CVE-2021-0675
Information
libMtkOmxAlacDec.so HAL library is responsible for decoding the Apple iTunes
ALAC/AAC-LC audio format on MediaTek based smartphones.
The privileged android.hardware.media.omx service loads the ALAC library when requested by an Android app, and then calls it to decode the supplied audio frames.
In libMtkOmxAlacDec.so, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed:
When calling the alac_init function with our controlled csd-0 buffer, we can set the size of the sample buffer. This is similar to what we see here.
The first 4 bytes of csd-0 set setinfo_max_samples_per_frame inside the context struct. That field is used as the size of an internal output buffer that stores the decoded samples before its contents are copied to the caller's output buffer.
Later, in alac_decode_frame, the per-frame outputsamples value is read from the frame data and is not required to match setinfo_max_samples_per_frame, as we can see here.
This means that when setinfo_max_samples_per_frame is set smaller than the sample count carried in the frame data, the decoder writes past the end of the internal output buffer, with the length of the overrun governed by outputsamples.
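As an added illustration (not MediaTek's code and not part of the advisory), the C sketch below models the two functions named above with a constructed context layout and a simplified frame header, and shows the bounds check whose absence is the bug: the outputsamples count read from the frame is rejected when it exceeds the buffer size fixed by csd-0 at init time.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed approximation of the decoder context; only the field names
 * follow the advisory, the layout is not the vendor's. */
typedef struct {
    uint32_t setinfo_max_samples_per_frame; /* taken from csd-0, caller controlled */
    int32_t *outputsamples_buffer;          /* internal buffer sized from the field above */
} alac_ctx;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* alac_init: bytes 0..3 of csd-0 (big-endian) become the max samples per
 * frame. The size is sanity-capped so a hostile csd-0 cannot pick 0 or an
 * absurd value (16384 is an arbitrary cap chosen for this model). */
int alac_init(alac_ctx *c, const uint8_t *csd0, size_t len) {
    if (len < 4) return -1;
    c->setinfo_max_samples_per_frame = be32(csd0);
    if (c->setinfo_max_samples_per_frame == 0 ||
        c->setinfo_max_samples_per_frame > 16384) return -1;
    c->outputsamples_buffer = calloc(c->setinfo_max_samples_per_frame, sizeof(int32_t));
    return c->outputsamples_buffer ? 0 : -1;
}

/* alac_decode_frame with a simplified header: byte 0 bit 0 says whether an
 * explicit 32-bit big-endian sample count follows, as in the ALAC bitstream.
 * Returns 0 on success, -1 on a short frame, -2 when the frame's count would
 * overrun the buffer allocated in alac_init (the check the bug lacked). */
int alac_decode_frame(alac_ctx *c, const uint8_t *frame, size_t len, uint32_t *written) {
    if (len < 5) return -1;
    uint32_t outputsamples = c->setinfo_max_samples_per_frame;
    if (frame[0] & 1) outputsamples = be32(frame + 1);
    if (outputsamples == 0 || outputsamples > c->setinfo_max_samples_per_frame) return -2;
    /* Stand-in for the real decode: fill only the accepted span. */
    memset(c->outputsamples_buffer, 0, outputsamples * sizeof(int32_t));
    *written = outputsamples;
    return 0;
}
```

With the check in place, a csd-0 declaring 4096 samples and a frame declaring 8192 is rejected before any write happens, instead of overrunning the buffer by 4096 samples.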
Crash trace:
Build fingerprint: 'Redmi/cannong_global/cannong:11/RP1A.200720.011/V12.5.2.0.RJEMIXM:user/release-keys'
Revision: '0'
ABI: 'arm'
Timestamp: 2021-08-15 15:03:27+0300
pid: 14733, tid: 15077, name: omx@1.0-service >>> media.codec <<<
uid: 1046
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xedd59000
r0 0000a0a0 r1 a0a00000 r2 00000008 r3 edd56018
r4 edbea000 r5 20a0a080 r6 ffffa0a0 r7 00a0a080
r8 ffffa0a0 r9 00000bfb r10 00000000 r11 41414141
ip 00002fe8 sp eba01050 lr ebb10784 pc ebb0fc40
backtrace:
#00 pc 00009c40 /vendor/lib/libMtkOmxAlacDec.so (alac_decode_frame+1120) (BuildId: f191729fd2ea6e059b79c81995060285)
#01 pc 00005051 /vendor/lib/libMtkOmxAlacDec.so (MtkOmxAlacDec::DecodeAudio(OMX_BUFFERHEADERTYPE*, OMX_BUFFERHEADERTYPE*)+64) (BuildId: f191729fd2ea6e059b79c81995060285)
#02 pc 0000580b /vendor/lib/libMtkOmxAlacDec.so (MtkOmxAudioDecodeThread(void*)+226) (BuildId: f191729fd2ea6e059b79c81995060285)
#03 pc 000aae33 /apex/com.android.runtime/lib/bionic/libc.so (__pthread_start(void*)+40) (BuildId: 5d75b0dff4021c9991d704bbb0956589)
#04 pc 000640a3 /apex/com.android.runtime/lib/bionic/libc.so (__start_thread+30) (BuildId: 5d75b0dff4021c9991d704bbb0956589)
References:
https://corp.mediatek.com/product-security-bulletin/December-2021
https://research.checkpoint.com/2022/bad-alac-one-codec-to-hack-the-whole-world