Issue #1287
Stagefright vulnerability (Closed, 100% done)
Description
In this ticket I'll check whether Replicant is vulnerable to the Stagefright (http://source.android.com/devices/media.html) weaknesses.
More details: http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/
(There is already a Replicant forum thread about it: http://redmine.replicant.us/boards/39/topics/10329)
- the weakness is more or less exclusively present in the hardware-accelerated audio/video decoding, so Replicant doesn't have to be affected (since it doesn't use those proprietary accelerations), but I have to check that in detail.
- If Replicant is affected, it doesn't seem to be enough to:
  - avoid Hangouts or disable: Settings -> SMS -> Auto Retrieve MMS -> [uncheck]
  - disable auto-MMS-reception in the standard SMS app or alternative SMS apps
  - remove the MMS APN: Settings -> More... -> Mobile networks -> Access Point Names -> {choose your MMS provider APN} -> three-dot menu -> Delete APN
  because you would still be vulnerable (e.g. via manipulated email pictures, or any other app that uses the Stagefright media framework).
Solution/Patches
CM diffs (I'll try to bring these to Replicant preemptively, ASAP):
http://review.cyanogenmod.org/#/c/103267/
http://review.cyanogenmod.org/#/c/103268/
http://review.cyanogenmod.org/#/c/103269/
http://review.cyanogenmod.org/#/c/103270/
http://review.cyanogenmod.org/#/c/103266/
Files
Updated by Paul Kocialkowski about 9 years ago
Great, thanks for your investigation! I'll try to get around to merging your already-pending security fixes soon. If Replicant is indeed affected by the Stagefright vulnerability, then patches for it are welcome as well :)
Thanks for your great work, as usual!
Updated by My Self about 9 years ago
- File stagefright_patchset.zip added
Sorry for the delay.
It was a lot of cherry-picking. Initially I worked with the patchset provided by Zimperium (https://s3.amazonaws.com/zhafiles/Zimperium-Handset-Alliance/ZHA-Stagefright-Patches.zip), but afterwards I realized that some of the original patches (https://android-review.googlesource.com/#/c/162646/) are slightly different. And then I realized that CyanogenMod (CM) had also modified some of the patches slightly.
So I focused on the patches released by Google (AOSP), respected the changes CM has added (on the CM11 tree), and fitted them to the Replicant codebase.
From the result I made a patchset "stagefright_patchset.zip" for Replicant (tested on the current 4.2 codebase), with the following patch files included:
- 0001-Fix-several-ineffective-integer-overflow-checks.patch
- 0002-Detect-allocation-failures-and-bail-gracefully.patch
- 0003-Fix-integer-overflow-during-MP4-atom-processing.patch
- 0004-SampleTable-fix-integer-overflow-checks.patch
- 0005-Fix-integer-underflow-in-ESDS-processing.patch
- 0006-MPEG4Extractor-still-more-NULL-derefernce-fixes.patch
- 0007-Fix-null-pointer-dereferences-accessing-the-SampleTable.patch
- 0008-Prevent-integer-overflow-when-processing-covr-MPEG4-atoms.patch
- 0009-Fix-integer-overflow-when-handling-MPEG4-tx3g-atom.patch
- 0010-Fix-integer-underflow-in-covr-MPEG4-processing.patch
- NOT NEEDED (on Replicant):
  - Fix multiple division-by-zero conditions in MPEG4 parsing
  - Prevent integer underflow if size is below 6
  - Prevent reading past the end of the buffer in 3GPP
Furthermore I've successfully checked that Replicant isn't vulnerable to the "Stagefright vulnerability" anymore, using:
- the Stagefright Detector App (https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector) and
- the set of video PoC files (https://s3.amazonaws.com/zhafiles/Zimperium-Handset-Alliance/ZHA-Crash-PoC.zip), which no longer crash the media server, as logcat records.
@everyone: please review the patches and apply it if you like.
Updated by My Self about 9 years ago
Additionally, the patchset was sent to the mailing list: http://lists.osuosl.org/pipermail/replicant/Week-of-Mon-20150810/000771.html
Updated by My Self about 9 years ago
- File stagefright_patchset-redux.zip added
[update]
This blog post: https://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/ explains why one of the Stagefright patches was faulty, and how to solve the problem.
So I modified:
- 0009-Fix-integer-overflow-when-handling-MPEG4-tx3g-atom.patch
  with the changes of: https://github.com/CyanogenMod/android_frameworks_av/commit/fa7a54848a50d587be90210c317f7885927ff7f7
- 0010-Fix-integer-underflow-in-covr-MPEG4-processing.patch
- 0011-MPEG4Extractor-handle-chunk_size-gt-SIZE_MAX.patch
based on:
The new patchset is named stagefright_patchset-redux.zip (attached).
I've recompiled/reflashed Replicant 4.2 for my device without any misbehavior, and have been testing the functionality for some hours now.
Furthermore I've successfully checked that Replicant isn't vulnerable to the new "CVE-2015-3864" anymore, using the updated detector app (by Zimperium): https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector
@everyone: please review the patches and apply it if you like.
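The patch titles in the two patchsets above (ineffective integer-overflow checks, integer underflow on small sizes, chunk_size greater than SIZE_MAX) all describe one bug class in MP4 box/atom parsing. What follows is an added example written for this page; it is not code from this thread, from libstagefright or from the patches themselves. It is a minimal ISO-BMFF box-header parser in C that places the wrapping size check next to the hardened form; the function names, error codes and sample bytes are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration of the bug class named in the patch titles above:
 * a minimal ISO-BMFF (MP4) box-header parser. Not the MPEG4Extractor code
 * from libstagefright; names, error codes and sample data are this example's own. */

enum { BOX_OK = 0, BOX_TRUNCATED = -1, BOX_MALFORMED = -2 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p)
{
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* The shape of check the patches call "ineffective": offset + size is
 * computed in size_t, so a huge size wraps around and appears to fit.
 * Kept only to contrast with safe_fits(); do not use it. */
int unsafe_fits(size_t offset, uint64_t size, size_t buf_len)
{
    return offset + (size_t)size <= buf_len;
}

/* Hardened form: reject sizes the platform cannot even address (the
 * "chunk_size > SIZE_MAX" case on 32-bit builds), then compare against the
 * bytes that remain. There is no addition, so nothing can wrap. */
int safe_fits(size_t offset, uint64_t size, size_t buf_len)
{
    if (offset > buf_len) return 0;
    if (size > (uint64_t)SIZE_MAX) return 0;
    return (size_t)size <= buf_len - offset;
}

/* Parse one box header at buf[offset]. On success writes the 4-char type,
 * the full box size (header included) and the offset of the payload. */
int parse_box_header(const uint8_t *buf, size_t buf_len, size_t offset,
                     char type[5], uint64_t *box_size, size_t *payload_off)
{
    if (offset > buf_len || buf_len - offset < 8) return BOX_TRUNCATED;

    uint64_t size = be32(buf + offset);
    size_t hdr = 8;
    memcpy(type, buf + offset + 4, 4);
    type[4] = '\0';

    if (size == 1) {                        /* 64-bit "largesize" follows */
        if (buf_len - offset < 16) return BOX_TRUNCATED;
        size = be64(buf + offset + 8);
        hdr = 16;
    } else if (size == 0) {                 /* box runs to end of input */
        size = buf_len - offset;
    }

    if (size < hdr) return BOX_MALFORMED;   /* size - hdr would underflow */
    if (!safe_fits(offset, size, buf_len)) return BOX_MALFORMED;

    *box_size = size;
    *payload_off = offset + hdr;
    return BOX_OK;
}

/* Convenience wrapper: status only, for a box at offset 0. */
int check_box(const uint8_t *buf, size_t buf_len)
{
    char type[5]; uint64_t size; size_t off;
    return parse_box_header(buf, buf_len, 0, type, &size, &off);
}

/* Constructed sample inputs (hand-written bytes, not real files). */
static const uint8_t sample_ftyp[] = {      /* valid 16-byte ftyp box */
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x02,0x00 };
static const uint8_t sample_tiny[] = {      /* size 4 is smaller than the 8-byte header */
    0x00,0x00,0x00,0x04, 'f','r','e','e', 0,0,0,0, 0,0,0,0 };
static const uint8_t sample_huge[] = {      /* size 0xFFFFFFF0, only 16 bytes present */
    0xFF,0xFF,0xFF,0xF0, 'm','o','o','v', 0,0,0,0, 0,0,0,0 };
static const uint8_t sample_large[] = {     /* largesize = 2^32, only 16 bytes present */
    0x00,0x00,0x00,0x01, 'm','d','a','t', 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00 };

int main(void)
{
    printf("ftyp : %d\n", check_box(sample_ftyp,  sizeof sample_ftyp));
    printf("tiny : %d\n", check_box(sample_tiny,  sizeof sample_tiny));
    printf("huge : %d\n", check_box(sample_huge,  sizeof sample_huge));
    printf("large: %d\n", check_box(sample_large, sizeof sample_large));
    printf("unsafe_fits wraps: %d, safe_fits: %d\n",
           unsafe_fits(8, (uint64_t)SIZE_MAX - 3, 64),
           safe_fits(8, (uint64_t)SIZE_MAX - 3, 64));
    return 0;
}
```

The interesting case is the last line of output: with offset 8 and a size of SIZE_MAX - 3, the addition in unsafe_fits() wraps to 4 and the box is accepted, while safe_fits() rejects it because the comparison is done against the bytes remaining. The 2^32 largesize sample shows why the separate SIZE_MAX check matters on 32-bit builds: there the value cannot be represented as a size_t at all, so it must be refused before any cast.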
Updated by T M about 9 years ago
I have been running all the patches up to/since http://redmine.replicant.us/issues/1287#note-3 without any problems for about 2 weeks. Will update to the new patchset when time allows.
Updated by My Self about 9 years ago
- File deleted (stagefright_patchset-redux.zip)
Updated by My Self about 9 years ago
Updated by Paul Kocialkowski about 9 years ago
- Status changed from New to Closed
- Resolution set to fixed
All merged, thanks a lot!
Updated by George Bateman over 8 years ago
Here is a wiki for the Stagefright Detector App