UAF in mkvalidator libebml2/ebmlcrc.c EBML_CRCMatches function #57

Open
giantbranch opened this issue Sep 22, 2020 · 0 comments

Credit: giantbranch of NSFOCUS Security Team

What's the problem?

A Use After Free in the EBML_CRCMatches function in libebml2/ebmlcrc.c, in mkvalidator v0.5.2.

ASAN reports:

$ ./mkvalidator ./tests_74.mkv
.=================================================================
==12870==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000888 at pc 0x00000050f66d bp 0x7ffdaad596c0 sp 0x7ffdaad596b8
READ of size 4 at 0x603000000888 thread T0
    #0 0x50f66c in EBML_CRCMatches /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlcrc.c:244:14
    #1 0x518e92 in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:416:35
    #2 0x4c8d4e in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:981:6
    #3 0x7feed484f83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x41bf58 in _start (/root/reproduce/mkvalidator+0x41bf58)

0x603000000888 is located 8 bytes inside of 24-byte region [0x603000000880,0x603000000898)
freed by thread T0 here:
    #0 0x495b4d in free (/root/reproduce/mkvalidator+0x495b4d)
    #1 0x51ff88 in ArrayClear /root/debug-fuzz-reslut/mkvalidator/foundation-source/corec/corec/array/array.c:157:2
    #2 0x4c8d4e in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:981:6
    #3 0x7feed484f83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x495dcd in malloc (/root/reproduce/mkvalidator+0x495dcd)
    #1 0x51fbb8 in Data_ReAlloc /root/debug-fuzz-reslut/mkvalidator/foundation-source/corec/corec/array/array.c:87:24

SUMMARY: AddressSanitizer: heap-use-after-free /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlcrc.c:244:14 in EBML_CRCMatches
Shadow bytes around the buggy address:
  0x0c067fff80c0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff80d0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff80e0: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
  0x0c067fff80f0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fff8100: 00 04 fa fa 00 00 00 01 fa fa 00 00 06 fa fa fa
=>0x0c067fff8110: fd[fd]fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12870==ABORTING

location: foundation-source/libebml2/ebmlcrc.c:244

Add a breakpoint in the EBML_CRCMatches function and look at $rsi: 0x67f788.
Then look at the freed chunk: 0x67f788 lies inside the freed chunk.

How can we reproduce the issue?

Compile commands I use:

clang corec/tools/coremake/coremake.c -o coremake && ./coremake gcc_linux_x64

make -C mkvalidator -e CC="clang -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e CXX="clang++ -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e STRIP=""

Reproduce the issue:

unzip tests_xx.zip
mkvalidator ./tests_xx.mkv

PoC:
tests_74.zip

Details about my environment:

  • mkvalidator version:
$ ./mkvalidator --version
mkvalidator v0.5.2, Copyright (c) 2010-2015 Matroska Foundation
	file "--version"
  • Host Operating System and version: Ubuntu 16.04.3 LTS
  • Host CPU architecture: x86_64
  • clang: clang version 11.0.0
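As an added triage example (not part of this report or of the mkvalidator code base): a small Python parser that pulls the bug kind, the faulting access and the use/free/allocation stacks out of an AddressSanitizer report such as the one above, so reports like this can be classified and deduplicated automatically. The sample input is the ASan output quoted in this issue, trimmed to the lines the parser needs.

```python
import re

# Constructed sample: the ASan report from this issue, trimmed to the lines the parser needs.
SAMPLE_REPORT = """\
==12870==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000888 at pc 0x00000050f66d bp 0x7ffdaad596c0 sp 0x7ffdaad596b8
READ of size 4 at 0x603000000888 thread T0
    #0 0x50f66c in EBML_CRCMatches /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlcrc.c:244:14
    #1 0x518e92 in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:416:35

0x603000000888 is located 8 bytes inside of 24-byte region [0x603000000880,0x603000000898)
freed by thread T0 here:
    #0 0x495b4d in free (/root/reproduce/mkvalidator+0x495b4d)
    #1 0x51ff88 in ArrayClear /root/debug-fuzz-reslut/mkvalidator/foundation-source/corec/corec/array/array.c:157:2

previously allocated by thread T0 here:
    #0 0x495dcd in malloc (/root/reproduce/mkvalidator+0x495dcd)
    #1 0x51fbb8 in Data_ReAlloc /root/debug-fuzz-reslut/mkvalidator/foundation-source/corec/corec/array/array.c:87:24
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_asan_report(text):
    """Extract the bug kind, faulting access, region geometry and the use/free/alloc stacks;
    frames without a file:line (the free()/malloc() wrappers) are skipped."""
    info = {"stacks": {"use": [], "free": [], "alloc": []}}
    current = None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            info["kind"], info["address"], current = m.group(1), m.group(2), "use"
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by"):
            current = "free"
        elif line.startswith("previously allocated"):
            current = "alloc"
        elif (m := FRAME_RE.match(line)) and current and ":" in m.group(2):
            func, loc = m.groups()
            path, lineno = loc.split(":")[0], int(loc.split(":")[1])
            info["stacks"][current].append((func, path.rsplit("/", 1)[-1], lineno))
    return info

def summarize(info):
    """One-line triage summary: who touched the freed memory and who freed it."""
    (ufn, ufile, uline), (ffn, ffile, fline) = info["stacks"]["use"][0], info["stacks"]["free"][0]
    return f"{info['kind']}: {info['access']} of {info['size']} bytes in {ufn} ({ufile}:{uline}), region freed by {ffn} ({ffile}:{fline})"
```

Feeding the full report (shadow bytes included) gives the same result, since lines that match none of the patterns are ignored.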