ p u4_mb_num # value when breakpoint hits for first time
$2 = 0xaf
gdb$ cond 1 u4_mb_num==0x2b2 # stop again if offset points past MAX
gdb$ c
Continuing.
--------------------------------------------------------------------------[regs]
  R0:  0x00000001  R1: 0x00000003  R2:  0xB5532000  R3:  0x00000000
  R4:  0x00000002  R5: 0xB5CA2000  R6:  0xB5CA3614  R7:  0xB553BB28
  R8:  0x0000001E  R9: 0xB5CA3658  R10: 0xB5CA362C  R11: 0x00000000
  R12: 0x00000001  SP: 0xB43C4880  LR:  0x0000001D  PC:  0xB5C52FB2
[0xB43C4880]------------------------------------------------------[stack]
0xB43C48D0 : 40 36 CA B5 2D DB C5 B5 — 4C 36 CA B5 37 33 C5 B5 @6..-...L6..73..
0xB43C48C0 : 00 20 CA B5 00 00 00 00 — 1E 00 00 00 60 32 01 00 . ..........`2..
0xB43C48B0 : 01 00 00 00 00 00 00 00 — 30 49 3C B4 00 00 00 00 ........0I<.....
0xB43C48A0 : 95 02 00 00 1E 00 00 00 — 04 00 00 00 00 00 00 00 ................
0xB43C4890 : 3C 36 CA B5 04 00 00 00 — 00 00 00 00 1E 00 00 00 <6..............
0xB43C4880 : 02 00 00 00 28 BB 53 B5 — 00 00 00 00 1E 00 00 00 ....(.S.........
--------------------------------------------------------------------------[code]
   0xb5c52fb3 : ldrh.w  lr, [r7, #30]
   0xb5c52fb7 : ldrh    r0, [r5, #48]   ; 0x30
   0xb5c52fb9 : ldrh    r7, [r7, #32]
   0xb5c52fbb : ldr.w   r1, [r10]
   0xb5c52fbf : mla     r2, r7, r0, lr
   0xb5c52fc3 : strb.w  r12, [r1, r2]
   0xb5c52fc7 : b.n     0xb5c52f3e 
   0xb5c52fc9 : cmp     r1, #255        ; 0xff
--------------------------------------------------------------------------------

Breakpoint 1, ih264d_decode_recon_tfr_nmb_thread (ps_dec=ps_dec@entry=0xb5ca2000, \
u1_num_mbs=, u1_num_mbs_next=, \
u1_end_of_row=) at external/libavc/decoder/ih264d_thread_parse_decode.c:387
387    + ps_dec->u2_frm_wd_in_mbs * ps_cur_mb_info->u2_mby;
gdb$ p ps_dec->pu1_recon_mb_map + u4_mb_num
$3 = (volatile UWORD8 *) 0xb63335b2 "" \
# u4_mb_num points 1 byte past the end of ps_dec->pu1_recon_mb_map buffer

The accompanying ASan report against a master branch build is also demonstrating the heap OOB write.


===14639==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaef03b32 \
   at pc 0xb35b8bc0 bp 0xae3d9808 sp 0xae3d9804
WRITE of size 1 at 0xaef03b32 thread T5
    #0 0xb35b8bbf in ih264d_decode_recon_tfr_nmb_thread
                 external/libavc/decoder/ih264d_thread_parse_decode.c:388
    #1 0xb35b917f in ih264d_decode_slice_thread
                 external/libavc/decoder/ih264d_thread_parse_decode.c:585
    #2 0xb35b9603 in ih264d_decode_picture_thread
                external/libavc/decoder/ih264d_thread_parse_decode.c:602
    #3 0xb4ff1adf in __pthread_start(void*) bionic/libc/bionic/pthread_create.cpp:200
    #4 0xb4fc44bb in __start_thread bionic/libc/bionic/clone.cpp:41

0xaef03b32 is located 0 bytes to the right of 690-byte region [0xaef03880,0xaef03b32)
allocated by thread T3 (le.h264.decoder) here:
    #5 0xb5d1f3d3 in malloc_stats ??:?
    #6 0xb357fe3b in \
       ih264d_allocate_dynamic_bufs external/libavc/decoder/ih264d_utils.c:1869
    #7 0xb357ed13 in \
       ih264d_init_pic external/libavc/decoder/ih264d_utils.c:825
    #8 0xb3596c9f in \
       ih264d_start_of_pic external/libavc/decoder/ih264d_parse_slice.c:338
    #9 0xb359cad3 in ih264d_parse_decode_slice \
       external/libavc/decoder/ih264d_parse_slice.c:1578
    #10 0xb356fab3 in ih264d_parse_nal_unit \
       external/libavc/decoder/ih264d_parse_headers.c:1068
    #11 0xb351ffeb in ih264d_video_decode \
       external/libavc/decoder/ih264d_api.c:2011
    #12 0xb3528c5f in ih264d_api_function \
       external/libavc/decoder/ih264d_api.c:3518
    #13 0xb351716b in android::SoftAVC::onQueueFilled(unsigned int) \
       frameworks/av/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp:586
    #14 0xb628ca37 in \ 
      android::SimpleSoftOMXComponent::onMessageReceived(android::sp \
      const&) frameworks/av/media/libstagefright/omx/SimpleSoftOMXComponent.cpp:375
    #15 0xb62914e3 in android::AHandlerReflector::onMessageReceived(android::sp \
   const&) frameworks/av/include/media/stagefright/foundation/AHandlerReflector.h:35
    #16 0xb68e3a53 in android::AHandler::deliverMessage(android::sp \
         const&) frameworks/av/media/libstagefright/foundation/AHandler.cpp:27
    #17 0xb68f00ef in android::AMessage::deliver() \
         frameworks/av/media/libstagefright/foundation/AMessage.cpp:354
    #18 0xb68e75d3 in \
         android::ALooper::loop() \
         frameworks/av/media/libstagefright/foundation/ALooper.cpp:216
    #14 0xb33ff96b  ()
    #15 0xb33ff91f  ()

Thread T5 created by T3 (le.h264.decoder) here:
    #19 0xb5d03c4f in __asan_memmove ??:?
    #20 0xb359cc1f in \
       ih264d_parse_decode_slice external/libavc/decoder/ih264d_parse_slice.c:1603
    #21 0xb356fab3 in \
       ih264d_parse_nal_unit external/libavc/decoder/ih264d_parse_headers.c:1068
    #22 0xb351ffeb in ih264d_video_decode external/libavc/decoder/ih264d_api.c:2011
    #23 0xb3528c5f in ih264d_api_function external/libavc/decoder/ih264d_api.c:3518
    #24 0xb351716b in \
      android::SoftAVC::onQueueFilled(unsigned int)\
      frameworks/av/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp:586
    #25 0xb628ca37 in \
      android::SimpleSoftOMXComponent::onMessageReceived(android::sp \
      const&) frameworks/av/media/libstagefright/omx/SimpleSoftOMXComponent.cpp:375
    #26 0xb62914e3 in \
     android::AHandlerReflector::onMessageReceived(android::sp\
const&) frameworks/av/include/media/stagefright/foundation/AHandlerReflector.h:35
    #27 0xb68e3a53 in \
      android::AHandler::deliverMessage(android::sp const&) \
      frameworks/av/media/libstagefright/foundation/AHandler.cpp:27
    #28 0xb68f00ef in \
      android::AMessage::deliver() \
      frameworks/av/media/libstagefright/foundation/AMessage.cpp:354
    #29 0xb68e75d3 in \
      android::ALooper::loop() \
      frameworks/av/media/libstagefright/foundation/ALooper.cpp:216
    #11 0xb33ff96b  ()
    #12 0xb33ff91f  ()

Thread T3 (le.h264.decoder) created by T0 here:
    #30 0xb5d03c4f in __asan_memmove ??:?
    #31 0xb69289fb in androidCreateRawThreadEtc system/core/libutils/Threads.cpp:160
    #32 0xb628938f in SimpleSoftOMXComponent \
       frameworks/av/media/libstagefright/omx/SimpleSoftOMXComponent.cpp:42
    #33 0xb62932ff in SoftVideoDecoderOMXComponent \
      frameworks/av/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp:54
    #34 0xb3518b8b in SoftAVC \
       frameworks/av/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp:112
    #35 0xb3518b8b in createSoftOMXComponent(char const*, \
       OMX_CALLBACKTYPE const*, void*, OMX_COMPONENTTYPE**) \
       frameworks/av/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp:701
    #36 0xb6292a3b in android::SoftOMXPlugin::makeComponentInstance(char const*, \
       OMX_CALLBACKTYPE const*, void*, OMX_COMPONENTTYPE**) \
       frameworks/av/media/libstagefright/omx/SoftOMXPlugin.cpp:112
    #37 0xb626ad37 in android::OMXMaster::makeComponentInstance(char const*, \
       OMX_CALLBACKTYPE const*, void*, OMX_COMPONENTTYPE**) \
       frameworks/av/media/libstagefright/omx/OMXMaster.cpp:138
    #38 0xb6260c83 in android::OMX::allocateNode(char const*, \
       android::sp const&, unsigned int*) \
       frameworks/av/media/libstagefright/omx/OMX.cpp:243
    #39 0xb653acfb in android::MuxOMX::allocateNode(char const*, \
       android::sp const&, unsigned int*) \
       frameworks/av/media/libstagefright/OMXClient.cpp:233
    #40 0xb6540e6f in android::OMXCodec::Create(android::sp \
      const&, android::sp const&, bool, \
      android::sp const&, char const*, unsigned int, \
      android::sp const&) \
      frameworks/av/media/libstagefright/OMXCodec.cpp:367
    #41 0xb6f1f0c3 in
    #42 0xb4fc18b5 in __libc_init bionic/libc/bionic/libc_init_dynamic.cpp:114
    #12 0x1  ()

SUMMARY: AddressSanitizer: heap-buffer-overflow \
                   (/data/lib/libstagefright_soft_avcdec.so+0xb0bbf)
Shadow bytes around the buggy address:
  0x15de0710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x15de0720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x15de0730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x15de0740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x15de0750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x15de0760: 00 00 00 00 00 00[02]fa fa fa fa fa fa fa fa fa
  0x15de0770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x15de0780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x15de0790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x15de07a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x15de07b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14639==ABORTING

Considering that most Nexus devices have a hardware H.264 decoder, mediaserver will prefer it over the vulnerable software version (if a failover is not triggered). Applications that initialize the decoders manually might be vulnerable to this issue depending on their choices.

The stagefright standalone command and our PoC can be used to trigger the vulnerability, using the software codec option shown below:

$ /system/bin/stagefright -s \
        /sdcard/Movies/ih264d_decode_recon_tfr_nmb_thread_POC.mp4

Our testing was carried out on the following devices and software setup:

  • google/shamu/shamu:6.0/MRA58N/2289998:user/release-keys
  • Android/aosp_hammerhead/hammerhead:6.0/MASTER/anestisb11211639:userdebug/test-keys ("frameworks/av "commit [bca41e3], "external/libavc" commit [94bf490])

Discussion

The vulnerablity has been fixed for supported Android OS versions as described in the March 2016 Nexus security bulletin. Users are advised to upgrade to the latest stable release.

Disclosure Timeline

Vendor Contact:November 28th, 2015
Vendor Assigned Internal ID:November 30th, 2015
Vendor Triaged Vulnerability (Critical):December 11th, 2015
Vendor Patch Release:March 7th, 2016
Public Advisory:March 23rd, 2016