[Live-devel] heap-use-after-free in continueParsing
Meng Ruijie
ruijie_meng at u.nus.edu
Tue Jun 13 05:48:44 PDT 2023
Hi,
We found a heap-use-after-free bug in live.2023.05.10 while running on Ubuntu 20.04. This bug happens while calling the function `MatroskaFileParser::continueParsing`.
You can reproduce this bug by following the README in the attachment, as below:
1. build the docker image:
docker build . -t uaf
2. create the docker container:
docker run -it -u root --privileged --name reproduce-uaf uaf bash
3. open two terminals:
3.1 In one, run live555:
cd /home/ubuntu/experiments/live/testProgs && ./testOnDemandRTSPServer
3.2 In the other, run the client to send requests:
cd /home/ubuntu/experiments && aflnet-replay client-request1 RTSP 8554 30
You can also try other client requests:
cd /home/ubuntu/experiments && aflnet-replay client-request2 RTSP 8554 30
The following is the ASAN bug report:
=================================================================
==98331==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ffff3969810 at pc 0x0000004957e5 bp 0x7fffffffe0d0 sp 0x7fffffffd898
WRITE of size 270 at 0x7ffff3969810 thread T0
#0 0x4957e4 in __asan_memmove (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4957e4)
#1 0x5d06f0 in StreamParser::testBytes(unsigned char*, unsigned int) /home/ubuntu/experiments/live/liveMedia/./StreamParser.hh:96:5
#2 0x5d06f0 in StreamParser::getBytes(unsigned char*, unsigned int) /home/ubuntu/experiments/live/liveMedia/./StreamParser.hh:90:5
#3 0x5d06f0 in MatroskaFileParser::deliverFrameBytes() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:1240:7
#4 0x5c761c in MatroskaFileParser::parse() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:173:4
#5 0x5c62c8 in MatroskaFileParser::continueParsing() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:100:10
#6 0x5c62c8 in MatroskaFileParser::continueParsing(void*, unsigned char*, unsigned int, timeval) /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:95:38
#7 0x605e86 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
#8 0x60c409 in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
#9 0x4ca479 in main /home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer.cpp:462:24
#10 0x7ffff770a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x41d73d in _start (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x41d73d)
0x7ffff3969810 is located 16 bytes inside of 300564-byte region [0x7ffff3969800,0x7ffff39b2e14)
freed by thread T0 here:
#0 0x4c5f4d in operator delete[](void*) (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4c5f4d)
#1 0x5a3674 in MultiFramedRTPSink::~MultiFramedRTPSink() /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:60:3
previously allocated by thread T0 here:
#0 0x4c56fd in operator new[](unsigned long) (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4c56fd)
#1 0x4cbc82 in OutPacketBuffer::OutPacketBuffer(unsigned int, unsigned int, unsigned int) /home/ubuntu/experiments/live/liveMedia/MediaSink.cpp:122:10
#2 0x57d752 in MPEG4GenericRTPSink::createNew(UsageEnvironment&, Groupsock*, unsigned char, unsigned int, char const*, char const*, char const*, unsigned int) /home/ubuntu/experiments/live/liveMedia/MPEG4GenericRTPSink.cpp:88:14
SUMMARY: AddressSanitizer: heap-use-after-free (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4957e4) in __asan_memmove
Shadow bytes around the buggy address:
0x10007e7252b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e7252c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e7252d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e7252e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e7252f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x10007e725300: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007e725310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007e725320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007e725330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007e725340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007e725350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==98331==ABORTING
Aborted (core dumped)
------
Kind Regards,
Ruijie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UAF2.rar
Type: application/vnd.rar
Size: 6801 bytes
Desc: UAF2.rar
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20230613/536c6abf/attachment-0001.bin>
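The ASan trace above shows a lifetime pattern rather than a parsing bug: the buffer is allocated in `OutPacketBuffer`'s constructor when the RTP sink is created, freed in `~MultiFramedRTPSink()`, and then written by a parser task (`MatroskaFileParser::deliverFrameBytes` via `StreamParser::getBytes`) that the event loop runs afterwards. The following C++ is an added illustration of that pattern and is not live555 code. `Heap`, `Scheduler`, `Parser` and `Sink` are invented stand-ins for the allocator, `BasicTaskScheduler`, `MatroskaFileParser` and `MultiFramedRTPSink`/`OutPacketBuffer`; the instrumented arena only marks blocks dead so the stale write is observable without real undefined behaviour; and the `stopSourceOnDestroy` variant (cancel the pending task and drop the parser's pointer before freeing the buffer) is one generic remedy for this class of bug, not the project's actual fix.

```cpp
// Added example, not live555 code. Models: buffer allocated with the sink,
// freed in the sink's destructor, then written by a still-scheduled parser task.
#include <cstddef>
#include <cstring>
#include <functional>
#include <map>
#include <memory>
#include <vector>

// Instrumented arena: release() only marks a block dead, so a write after free
// is observable here (ASan does this job in the real run) instead of being UB.
struct Block { std::vector<unsigned char> bytes; bool live = true; };
struct Heap {
  std::vector<std::unique_ptr<Block>> blocks;
  Block* alloc(size_t n) {
    blocks.push_back(std::make_unique<Block>());
    blocks.back()->bytes.resize(n);
    return blocks.back().get();
  }
  void release(Block* b) { b->live = false; }
};

// Single-threaded event loop: tasks run later, from a context that no longer
// knows whether the objects they reference still exist (cf. SingleStep()).
struct Scheduler {
  std::map<int, std::function<void()>> tasks;
  int nextId = 1;
  int schedule(std::function<void()> t) { tasks[nextId] = std::move(t); return nextId++; }
  void unschedule(int id) { tasks.erase(id); }
  void runPending() {
    auto pending = std::move(tasks);
    tasks.clear();
    for (auto& kv : pending) kv.second();
  }
};

// Parser: copies frame bytes into the sink's output buffer from a deferred task.
struct Parser {
  Scheduler& sched;
  Block* outBuf = nullptr;      // raw pointer into the sink's storage: the dangling link
  int taskId = 0;
  int writesAfterFree = 0;      // counts what ASan would report as heap-use-after-free
  explicit Parser(Scheduler& s) : sched(s) {}
  void deliverFrameBytes(const unsigned char* src, size_t n) {
    if (outBuf == nullptr) return;                 // detached by a well-behaved sink
    if (!outBuf->live) { ++writesAfterFree; return; }
    std::memmove(outBuf->bytes.data(), src, n);    // the write in the trace (memmove)
  }
  void continueParsing(const unsigned char* src, size_t n) {
    taskId = sched.schedule([this, src, n] { deliverFrameBytes(src, n); });
  }
};

// Sink owns the output buffer; destroying the sink frees it.
struct Sink {
  Heap& heap;
  Block* outBuf;
  Parser* source;
  bool stopSourceOnDestroy;   // hypothetical remedy switch, for comparison only
  Sink(Heap& h, size_t cap, Parser* p, bool stop)
      : heap(h), outBuf(h.alloc(cap)), source(p), stopSourceOnDestroy(stop) {
    p->outBuf = outBuf;       // parser now writes straight into the sink's buffer
  }
  ~Sink() {
    if (stopSourceOnDestroy && source != nullptr) {
      source->sched.unschedule(source->taskId);   // cancel the pending delivery
      source->outBuf = nullptr;                    // and drop the parser's pointer
    }
    heap.release(outBuf);     // the free seen in ~MultiFramedRTPSink()
  }
};

// Constructed sample payload (not data from the report).
static const unsigned char kFrame[] = "constructed frame payload";

// Ordering from the trace: parser schedules a delivery, the session tears the
// sink down, then the event loop runs the stale task. Returns true if that task
// wrote into the freed buffer.
bool writeAfterFreeOccurs(bool stopSourceOnDestroy) {
  Heap heap;
  Scheduler sched;
  Parser parser(sched);
  {
    Sink sink(heap, 300564, &parser, stopSourceOnDestroy);  // size as in the ASan region
    parser.continueParsing(kFrame, sizeof kFrame);
  }                       // ~Sink runs here: buffer released
  sched.runPending();     // stale task runs unless it was unscheduled
  return parser.writesAfterFree > 0;
}
```

Calling `writeAfterFreeOccurs(false)` reproduces the stale write; `writeAfterFreeOccurs(true)` shows that cancelling the pending task and detaching the parser before the buffer is freed removes it. The general check this suggests when reading such a trace is whether every object that hands out a raw pointer to its storage also tears down, before freeing, every scheduled task that may still use that pointer.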