CPR-Zero: CVE-2021-30351

CVE-2021-30351

Qualcomm OMX audio decoder • Qualcomm chipsets APQ8009, APQ8009W, APQ8017, AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, IPQ4018, IPQ4028, IPQ4029, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078A, IPQ8173, IPQ8174, MDM9150, MDM9206, MDM9250, MDM9607, MDM9628, MSM8909W, MSM8996AU, QCA4024, QCA6174A, QCA6390, QCA6391, QCA6426, QCA6428, QCA6436, QCA6438, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595AU, QCA6696, QCA7500, QCA8075, QCA8081, QCA8337, QCA9367, QCA9377, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM2290, QCM4290, QCM6490, QCN5022, QCN5024, QCN5052, QCN5064, QCN5122, QCN5124, QCN5152, QCN5164, QCN5550, QCN9000, QCN9074, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6490, QCX315, QET4101, QRB5165, QRB5165N, QSM8250, QSW8573, Qualcomm215, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD205, SD210, SD429, SD460, SD480, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDW2500, SDX12, SDX20, SDX24, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7315, SM7325P, SM8450, SM8450P, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835 • Classic Buffer Overflow
Reported on 05-Sep-21 by Slava Makkaveev, Netanel Ben-Simon
CPR-ID: 2189
Upload Date: 31-May-22

Information

libAlacSwDec.so HAL library is responsible for decoding the Apple iTunes
ALAC/AAC-LC audio format on Qualcomm based smartphones.
Privileged android.hardware.media.omx service loads the ALAC library when requested by an Android app, and then calls it to decode the supplied audio frames.
In the libAlacSwDec.so, an out of bound memory access can occur due to improper validation of number of frames being passed during music playback.
The size of the internal output buffer mMixBufferU can be specified using the csd-0 configuration parameter. The numSamples audio parameter is encoded in the audio frame: https://github.com/macosforge/alac/blob/master/codec/ALACDecoder.cpp#L252.
We can write data outside the mMixBufferU output buffer because no size check is
performed: https://github.com/macosforge/alac/blob/master/codec/ALACDecoder.cpp#L320.

Crash trace:

Build fingerprint: 'Sony/G8142/G8142:8.0.0/47.1.A.16.20/623594567:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 9942, tid: 10891, name: media.codec  >>> omx@1.0-service <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x85a0
    r0 00000000  r1 00000000  r2 00000007  r3 00000007
    r4 00000020  r5 00002168  r6 00000000  r7 ed621e6c
    r8 ea90d808  r9 00000001  sl 41411fd8  fp 00000000
    ip 00000007  sp ea90d6b0  lr 00000082  pc ea91033e  cpsr 400f0030

backtrace:
    #00 pc 0000233e  /system/vendor/lib/libAlacSwDec.so (_ZN11ALACDecoder6DecodeEP9BitBufferPhjjPj+1385)
    #01 pc 00005d17  /system/vendor/lib/libAlacSwDec.so (alac_dec_process+154)
    #02 pc 0000331f  /system/vendor/lib/libOmxAlacDecSw.so (_ZN11COmxDecAlac12process_dataEPvP20OMX_BUFFERHEADERTYPES2_+582)
    #03 pc 00006145  /system/vendor/lib/libOmxAlacDecSw.so (_ZN15omx_common_adec19process_in_port_msgEPvh+1196)
    #04 pc 0000906b  /system/vendor/lib/libOmxAlacDecSw.so (omx_common_msg+66)
    #05 pc 000484b7  /system/lib/libc.so (_ZL15__pthread_startPv+22)
    #06 pc 0001b59d  /system/lib/libc.so (__start_thread+32)

References:
https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2021-bulletin.html
https://research.checkpoint.com/2022/bad-alac-one-codec-to-hack-the-whole-world

Share this: