race condition in audio.c on uninit

Question

race condition in audio.c on uninit

3kyo0 opened this issue 5 years ago · comments

3kyo0 commented 5 years ago

mpv version and platform

mpv 0.29.1
mpv 0.29.0-353-g65b1c2d065-dirty
MacOS 10.13.6 (17G6030)

Reproduction steps

run script ./fuzz.sh
https://github.com/3kyo0/fuzz_samples/blob/master/fuzz.sh

Expected behavior

crash with Segmentation fault: 11
[mkv] SeekHead position beyond end of file - incomplete file?
(+) Video --vid=1 () (h264 720x432 25.000fps)
(+) Audio --aid=1 --alang=fre () (ac3 2ch)
(+) Subs --sid=1 --slang=fre (*) (dvd_subtitle)
[mkv] Invalid EBML length at position 13124
[mkv] Corrupt file detected. Trying to resync starting from position 13124...
No video PTS! Making something up. Using 25.000000 FPS.
[ffmpeg/audio] ac3: expacc 126 is out-of-range
[ffmpeg/audio] ac3: error decoding the audio block
Audio: no audio
Segmentation fault: 11

Actual behavior

crash

Log file

https://github.com/3kyo0/fuzz_samples/blob/master/crashreport.txt
https://github.com/3kyo0/fuzz_samples/blob/master/HONGGFUZZ.REPORT.TXT

Sample files

https://github.com/3kyo0/fuzz_samples/blob/master/SIGSEGV.EXC_BAD_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz

sfan5 · Answer 1 · Mon Jul 15 2019 20:09:36 GMT+0800 (China Standard Time)

Can't reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.
For fuzzing you might want to use --no-config to ensure the crash doesn't depend on any of your local configuration.

3kyo0 · Answer 2 · Mon Jul 15 2019 20:28:50 GMT+0800 (China Standard Time)

Can't reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.
For fuzzing you might want to use --no-config to ensure the crash doesn't depend on any of your local configuration.

Only MacOS

3kyo0 · Answer 3 · Tue Jul 16 2019 19:30:09 GMT+0800 (China Standard Time)

seems ao_c->filter pointer broken.there is two debug info.
1、Normal info:
Playing: ./SIGSEGV.EXC_BAD_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz
[mkv] SeekHead position beyond end of file - incomplete file?
(+) Video --vid=1 () (h264 720x432 25.000fps)
(+) Audio --aid=1 --alang=fre () (ac3 2ch)
(+) Subs --sid=1 --slang=fre (*) (dvd_subtitle)
[vo/gpu] opengl cocoa backend is deprecated, use vo=libmpv instead
[debug]ao_c->filter->f->pins[1]:0x7f8e2f5418d0
[debug]mpctx:0x7f8e32004840
[debug]ao_c:0x7f8e2f5351b0
[debug]ao_c->filter:0x7f8e2f5414f8
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x0
[debug]
[mkv] Invalid EBML length at position 13124
[mkv] Corrupt file detected. Trying to resync starting from position 13124...
[ffmpeg/audio] ac3: expacc 126 is out-of-range
[ffmpeg/audio] ac3: error decoding the audio block
No video PTS! Making something up. Using 25.000000 FPS.
[debug]ao_c->filter->f->pins[1]:0x7f8e2f5418d0
Audio: no audio
[debug]mpctx:0x7f8e32004840
[debug]ao_c:0x7f8e2f5351b0
[debug]ao_c->filter:0x7f8e2f5414f8
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x5
[debug]
VO: [gpu] 720x432 => 1455x432 yuv420p
V: -00:00:00 / 00:00:00 (0%)

Exiting... (End of file)

2、Crashed info
Playing: ./SIGSEGV.EXC_BAD_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz
[mkv] SeekHead position beyond end of file - incomplete file?
(+) Video --vid=1 () (h264 720x432 25.000fps)
(+) Audio --aid=1 --alang=fre () (ac3 2ch)
(+) Subs --sid=1 --slang=fre (*) (dvd_subtitle)
[vo/gpu] opengl cocoa backend is deprecated, use vo=libmpv instead
[debug]ao_c->filter->f->pins[1]:0x7f8ebc1211c0
[debug]mpctx:0x7f8ebe000040
[debug]ao_c:0x7f8ebc120d30
[debug]ao_c->filter:0x7f8ebc120858
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x0
[debug]
[mkv] Invalid EBML length at position 13124
[mkv] Corrupt file detected. Trying to resync starting from position 13124...
No video PTS! Making something up. Using 25.000000 FPS.
[ffmpeg/audio] ac3: expacc 126 is out-of-range
[ffmpeg/audio] ac3: error decoding the audio block
[debug]ao_c->filter->f->pins[1]:0x7f8ebc1211c0
Audio: no audio
[debug]mpctx:0x7f8ebe000040
[debug]ao_c:0x7f8ebc120d30
[debug]ao_c->filter:0x312d320a6572662d
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3033==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001012bb3f9 bp 0x7000039f3dc0 sp 0x7000039f3d00 T61145)

3kyo0 · Answer 4 · Wed Jul 17 2019 13:34:47 GMT+0800 (China Standard Time)

After debugging I think this is an Use after free Vulnerability.
audio.c:425 uinit_audio_chain(mpctx); this line free the ao_c
audio.c:810 if(ao_c->filter->got_output_eof && . this line reuse it

der richter · Answer 5 · Mon Jul 22 2019 00:47:39 GMT+0800 (China Standard Time)

i don't think the uninit in line 425 is the culprit. it's called in order and before the code in line 810. it's some race condition in another part of the code.

Deleted user · Answer 6 · Sun Sep 22 2019 04:00:37 GMT+0800 (China Standard Time)

I think @3kyo0 was right, that's exactly what I observed.