CVE-2020-19824: race condition in audio.c on uninit · Issue #6808 · mpv-player/mpv

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

3kyo0 opened this issue

Jul 15, 2019

· 6 comments

Closed

race condition in audio.c on uninit #6808

3kyo0 opened this issue

Jul 15, 2019

· 6 comments

Comments

Can’t reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.
For fuzzing you might want to use --no-config to ensure the crash doesn’t depend on any of your local configuration.

Can’t reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.
For fuzzing you might want to use --no-config to ensure the crash doesn’t depend on any of your local configuration.

Only MacOS

seems ao_c->filter pointer broken.there is two debug info.
1、Normal info:
Playing: ./SIGSEGV.EXC_BAD_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz
[mkv] SeekHead position beyond end of file - incomplete file?
(+) Video --vid=1 () (h264 720x432 25.000fps)
(+) Audio --aid=1 --alang=fre () (ac3 2ch)
(+) Subs --sid=1 --slang=fre (*) (dvd_subtitle)
[vo/gpu] opengl cocoa backend is deprecated, use vo=libmpv instead
[debug]ao_c->filter->f->pins[1]:0x7f8e2f5418d0
[debug]mpctx:0x7f8e32004840
[debug]ao_c:0x7f8e2f5351b0
[debug]ao_c->filter:0x7f8e2f5414f8
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x0
[debug]
[mkv] Invalid EBML length at position 13124
[mkv] Corrupt file detected. Trying to resync starting from position 13124…
[ffmpeg/audio] ac3: expacc 126 is out-of-range
[ffmpeg/audio] ac3: error decoding the audio block
No video PTS! Making something up. Using 25.000000 FPS.
[debug]ao_c->filter->f->pins[1]:0x7f8e2f5418d0
Audio: no audio
[debug]mpctx:0x7f8e32004840
[debug]ao_c:0x7f8e2f5351b0
[debug]ao_c->filter:0x7f8e2f5414f8
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x5
[debug]
VO: [gpu] 720x432 => 1455x432 yuv420p
V: -00:00:00 / 00:00:00 (0%)

Exiting… (End of file)

2、Crashed info
Playing: ./SIGSEGV.EXC_BAD_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz
[mkv] SeekHead position beyond end of file - incomplete file?
(+) Video --vid=1 () (h264 720x432 25.000fps)
(+) Audio --aid=1 --alang=fre () (ac3 2ch)
(+) Subs --sid=1 --slang=fre (*) (dvd_subtitle)
[vo/gpu] opengl cocoa backend is deprecated, use vo=libmpv instead
[debug]ao_c->filter->f->pins[1]:0x7f8ebc1211c0
[debug]mpctx:0x7f8ebe000040
[debug]ao_c:0x7f8ebc120d30
[debug]ao_c->filter:0x7f8ebc120858
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x0
[debug]
[mkv] Invalid EBML length at position 13124
[mkv] Corrupt file detected. Trying to resync starting from position 13124…
No video PTS! Making something up. Using 25.000000 FPS.
[ffmpeg/audio] ac3: expacc 126 is out-of-range
[ffmpeg/audio] ac3: error decoding the audio block
[debug]ao_c->filter->f->pins[1]:0x7f8ebc1211c0
Audio: no audio
[debug]mpctx:0x7f8ebe000040
[debug]ao_c:0x7f8ebc120d30
[debug]ao_c->filter:0x312d320a6572662d
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3033==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001012bb3f9 bp 0x7000039f3dc0 sp 0x7000039f3d00 T61145)

After debugging I think this is an Use after free Vulnerability.
audio.c:425 uinit_audio_chain(mpctx); this line free the ao_c
audio.c:810 if(ao_c->filter->got_output_eof && . this line reuse it

Akemi changed the title crash on MacOS race condition in audio.c on uninit

Jul 21, 2019

i don’t think the uninit in line 425 is the culprit. it’s called in order and before the code in line 810. it’s some race condition in another part of the code.

I think @3kyo0 was right, that’s exactly what I observed.