Issue #1287
closed
Great, thanks for your investigation! I'll try to get around to merging your already-pending security fixes soon. If Replicant is indeed affected by the stagefright vulnerability, then patches for it are welcome as well :)
Thanks for your great work, as usual!
- File stagefright_patchset.zip added
Sorry for the delay.
It was a lot of cherry-picking. Initially I worked with the patchset provided by Zimperium (https://s3.amazonaws.com/zhafiles/Zimperium-Handset-Alliance/ZHA-Stagefright-Patches.zip), but afterwards I realized that some of the original patches (https://android-review.googlesource.com/#/c/162646/) are slightly different. And then I realized that CyanogenMod (CM) had also modified some of the patches slightly.
So I set the focus on the patches released by Google (AOSP), respected the changes CM has added (on the CM11 tree), and fitted them to the Replicant codebase.
From the result I made a patchset "stagefright_patchset.zip" for Replicant (tested on the current 4.2 codebase) with the following patch files included:
- 0001-Fix-several-ineffective-integer-overflow-checks.patch
- 0002-Detect-allocation-failures-and-bail-gracefully.patch
- 0003-Fix-integer-overflow-during-MP4-atom-processing.patch
- 0004-SampleTable-fix-integer-overflow-checks.patch
- 0005-Fix-integer-underflow-in-ESDS-processing.patch
- 0006-MPEG4Extractor-still-more-NULL-derefernce-fixes.patch
- 0007-Fix-null-pointer-dereferences-accessing-the-SampleTable.patch
- 0008-Prevent-integer-overflow-when-processing-covr-MPEG4-atoms.patch
- 0009-Fix-integer-overflow-when-handling-MPEG4-tx3g-atom.patch
- 0010-Fix-integer-underflow-in-covr-MPEG4-processing.patch
- NOT NEEDED (on Replicant):
- Fix multiple division-by-zero conditions in MPEG4 parsing
- Prevent integer underflow if size is below 6
- Prevent reading past the end of the buffer in 3GPP
After compiling/flashing the patched Replicant, I've tested my production device for some hours without any misbehavior.
Furthermore I've successfully checked that Replicant isn't vulnerable to the "Stagefright vulnerability" anymore, by:
@everyone: please review the patches and apply it if you like.
- File stagefright_patchset-redux.zip added
[update]
This blog post: https://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/ explains why one of the stagefright patches was faulty, and how to solve the problem.
So I modified:
renewed:
- 0010-Fix-integer-underflow-in-covr-MPEG4-processing.patch
and added (the newly categorized CVE-2015-3864) as:
- 0011-MPEG4Extractor-handle-chunk_size-gt-SIZE_MAX.patch
based on:
The new patchset is named stagefright_patchset-redux.zip (attached).
I've recompiled/reflashed Replicant 4.2 for my device without any misbehavior, and have tested the functionality for some hours now.
Furthermore I've successfully checked that Replicant isn't vulnerable to the new "CVE-2015-3864" anymore, using the updated detector app (by Zimperium): https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector
@everyone: please review the patches and apply it if you like.
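As an added illustration of the bug class these patches address (both the "ineffective integer overflow checks" in the first patchset and the chunk_size > SIZE_MAX case of CVE-2015-3864 in the redux), here is a constructed example. It is not code from the AOSP, CM or Replicant patches; the struct, helper names and the 40-byte sample buffer are invented for this illustration. It shows a bounds check on an MP4 atom header that adds before it compares, beside a check that compares against the remaining buffer space and refuses sizes that would not survive narrowing to size_t on a 32-bit device.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from the AOSP/CM/Replicant patches.  An MP4
 * atom starts with a 32-bit big-endian size and a 4-byte type; a size of 1
 * means a 64-bit "largesize" follows.  The struct and helper names below are
 * invented for this illustration. */
struct atom {
    uint64_t chunk_size;  /* declared atom size, header included */
    uint64_t header_len;  /* 8, or 16 when a largesize is present */
    uint32_t type;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse the atom header at `offset`; false if the buffer cannot hold one. */
static bool read_atom_header(const uint8_t *buf, size_t len, size_t offset,
                             struct atom *out) {
    if (offset > len || len - offset < 8) return false;
    out->chunk_size = be32(buf + offset);
    out->type = be32(buf + offset + 4);
    out->header_len = 8;
    if (out->chunk_size == 1) {          /* 64-bit largesize follows */
        if (len - offset < 16) return false;
        out->chunk_size = be64(buf + offset + 8);
        out->header_len = 16;
    }
    return true;
}

/* The ineffective pattern: add first, compare second.  A chunk_size near
 * UINT64_MAX makes `end` wrap to a small value that passes the bounds test. */
static bool atom_fits_ineffective(const struct atom *a, size_t len, size_t offset) {
    uint64_t end = (uint64_t)offset + a->chunk_size;  /* may wrap */
    return end <= len;
}

/* The hardened form: compare against the remaining space instead of adding,
 * reject sizes smaller than the header (payload-length underflow), and on a
 * 32-bit device reject anything that would not survive narrowing to size_t. */
static bool atom_fits_hardened(const struct atom *a, size_t len, size_t offset) {
    if (offset > len) return false;
    if (a->chunk_size < a->header_len) return false;
#if SIZE_MAX < UINT64_MAX
    if (a->chunk_size > SIZE_MAX) return false;   /* the chunk_size > SIZE_MAX case */
#endif
    return a->chunk_size <= (uint64_t)(len - offset);
}

/* Constructed 40-byte sample: a well-formed 16-byte 'free' atom followed by a
 * 'moov' atom whose largesize is 0xFFFFFFFFFFFFFFF8 and 8 bytes of filler. */
static const uint8_t sample_file[] = {
    0x00, 0x00, 0x00, 0x10, 'f', 'r', 'e', 'e',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01, 'm', 'o', 'o', 'v',
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xF8,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* 1 = atom accepted, 0 = rejected, -1 = no complete header at offset. */
int accepted_by_ineffective(const uint8_t *buf, size_t len, size_t offset) {
    struct atom a;
    if (!read_atom_header(buf, len, offset, &a)) return -1;
    return atom_fits_ineffective(&a, len, offset) ? 1 : 0;
}

int accepted_by_hardened(const uint8_t *buf, size_t len, size_t offset) {
    struct atom a;
    if (!read_atom_header(buf, len, offset, &a)) return -1;
    return atom_fits_hardened(&a, len, offset) ? 1 : 0;
}

int main(void) {
    size_t len = sizeof(sample_file);
    printf("ineffective check, 'free' at 0:  %d\n", accepted_by_ineffective(sample_file, len, 0));
    printf("ineffective check, 'moov' at 16: %d\n", accepted_by_ineffective(sample_file, len, 16));
    printf("hardened check,    'moov' at 16: %d\n", accepted_by_hardened(sample_file, len, 16));
    return 0;
}
```

At offset 16 the ineffective check computes 16 + 0xFFFFFFFFFFFFFFF8, which wraps to 8 and passes the `<= len` test, so the oversized atom is accepted; the hardened check rejects it because the declared size exceeds the 24 bytes that remain. The `SIZE_MAX` guard is compiled in only where `size_t` is narrower than 64 bits, which is exactly the 32-bit ARM case of the Replicant 4.2 devices discussed here.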
- % Done changed from 0 to 100
I have been running all the patches up to/since #3 without any problems for about 2 weeks. Will update to the new patchset when time allows.
- File deleted (stagefright_patchset.zip)
- File deleted (stagefright_patchset-redux.zip)
- Status changed from New to Closed
- Resolution set to fixed
All merged, thanks a lot!