Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

Use-After-Free read in Matroska CodecPrivate (GHSL-2024-280)

A Use-After-Free read vulnerability has been discovered affecting the processing of CodecPrivate elements in Matroska streams.

1) Memory Allocation: In the GST_MATROSKA_ID_CODECPRIVATE case within the gst_matroska_demux_parse_stream function, a data chunk is allocated using gst_ebml_read_binary.

static GstFlowReturn gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml, GstMatroskaTrackContext ** dest_context){
...
      case GST_MATROSKA_ID_CODECPRIVATE:{
        guint8 *data;
        guint64 size;

        if ((ret = gst_ebml_read_binary (ebml, &id, &data, &size)) != GST_FLOW_OK) // <= MALLOC (1)
          break;
...
}

2) Memory Deallocation: Later, the allocated memory is freed in the gst_matroska_track_free function, by the call to g_free (track->codec_priv).

void gst_matroska_track_free (GstMatroskaTrackContext * track){
  g_free (track->codec_id);
  g_free (track->codec_name);
  g_free (track->name);
  g_free (track->language);
  g_free (track->codec_priv); // <= FREE (2)
  g_free (track->codec_state);
  gst_caps_replace (&track->caps, NULL);
...
}

3) Use After Free: Finally, the freed memory is accessed in the caps_serialize function through gst_value_serialize_buffer, where the instruction sprintf (string + i * 2, "%02x", data[i]); reads data[i] from the buffer that was already released in step 2. This results in a UAF read vulnerability, as the function processes memory that has already been freed.

static gchar * gst_value_serialize_buffer (const GValue * value){
...
  buffer = gst_value_get_buffer (value);
...
  if (!gst_buffer_map (buffer, &info, GST_MAP_READ))
    return NULL;

  data = info.data;

  string = g_malloc (info.size * 2 + 1);
  for (i = 0; i < info.size; i++) {
    sprintf (string + i * 2, "%02x", data[i]); // <= UAF (3)
  }
...
}
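The three steps above, recast as a self-contained C program that walks the same lifecycle (allocate the codec private chunk, free the track, then hex-serialize) while keeping the ownership discipline that prevents this class of bug: the buffer handed to caps takes its own copy rather than aliasing track->codec_priv, and the free routine nulls the pointer it releases. This is an added illustration, not GStreamer code; the demo_* types and functions are hypothetical stand-ins for GstMatroskaTrackContext, the caps buffer and gst_value_serialize_buffer, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical, simplified stand-ins for GstMatroskaTrackContext and the
 * buffer carried inside caps. Not GStreamer's real types. */
typedef struct {
    uint8_t *data;   /* owned copy of the codec private bytes */
    size_t   size;
} demo_buffer;

typedef struct {
    uint8_t *codec_priv;      /* owned by the track, released in demo_track_free */
    size_t   codec_priv_size;
} demo_track;

/* Mirrors step 1: the demuxer ends up with an allocated codec private chunk. */
static demo_track *demo_track_new(const uint8_t *src, size_t size) {
    demo_track *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->codec_priv = malloc(size);
    if (!t->codec_priv) { free(t); return NULL; }
    memcpy(t->codec_priv, src, size);
    t->codec_priv_size = size;
    return t;
}

/* The caps buffer takes its own copy instead of aliasing track->codec_priv,
 * so freeing the track (step 2) cannot invalidate what serialization reads. */
static demo_buffer *demo_buffer_from_track(const demo_track *t) {
    demo_buffer *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->data = malloc(t->codec_priv_size);
    if (!b->data) { free(b); return NULL; }
    memcpy(b->data, t->codec_priv, t->codec_priv_size);
    b->size = t->codec_priv_size;
    return b;
}

/* Mirrors step 2: release every owned field and null the pointer, so a stale
 * access fails loudly on NULL instead of silently reading freed memory. */
static void demo_track_free(demo_track *t) {
    if (!t) return;
    free(t->codec_priv);
    t->codec_priv = NULL;
    t->codec_priv_size = 0;
    free(t);
}

static void demo_buffer_free(demo_buffer *b) {
    if (!b) return;
    free(b->data);
    free(b);
}

/* Mirrors step 3: hex-serialize the buffer the way gst_value_serialize_buffer
 * does with "%02x". Returns a heap string the caller frees, or NULL. */
static char *demo_serialize_hex(const demo_buffer *b) {
    if (!b || (!b->data && b->size)) return NULL;
    char *s = malloc(b->size * 2 + 1);
    if (!s) return NULL;
    for (size_t i = 0; i < b->size; i++)
        snprintf(s + i * 2, 3, "%02x", b->data[i]);
    s[b->size * 2] = '\0';
    return s;
}

/* Runs the full lifecycle: allocate (1), build the caps copy, free the track (2),
 * then serialize (3) from the copy. Returns 1 if the hex equals `expected`. */
static int demo_lifecycle_ok(const uint8_t *priv, size_t size, const char *expected) {
    demo_track *t = demo_track_new(priv, size);
    if (!t) return 0;
    demo_buffer *caps_buf = demo_buffer_from_track(t);
    demo_track_free(t);                          /* step 2 happens before step 3 */
    char *hex = demo_serialize_hex(caps_buf);    /* step 3 reads the live copy   */
    int ok = hex && strcmp(hex, expected) == 0;
    free(hex);
    demo_buffer_free(caps_buf);
    return ok;
}

int main(void) {
    /* Constructed sample CodecPrivate bytes, not taken from any real stream. */
    static const uint8_t priv[] = { 0x01, 0x02, 0x0a, 0xff };
    printf("%s\n", demo_lifecycle_ok(priv, sizeof priv, "01020aff") ? "ok" : "FAIL");
    return 0;
}
```

Building this with `-fsanitize=address` is the same check the Impact section recommends for the real demuxer: if demo_buffer_from_track is changed to store `t->codec_priv` directly instead of copying it, ASAN reports the read in demo_serialize_hex as a heap-use-after-free, whereas the program above runs clean because the two owners never share the allocation.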

Impact

This vulnerability can lead to an OOB-read and a memory leak.

The vulnerability does not result in a crash. In order to catch this bug, you’ll need to run the program with AddressSanitizer (ASAN) enabled.

You can trigger the issue by running:

gst-discoverer-1.0 GHSL-2024-280/GHSL-2024-280_asan1

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-280 in any communication regarding this issue.