Headline
CVE-2021-38291: #9312 (assertion failed in av_rescale_delta) – FFmpeg
FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from an assertion failure at src/libavutil/mathematics.c.
Summary of the bug
There is an assertion failure at src/libavutil/mathematics.c, which causes ffmpeg to abort.
System info
Ubuntu 18.04.5 LTS
clang version 10.0.0
ffmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640)
commit date: Wed Jun 30 09:34:09 2021
How to build
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug
make
How to reproduce
ffmpeg -y -i crash_input -c:v mpeg4 -c:a copy -f mp4 /dev/null
Gdb output
Assertion duration >= 0 failed at src/libavutil/mathematics.c:172
Thread 1 "ffmpeg_g" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:51
51 …/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7248921 in __GI_abort () at abort.c:79
#2 0x00000000014689a5 in av_rescale_delta (in_tb=…, in_ts=<optimized out>, fs_tb=…, duration=<optimized out>, last=<optimized out>, out_tb=…) at src/libavutil/mathematics.c:172
#3 0x0000000000422647 in do_streamcopy (ist=0x22b4040, ost=0x22cab00, pkt=0x22b4240) at src/fftools/ffmpeg.c:2110
#4 process_input_packet (ist=<optimized out>, pkt=<optimized out>, no_eof=<optimized out>) at src/fftools/ffmpeg.c:2801
#5 0x000000000041e4a6 in process_input (file_index=<optimized out>) at src/fftools/ffmpeg.c:4618
#6 transcode_step () at src/fftools/ffmpeg.c:4758
#7 transcode () at src/fftools/ffmpeg.c:4812
#8 0x000000000041a822 in main (argc=<optimized out>, argv=<optimized out>) at src/fftools/ffmpeg.c:5017
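As an added illustration (not FFmpeg's code and not part of the ticket): a simplified C model of the av_rescale_delta contract seen in frame #2, with a hardened stream-copy caller modelled on frame #3 that validates the per-packet duration before the call, so a malformed packet is rejected instead of reaching the aborting assertion. Rational, NOPTS_VALUE, rescale_q, rescale_delta_model and streamcopy_rescale_pts are stand-ins for the FFmpeg types and functions named on this page; the timebases and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for FFmpeg's AVRational and AV_NOPTS_VALUE (same shape/value, not FFmpeg code). */
typedef struct { int num, den; } Rational;
#define NOPTS_VALUE INT64_MIN

/* Nearest-rounding ts * in / out: a simplified av_rescale_q for small values. */
static int64_t rescale_q(int64_t ts, Rational in, Rational out) {
    int64_t n = ts * in.num * out.den, d = (int64_t)in.den * out.num;
    return (n + (n >= 0 ? d / 2 : -d / 2)) / d;
}

/* Model of the callee's contract: av_rescale_delta guards its inputs with
 * av_assert0(duration >= 0), which aborts the whole process (the crash on this
 * page). Only the simple-round path is modelled; drift correction is omitted. */
static int64_t rescale_delta_model(Rational in_tb, int64_t in_ts, Rational fs_tb,
                                   int duration, int64_t *last, Rational out_tb) {
    if (in_ts == NOPTS_VALUE || duration < 0) {
        fprintf(stderr, "Assertion duration >= 0 failed\n");
        abort();
    }
    *last = rescale_q(in_ts, in_tb, fs_tb) + duration;
    return rescale_q(in_ts, in_tb, out_tb);
}

/* Hardened caller (hypothetical, modelled on the stream-copy frame): the per-packet
 * duration derives from untrusted demuxed data, so it is validated here and a bad
 * packet is rejected with -1 instead of being handed to the aborting assertion. */
static int streamcopy_rescale_pts(Rational in_tb, int64_t pts, int sample_rate,
                                  int duration, int64_t *last, Rational out_tb,
                                  int64_t *out_pts) {
    if (pts == NOPTS_VALUE || duration < 0 || sample_rate <= 0)
        return -1;
    Rational fs_tb = { 1, sample_rate };
    *out_pts = rescale_delta_model(in_tb, pts, fs_tb, duration, last, out_tb);
    return 0;
}

int main(void) {
    int64_t last = NOPTS_VALUE, pts = 0;
    Rational in_tb = { 1, 1000 }, out_tb = { 1, 90000 }; /* ms -> 90 kHz mux timebase */
    int rc = streamcopy_rescale_pts(in_tb, 20, 48000, 1024, &last, out_tb, &pts);
    printf("valid packet: rc=%d pts=%lld last=%lld\n", rc, (long long)pts, (long long)last);
    rc = streamcopy_rescale_pts(in_tb, 40, 48000, -1, &last, out_tb, &pts);
    printf("negative duration: rc=%d (rejected, no abort)\n", rc);
    return 0;
}
```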