[Live-devel] heap-use-after-free while handling PLAY

Meng Ruijie ruijie_meng at u.nus.edu
Tue Jun 13 06:04:55 PDT 2023


Hi,

We found one heap-use-after-free in live.2023.05.10 running on Ubuntu 20.04. It happens while handling the PLAY client request by calling the function `MultiFramedRTPSink::continuePlaying`.

We attached the relevant files to reproduce this bug and hope it could help you fix it. You can reproduce it as follows (see also the README):

1. build the docker image:
    docker build . -t uaf3
2. create the docker container:
    docker run -it -u root --privileged --name reproduce-uaf3 uaf3 bash
3. open two terminals:
    3.1 one run live555:
        cd /home/ubuntu/experiments/live/testProgs && ./testOnDemandRTSPServer
    3.2 another one run client to send requests:
        cd /home/ubuntu/experiments && aflnet-replay uaf3-client-request1 RTSP 8554 30
        You can also try other client requests:
        cd /home/ubuntu/experiments && aflnet-replay uaf3-client-request2 RTSP 8554 30

The following is the ASAN bug report:

=================================================================
==98372==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ffff37b5810 at pc 0x0000004957e5 bp 0x7fffffffdaf0 sp 0x7fffffffd2b8
WRITE of size 270 at 0x7ffff37b5810 thread T0
    #0 0x4957e4 in __asan_memmove (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4957e4)
    #1 0x5d06f0 in StreamParser::testBytes(unsigned char*, unsigned int) /home/ubuntu/experiments/live/liveMedia/./StreamParser.hh:96:5
    #2 0x5d06f0 in StreamParser::getBytes(unsigned char*, unsigned int) /home/ubuntu/experiments/live/liveMedia/./StreamParser.hh:90:5
    #3 0x5d06f0 in MatroskaFileParser::deliverFrameBytes() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:1240:7
    #4 0x5c761c in MatroskaFileParser::parse() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:173:4
    #5 0x5c6348 in MatroskaFileParser::continueParsing() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:100:10
    #6 0x5a4844 in MultiFramedRTPSink::packFrame() /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:223:14
    #7 0x5a3fdf in MultiFramedRTPSink::buildAndSendPacket(unsigned char) /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:199:3
    #8 0x5a3fdf in MultiFramedRTPSink::continuePlaying() /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:159:3
    #9 0x5bbe7e in StreamState::startPlaying(Destinations*, unsigned int, void (*)(void*), void*, void (*)(void*, unsigned char), void*) /home/ubuntu/experiments/live/liveMedia/OnDemandServerMediaSubsession.cpp:575:17
    #10 0x5bb691 in OnDemandServerMediaSubsession::startStream(unsigned int, void*, void (*)(void*), void*, unsigned short&, unsigned int&, void (*)(void*, unsigned char), void*) /home/ubuntu/experiments/live/liveMedia/OnDemandServerMediaSubsession.cpp:229:18
    #11 0x4dd3d3 in RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:1943:36
    #12 0x4dba3e in RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp
    #13 0x4d6ba9 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:996:22
    #14 0x5b7a66 in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live/liveMedia/GenericMediaServer.cpp:324:3
    #15 0x605e35 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:153:7
    #16 0x60c409 in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
    #17 0x4ca479 in main /home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer.cpp:462:24
    #18 0x7ffff770a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x41d73d in _start (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x41d73d)

0x7ffff37b5810 is located 16 bytes inside of 300564-byte region [0x7ffff37b5800,0x7ffff37fee14)
freed by thread T0 here:
    #0 0x4c5f4d in operator delete[](void*) (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4c5f4d)
    #1 0x5a3674 in MultiFramedRTPSink::~MultiFramedRTPSink() /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:60:3

previously allocated by thread T0 here:
    #0 0x4c56fd in operator new[](unsigned long) (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4c56fd)
    #1 0x4cbc82 in OutPacketBuffer::OutPacketBuffer(unsigned int, unsigned int, unsigned int) /home/ubuntu/experiments/live/liveMedia/MediaSink.cpp:122:10
    #2 0x57d752 in MPEG4GenericRTPSink::createNew(UsageEnvironment&, Groupsock*, unsigned char, unsigned int, char const*, char const*, char const*, unsigned int) /home/ubuntu/experiments/live/liveMedia/MPEG4GenericRTPSink.cpp:88:14

SUMMARY: AddressSanitizer: heap-use-after-free (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4957e4) in __asan_memmove
==98372==ABORTING
Aborted (core dumped)


------
Kind Regards,
Ruijie
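As an added example (not live555's code and not the reporter's attachment): a hypothetical model of the ownership pattern the stack traces point at, with the free site in the sink destructor and the deferred write in the frame source, beside the guard a sink destructor needs so that no pending delivery still points into its freed buffer. FrameSource, RTPSink, the fCancel switch and the buffer/frame sizes borrowed from the report are assumptions of this model, not live555's implementation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
// Hypothetical model (not live555's code) of the ownership pattern the trace suggests: the sink
// owns the output buffer and hands a raw pointer into it to an asynchronous frame source.
class FrameSource {
 public:
  void getNextFrame(uint8_t* to, size_t max) { fTo = to; fMax = max; }  // write here, later
  void stopGettingFrames() { fTo = nullptr; fMax = 0; }  // hardened sink calls this on teardown
  size_t deliverFrameBytes(const uint8_t* data, size_t n) {  // returns bytes written, 0 if cancelled
    if (fTo == nullptr) return 0;   // delivery was cancelled: safe no-op
    if (n > fMax) n = fMax;         // never write past the buffer the sink handed us
    memcpy(fTo, data, n);
    fTo = nullptr;                  // one-shot delivery
    return n;
  }
  bool hasPendingDestination() const { return fTo != nullptr; }
 private:
  uint8_t* fTo = nullptr;
  size_t fMax = 0;
};
class RTPSink {
 public:
  RTPSink(FrameSource& src, size_t capacity, bool cancelOnDestroy)
      : fSource(src), fBuf(new uint8_t[capacity]), fCap(capacity), fCancel(cancelOnDestroy) {}
  ~RTPSink() {
    if (fCancel) fSource.stopGettingFrames();  // the guard: leave no pointer to fBuf behind
    delete[] fBuf;                              // the free site, as in ~MultiFramedRTPSink
  }
  void continuePlaying() { fSource.getNextFrame(fBuf, fCap); }  // the request packFrame() makes
 private:
  FrameSource& fSource;
  uint8_t* fBuf;
  size_t fCap;
  bool fCancel;
};
// PLAY starts a delivery, then the sink is torn down. true = source still points into the freed
// buffer (the state behind the reported UAF write); a hardened sink clears it.
bool sourceDanglesAfterSinkDestroyed(bool hardened) {
  FrameSource src;
  { RTPSink sink(src, 300564, hardened); sink.continuePlaying(); }  // sink freed, delivery pending
  return src.hasPendingDestination();
}
// With the hardened sink, the late delivery is a no-op rather than a write into freed memory.
size_t bytesDeliveredAfterHardenedTeardown() {
  FrameSource src;
  { RTPSink sink(src, 300564, true); sink.continuePlaying(); }
  uint8_t frame[270] = {};  // constructed sample frame, sized like the reported 270-byte WRITE
  return src.deliverFrameBytes(frame, sizeof frame);
}
```

The unhardened path never dereferences the stale pointer; it only reports that one is still held, which is the condition ASAN turns into the write-after-free when the deferred delivery runs.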
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UAF3.rar
Type: application/vnd.rar
Size: 7377 bytes
Desc: UAF3.rar
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20230613/eed17909/attachment-0001.bin>