Headline
CVE-2022-1795: Use After Free in gpac
Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV.
Description
Heap use-after-free in gf_node_try_destroy (src/scenegraph/base_scenegraph.c) when MP4Box tears down the scene manager after a scene dump (-bt) of a crafted file. The node is freed through gf_node_unregister from an earlier gf_node_try_destroy call on the same teardown path (gf_sm_del -> gf_sm_au_del -> gf_sg_command_del), and is then read again by a later call at base_scenegraph.c:668.
Proof of Concept
Run an AddressSanitizer build of MP4Box in BT scene-dump mode on the attached crafted file:
MP4Box -bt POC1
POC1 is here
ASAN
==74043==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000003fd0 at pc 0x7f0c5374e845 bp 0x7ffcfc56f2b0 sp 0x7ffcfc56f2a8
READ of size 8 at 0x604000003fd0 thread T0
#0 0x7f0c5374e844 in gf_node_try_destroy /home/wjh/gpac/src/scenegraph/base_scenegraph.c:668:24
#1 0x7f0c537623c1 in gf_sg_command_del /home/wjh/gpac/src/scenegraph/commands.c:120:3
#2 0x7f0c53f10d1c in gf_sm_au_del /home/wjh/gpac/src/scene_manager/scene_manager.c:113:4
#3 0x7f0c53f0dcd8 in gf_sm_reset_stream /home/wjh/gpac/src/scene_manager/scene_manager.c:126:3
#4 0x7f0c53f0dcd8 in gf_sm_delete_stream /home/wjh/gpac/src/scene_manager/scene_manager.c:133:2
#5 0x7f0c53f0dcd8 in gf_sm_del /home/wjh/gpac/src/scene_manager/scene_manager.c:147:3
#6 0x505572 in dump_isom_scene /home/wjh/gpac/applications/mp4box/filedump.c:220:2
#7 0x4f3e66 in mp4box_main /home/wjh/gpac/applications/mp4box/mp4box.c:6227:7
#8 0x7f0c52e34082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x42ac0d in _start (/home/wjh/gpac/bin/gcc/MP4Box+0x42ac0d)
0x604000003fd0 is located 0 bytes inside of 48-byte region [0x604000003fd0,0x604000004000)
freed by thread T0 here:
#0 0x4a49fd in free (/home/wjh/gpac/bin/gcc/MP4Box+0x4a49fd)
#1 0x7f0c5374a1cf in gf_node_unregister /home/wjh/gpac/src/scenegraph/base_scenegraph.c:763:3
#2 0x7f0c5374e7dc in gf_node_try_destroy /home/wjh/gpac/src/scenegraph/base_scenegraph.c:669:9
#3 0x7f0c53f10d1c in gf_sm_au_del /home/wjh/gpac/src/scene_manager/scene_manager.c:113:4
#4 0x7f0c53f0dcd8 in gf_sm_reset_stream /home/wjh/gpac/src/scene_manager/scene_manager.c:126:3
#5 0x7f0c53f0dcd8 in gf_sm_delete_stream /home/wjh/gpac/src/scene_manager/scene_manager.c:133:2
#6 0x7f0c53f0dcd8 in gf_sm_del /home/wjh/gpac/src/scene_manager/scene_manager.c:147:3
previously allocated by thread T0 here:
#0 0x4a4c7d in malloc (/home/wjh/gpac/bin/gcc/MP4Box+0x4a4c7d)
#1 0x7f0c5377e2db in Group_Create /home/wjh/gpac/src/scenegraph/mpeg4_nodes.c:7579:2
#2 0x7f0c5377e2db in gf_sg_mpeg4_node_new /home/wjh/gpac/src/scenegraph/mpeg4_nodes.c:36809:10
SUMMARY: AddressSanitizer: heap-use-after-free /home/wjh/gpac/src/scenegraph/base_scenegraph.c:668:24 in gf_node_try_destroy
Shadow bytes around the buggy address:
0x0c087fff87a0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff87b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff87c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff87d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff87e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fff87f0: fa fa 00 00 00 00 02 fa fa fa[fd]fd fd fd fd fd
0x0c087fff8800: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff8810: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff8820: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff8830: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff8840: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==74043==ABORTING
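What the two stacks above say, read together: the freeing stack goes gf_node_try_destroy:669 -> gf_node_unregister -> free(), the faulting read is gf_node_try_destroy:668, and both are reached from gf_sm_au_del:113 while the commands of one access unit are deleted. That is consistent with two commands in the same access unit referring to one node whose reference count accounts for only one of them: the first deletion drops the count to zero and frees the node, the second touches it again. The following C model reproduces that shape and its fix. It is an added example, not GPAC code; Node, Command, node_register, node_try_destroy and the scenario functions are hypothetical names, and a table of live nodes stands in for AddressSanitizer so the dangling path can be counted without dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model, not GPAC code: a reference-counted scene node and
 * "commands" that point at nodes. All names here are hypothetical. */

typedef struct {
    int refs;          /* registered owners (what gf_node_register/unregister track) */
    char tag[16];
} Node;

typedef struct {
    Node *node;        /* a scene-update command that refers to a node */
} Command;

#define MAX_LIVE 16
static Node *g_live[MAX_LIVE];   /* currently allocated nodes (stand-in for ASAN) */
static int g_freed;              /* how many nodes were freed */
static int g_dangling;           /* uses of a node that was already freed */

static int live_index(const Node *n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (g_live[i] == n) return i;
    return -1;
}

static void reset(void) {
    memset(g_live, 0, sizeof g_live);
    g_freed = g_dangling = 0;
}

static Node *node_new(const char *tag) {
    int slot = live_index(NULL);
    if (slot < 0) abort();                 /* table full: not expected here */
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    strncpy(n->tag, tag, sizeof n->tag - 1);
    g_live[slot] = n;
    return n;
}

/* Each owner must take its own reference. */
static void node_register(Node *n) { n->refs++; }

/* Analog of gf_node_try_destroy: drop one reference, free on the last one.
 * Returns 1 if the node was freed, 0 if owners remain, -1 on a dangling use.
 * In real GPAC the -1 path is the heap-use-after-free that ASAN reports.
 * The live-table check is only sound because no allocation happens after
 * the free within one scenario, so the freed address cannot be reused. */
static int node_try_destroy(Node *n) {
    int slot = live_index(n);
    if (slot < 0) { g_dangling++; return -1; }
    if (--n->refs > 0) return 0;
    g_live[slot] = NULL;
    free(n);
    g_freed++;
    return 1;
}

/* Buggy shape: two commands alias one node but only the tree registered it.
 * Deleting the first command frees the node; deleting the second touches it
 * again. Returns the number of dangling uses (1). */
int scenario_unbalanced(void) {
    reset();
    Node *n = node_new("Group");
    node_register(n);                       /* the scene tree's reference */
    Command cmds[2] = { { n }, { n } };     /* commands alias without registering */
    for (int i = 0; i < 2; i++)
        node_try_destroy(cmds[i].node);     /* first call frees, second dangles */
    return g_dangling;
}

/* Fixed shape: every command registers the node it refers to, so the node
 * is freed exactly once, by the last owner. Returns dangling uses (0). */
int scenario_balanced(void) {
    reset();
    Node *n = node_new("Group");
    node_register(n);
    Command cmds[2] = { { n }, { n } };
    for (int i = 0; i < 2; i++)
        node_register(cmds[i].node);        /* refs: 3 */
    for (int i = 0; i < 2; i++)
        node_try_destroy(cmds[i].node);     /* refs: 1, nothing freed */
    node_try_destroy(n);                    /* tree drops the last ref: freed */
    return g_dangling;
}

int freed_count(void) { return g_freed; }

int main(void) {
    int d1 = scenario_unbalanced(), f1 = freed_count();
    int d2 = scenario_balanced(),   f2 = freed_count();
    printf("unbalanced: dangling=%d freed=%d\n", d1, f1);
    printf("balanced:   dangling=%d freed=%d\n", d2, f2);
    return 0;
}
```

The point of the balanced variant is that a reference count only protects a node if every holder of the pointer, including each command object, owns a count; when a fix for this class of bug lands, the thing to check is that every path that stores a node pointer also registers it, and that the teardown order (commands before tree, or tree before commands) no longer matters.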
Impact
A crafted file processed by MP4Box can make it read freed heap memory during scene teardown. Depending on what has been reallocated into the freed 48-byte chunk, this can crash the program, make it operate on attacker-influenced values, or potentially lead to code execution. The faulting path is the scene dump (-bt), so any workflow that runs MP4Box scene handling over untrusted input is exposed.
Related news
Gentoo Linux Security Advisory 202408-21
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Security Advisory 5411-1
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.