CVE-2021-0674
Information
The libMtkOmxAlacDec.so HAL library is responsible for decoding the Apple iTunes ALAC/AAC-LC audio format on MediaTek-based smartphones.
In libMtkOmxAlacDec.so, there is a possible out-of-bounds read due to an incorrect bounds check.
This could lead to local information disclosure with no additional execution privileges needed:
When calling the alac_init function with our controlled csd-0 buffer, we can set the size of the sample buffer. This is similar to what we see here.
The first 4 bytes will set the setinfo_max_samples_per_frame inside the context struct.
The setinfo_max_samples_per_frame field is used as the size of an internal output buffer that stores the decoded samples, whose content is then copied to the output buffer.
Later, when we hit the alac_decode_frame function, setinfo_max_samples_per_frame is used as the number of bytes to copy from the frame data to outputsamples_buffer_a, as we can see here.
This means that when setinfo_max_samples_per_frame is set larger than the frame buffer, the copy reads past the end of the input buffer and leaks memory from outside it into our output buffer.
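The following is an added, reduced C model of the flaw and its fix; it is not the vendor's code. It assumes a little-endian 4-byte value in csd-0 and a hypothetical context struct carrying only the field named above. The predicate reports whether the unchecked copy would overrun the frame (without performing the read), and the hardened decode path bounds the copy by both the supplied frame length and the output buffer capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, reduced model of the decoder context; only the field named
 * in the advisory is modelled. */
typedef struct {
    uint32_t setinfo_max_samples_per_frame;  /* taken from csd-0 */
    uint8_t *outputsamples_buffer_a;         /* internal output buffer */
    size_t   output_capacity;                /* its allocated size */
} alac_ctx;

/* Models alac_init: the first 4 bytes of csd-0 set the max samples per frame.
 * Little-endian byte order is an assumption made for this example. */
static int alac_init_model(alac_ctx *ctx, const uint8_t *csd0, size_t csd0_len)
{
    if (csd0_len < 4)
        return -1;
    uint32_t v = (uint32_t)csd0[0] | ((uint32_t)csd0[1] << 8) |
                 ((uint32_t)csd0[2] << 16) | ((uint32_t)csd0[3] << 24);
    if (v == 0 || v > ctx->output_capacity)  /* must fit the buffer it sizes */
        return -1;
    ctx->setinfo_max_samples_per_frame = v;
    return 0;
}

/* The flaw: the copy length comes from csd-0, not from the frame actually
 * supplied. This predicate reports whether an unchecked copy would read past
 * the end of the frame, without performing that read. */
static int unchecked_copy_would_overrun(const alac_ctx *ctx, size_t frame_len)
{
    return ctx->setinfo_max_samples_per_frame > frame_len;
}

/* Hardened alac_decode_frame: bound the copy by what the caller provided and
 * by the output buffer before touching memory. Returns bytes copied, or -1. */
static long decode_frame_checked(alac_ctx *ctx, const uint8_t *frame, size_t frame_len)
{
    size_t n = ctx->setinfo_max_samples_per_frame;
    if (n > frame_len || n > ctx->output_capacity)
        return -1;  /* reject the frame instead of leaking adjacent memory */
    memcpy(ctx->outputsamples_buffer_a, frame, n);
    return (long)n;
}
```

With a csd-0 value of 16 and an 8-byte frame the predicate is true and the hardened path rejects the frame; with a value of 4 the copy proceeds.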
Crash Trace:
Build fingerprint: 'Redmi/cannong_global/cannong:11/RP1A.200720.011/V12.5.2.0.RJEMIXM:user/release-keys'
Revision: '0'
ABI: 'arm'
Timestamp: 2021-08-15 15:00:19+0300
pid: 13992, tid: 14730, name: omx@1.0-service >>> media.codec <<<
uid: 1046
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf59c4000
r0 00000010 r1 00008ffe r2 00000007 r3 f59c3ffe
r4 f596a000 r5 00000008 r6 00000000 r7 00000000
r8 00000000 r9 00000000 r10 00000000 r11 41414141
ip 00000010 sp f3760050 lr f386a055 pc f386e988
backtrace:
#00 pc 00009988 /vendor/lib/libMtkOmxAlacDec.so (alac_decode_frame+424) (BuildId: f191729fd2ea6e059b79c81995060285)
#01 pc 00005051 /vendor/lib/libMtkOmxAlacDec.so (MtkOmxAlacDec::DecodeAudio(OMX_BUFFERHEADERTYPE*, OMX_BUFFERHEADERTYPE*)+64) (BuildId: f191729fd2ea6e059b79c81995060285)
#02 pc 0000580b /vendor/lib/libMtkOmxAlacDec.so (MtkOmxAudioDecodeThread(void*)+226) (BuildId: f191729fd2ea6e059b79c81995060285)
#03 pc 000aae33 /apex/com.android.runtime/lib/bionic/libc.so (__pthread_start(void*)+40) (BuildId: 5d75b0dff4021c9991d704bbb0956589)
#04 pc 000640a3 /apex/com.android.runtime/lib/bionic/libc.so (__start_thread+30) (BuildId: 5d75b0dff4021c9991d704bbb0956589)
References:
https://corp.mediatek.com/product-security-bulletin/December-2021
https://research.checkpoint.com/2022/bad-alac-one-codec-to-hack-the-whole-world