Issue 99211: Heap buffer overflow in Webaudio FFTFrame::doFFT
Reported by miaubiz@gmail.com, Oct 5, 2011


VULNERABILITY DETAILS
buffer overflow?

VERSION
Chrome Version: stable + trunk
Operating System: linux 64bit

REPRODUCTION CASE
data:text/html,<script>new webkitAudioContext(1, 1, 22050)</script>

higher third parameter makes allocation larger.

first parameter can go up to 10, second parameter can go up to third parameter


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 

==6220== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fffe4481c7f at pc 0x7ffff597d859 bp 0x7fffd8459370 sp 0x7fffd8459340
READ of size 1 at 0x7fffe4481c7f thread T5
    #0 0x7ffff597d859 in WebCore::FFTFrame::doFFT(float*) ???:0
    #1 0x7ffff59d711c in WebCore::HRTFKernel::HRTFKernel(WebCore::AudioChannel*, unsigned long, double, bool) ???:0

0x7fffe4481c7f is located 1 bytes to the left of 512-byte region [0x7fffe4481c80,0x7fffe4481e80)
allocated by thread T5 here:
    #0 0x7ffff5dfe8ba in malloc _asan_rtl_
    #1 0x7ffff2045f4b in WTF::fastMalloc(unsigned long) ???:0
    #2 0x7ffff27c3073 in WebCore::AudioArray<float>::allocate(unsigned long) ???:0

--

Warning: set address range perms: large range [0x28585b908000, 0x28587b908000) (noaccess)
Thread 6:
Invalid read of size 8
   at 0x4D617AC: memcpy (mc_replace_strmem.c:635)
   by 0x29870FA: WebCore::FFTFrame::doFFT(float*) 
   by 0x29A73B6: WebCore::extractAverageGroupDelay(WebCore::AudioChannel*, unsigned long) 
 Address 0x11ceded8 is 40 bytes before a block of size 512 alloc'd
   at 0x4D5D49B: malloc (vg_replace_malloc.c:904)
   by 0x17894E9: WTF::fastMalloc(unsigned long) 
   by 0x198A840: WebCore::AudioBus::AudioBus(unsigned int, unsigned long, bool) 

Address 0xb963c674ba66f2bc is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV)
 General Protection Fault
   at 0x4D616D0: memcpy (mc_replace_strmem.c:635)
   by 0x29870FA: WebCore::FFTFrame::doFFT(float*) 




Attachments: 1left.html (60 bytes), audio-asan.txt (4.2 KB), audio-vg.txt (5.9 KB)
Oct 5, 2011
#1 infe...@chromium.org
(No comment was entered for this change.)
Summary: Heap buffer overflow in Webaudio FFTFrame::doFFT
Status: Assigned
Owner: crog...@google.com
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-15 Stability-AddressSanitizer
Oct 5, 2011
#2 scarybea...@gmail.com
@palmer: perhaps you could help Chris Rogers take a quick look? This is super similar to the area we did some work on (doFFT), I hope we didn't miss anything :)
Cc: pal...@google.com
Oct 5, 2011
#5 infe...@chromium.org
(No comment was entered for this change.)
Labels: reward-topanel
Oct 5, 2011
#6 pal...@google.com
The problem was that low sample rates cause not enough FFT bytes to be allocated; other code assumes the sample rate is always at least 44100. The patch is simple and crogers will commit it soon.
Oct 6, 2011
#7 infe...@chromium.org
http://trac.webkit.org/changeset/96843
Status: FixUnreleased
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Oct 6, 2011
#8 jschuh@chromium.org
(No comment was entered for this change.)
Labels: SecImpacts-Stable
Oct 6, 2011
#9 jschuh@chromium.org
(No comment was entered for this change.)
Labels: SecImpacts-Beta
Oct 7, 2011
#10 miaubiz@gmail.com
hi,

the bug is still there for sample rates 48001 through 88199 (2x44100-1)

I believe the reason is, on line 432 in third_party/WebKit/Source/WebCore/platform/audio/AudioBus.cpp:

430    double sampleRateRatio = sourceSampleRate / destinationSampleRate;
431    int sourceLength = resamplerSourceBus->length();
432    int destinationLength = sourceLength / sampleRateRatio;

destinationLength is the truncated value of the division, and the other code will attempt to touch areas outside the end of the buffer.

for 48001 ASan says:
0x7fe9ef49587f is located 1 bytes to the left of 1112-byte region [0x7fe9ef495880,0x7fe9ef495cd8)

for 88199 ASan says:
0x7fe9ecf7587f is located 3 bytes to the right of 2044-byte region [0x7fe9ecf75080,0x7fe9ecf7587c)

changing it to:
432    int destinationLength = (sourceLength / sampleRateRatio) + 1;

removes the crash.

cheers,
miaubiz

crash:
data:text/html,<script>new webkitAudioContext(1, 1, 48001)</script>
data:text/html,<script>new webkitAudioContext(1, 1, 88199)</script>

nocrash:
data:text/html,<script>new webkitAudioContext(1, 1, 48000)</script>
data:text/html,<script>new webkitAudioContext(1, 1, 88200)</script>


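The rounding mismatch miaubiz points at in c#10, modelled as an added example. This is not WebKit's code and not the change in http://trac.webkit.org/changeset/97217. It assumes a 256-frame source response at 44.1 kHz (a length consistent with the 1112- and 2044-byte allocations quoted above, since 256 * 48001 / 44100 = 278.6 frames and 256 * 88199 / 44100 = 511.99 frames) and a hypothetical linear-interpolation resampler that emits one output frame per read position inside the source; the functions destination_length_truncated, destination_length_rounded_up, resample_linear_checked and frames_beyond_truncated_allocation are names chosen here. It models only the rounding; it does not explain why the comment reports exactly 48000 as safe, which depends on code the thread does not show.

```c
/* Added example, not WebKit code: the truncated destination length quoted
 * from AudioBus.cpp in c#10, the rounded-up alternative, and a consumer
 * that checks the allocation's real capacity instead of trusting its own
 * arithmetic. */
#include <stdlib.h>

/* The computation quoted in c#10: the double division is truncated toward
 * zero when stored in an int (cast made explicit here). */
int destination_length_truncated(int source_length, double source_rate, double destination_rate)
{
    double sample_rate_ratio = source_rate / destination_rate;
    int destination_length = (int)(source_length / sample_rate_ratio);
    return destination_length;
}

/* Round up instead. A consumer that keeps emitting frames until it has read
 * the whole source needs this many; the reporter's "+ 1" gives the same value
 * whenever the division is inexact and one frame of slack when it is exact.
 * Written without ceil() so no libm is needed. */
int destination_length_rounded_up(int source_length, double source_rate, double destination_rate)
{
    double exact = source_length / (source_rate / destination_rate);
    int n = (int)exact;
    if ((double)n < exact)
        n++;
    return n;
}

/* Hypothetical consumer (not WebKit's resampler): linear interpolation,
 * one output frame for every read position that lies inside the source.
 * It takes the destination's real capacity and never writes past it;
 * *frames_wanted reports how many frames it would have produced, so an
 * under-allocation shows up as a count mismatch, not as a heap overflow. */
int resample_linear_checked(const float *source, int source_length, double sample_rate_ratio,
                            float *destination, int destination_capacity, int *frames_wanted)
{
    int written = 0;
    int wanted = 0;
    for (double pos = 0.0; pos < (double)source_length; pos += sample_rate_ratio) {
        int i = (int)pos;
        double frac = pos - i;
        float a = source[i];
        float b = (i + 1 < source_length) ? source[i + 1] : source[i];
        wanted++;
        if (written < destination_capacity) {
            destination[written] = (float)(a + (b - a) * frac);
            written++;
        }
    }
    if (frames_wanted)
        *frames_wanted = wanted;
    return written;
}

/* Allocate exactly the truncated length for a constructed 256-frame source
 * at 44.1 kHz and report how many frames the consumer wanted beyond it
 * (0 means the allocation was large enough). */
int frames_beyond_truncated_allocation(double destination_rate)
{
    enum { SOURCE_LENGTH = 256 };
    const double source_rate = 44100.0;
    float source[SOURCE_LENGTH];
    for (int i = 0; i < SOURCE_LENGTH; i++)
        source[i] = (float)i;  /* constructed ramp, any content will do */

    double ratio = source_rate / destination_rate;
    int capacity = destination_length_truncated(SOURCE_LENGTH, source_rate, destination_rate);
    float *destination = calloc((size_t)capacity, sizeof(float));
    if (!destination)
        return -1;
    int wanted = 0;
    int written = resample_linear_checked(source, SOURCE_LENGTH, ratio, destination, capacity, &wanted);
    free(destination);
    return wanted - written;
}
```

For 48001 and 88199 the truncated allocation is one frame short of what the consumer wants (278 vs 279 and 511 vs 512); for 88200 the ratio is exactly 2 and both lengths agree at 512, matching the crash/nocrash pairs in the comment. The defensive point is the capacity parameter: whichever side computes the length, the writer should be bounded by the size that was actually allocated.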
Oct 7, 2011
#11 infe...@chromium.org
reopening for analysis
Status: Assigned
Oct 7, 2011
#12 infe...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-View-SecurityNotify -Merge-Approved Restrict-View-SecurityTeam
Oct 11, 2011
#13 infe...@chromium.org
(No comment was entered for this change.)
Labels: ReleaseBlock-Stable
Oct 11, 2011
#15 crog...@google.com
(No comment was entered for this change.)
Labels: Merge-Requested
Oct 11, 2011
#16 crog...@google.com
(No comment was entered for this change.)
Labels: Merge-Approved
Oct 11, 2011
#17 infe...@chromium.org
Thanks Chris for merging. Wow, we might have missed this beta by 4 min. But there is one more.

http://trac.webkit.org/changeset/97217
Status: FixUnreleased
Cc: ka...@chromium.org
Labels: -Restrict-View-SecurityTeam -Merge-Approved Restrict-View-SecurityNotify Merge-Merged merge-merged-874
Oct 13, 2011
#18 kar...@google.com
(No comment was entered for this change.)
Labels: -Merge-Requested
Oct 19, 2011
#19 scarybea...@gmail.com
Thanks for catching this. $1000

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -reward-topanel reward-1000 reward-unpaid
Oct 19, 2011
#20 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: CVE-2011-3889
Oct 19, 2011
#21 miaubiz@gmail.com
not to be a greedy bastard, but weren't these two separate bugs, c#0 and c#10?

Oct 20, 2011
#22 infe...@chromium.org
Miaubiz, you are right. These are two separate bugs. Increasing reward.
Labels: -reward-1000 reward-2000
Oct 28, 2011
#23 scarybea...@gmail.com
Payment in system, can take up to a couple of weeks.
Labels: -reward-unpaid
May 15, 2012
#24 cdn@chromium.org
Marking old security bugs Fixed.
Status: Fixed
Oct 13, 2012
#25 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Jan 18, 2013
#26 lafo...@google.com
(No comment was entered for this change.)
Labels: Restrict-View-EditIssue
Mar 9, 2013
#27 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-15 -Stability-AddressSanitizer -SecImpacts-Stable -SecImpacts-Beta Cr-Content Security-Impact-Beta Security-Severity-High Security-Impact-Stable M-15 Type-Bug-Security Performance-Memory-AddressSanitizer
Mar 13, 2013
#28 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#29 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Mar 21, 2013
#30 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#31 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Mar 21, 2013
#32 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Beta Security_Impact-Beta
Apr 1, 2013
#33 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Apr 5, 2013
#34 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink